Thomas (Okta, Inc.)

Best Practice for Session Value & Departing User Workflow

I'm trying to understand the best practice for setting the Okta "Session Lifetime". I understand that the session value can be set between 1 minute and 12 hours. I realize that different…

Original Author: Andrew Wild  awild@lancope.com
Best Answer chosen by Thomas (Okta, Inc.) 
Thomas (Okta, Inc.)
Hi Andrew,

In the scenario you describe, the frequency of your sync jobs (and other org flag settings like federated profiles) will have a big impact and make it nearly impossible to predict the exact behavior; thus it is still important to ensure your session lifetime aligns with your security requirements.

As soon as the user's account has been deactivated in Okta, they will be unable to interact with the Okta UI (existing session or not).

So, in your scenario with a 4-hour session:

   I log in at 8am
   My account (in AD) is disabled at 10 due to termination
   A sync job starts at 10:15 and finishes at 10:30, during which the disabled status is reflected on my Okta account
   I click on an application in Okta at 10:31; I am taken to an application-specific login page and my primary Okta page presents an authentication prompt.


Hope that helps,

-Matt
Original Author:  Matt Egan  matthew.egan@varian.com
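
The timeline in the answer above, modelled as an added example that is not part of the original thread and not Okta code: it computes how long a terminated user can still use the Okta UI after the AD disable, given the session lifetime and the sync schedule. The function names, the dates and the two modelling assumptions stated in the docstring are assumptions of this example.

```python
from datetime import datetime, timedelta


def okta_access_cutoff(login, session_lifetime, ad_disabled, sync_starts, sync_duration):
    """Return (cutoff, reason): when Okta UI access ends for a disabled AD user.

    Assumptions of this model (not guarantees of Okta behaviour):
    - the disabled status reaches Okta no later than the end of the first
      sync job that starts at or after the AD disable time (worst case);
    - once the Okta session expires, re-authentication fails because the
      AD account is already disabled.
    """
    session_expiry = login + session_lifetime
    # First sync job that is certain to see the disabled flag.
    next_sync = min((s for s in sync_starts if s >= ad_disabled), default=None)
    if next_sync is None or next_sync + sync_duration >= session_expiry:
        return session_expiry, "session expired"
    return next_sync + sync_duration, "deactivation synced"


def exposure_window(login, session_lifetime, ad_disabled, sync_starts, sync_duration):
    """Time between the AD disable and the end of Okta UI access."""
    cutoff, reason = okta_access_cutoff(
        login, session_lifetime, ad_disabled, sync_starts, sync_duration)
    # A session that ended before the disable leaves no exposure at all.
    return max(cutoff - ad_disabled, timedelta(0)), reason


# Constructed sample data: the date is arbitrary, the times follow the answer.
DAY = datetime(2024, 1, 1)
LOGIN = DAY.replace(hour=8)
DISABLED = DAY.replace(hour=10)
FOUR_HOURS = timedelta(hours=4)
JOB_LENGTH = timedelta(minutes=15)

# Scenario from the answer: a sync job starts at 10:15 and finishes at 10:30.
FREQUENT_SYNC = [DAY.replace(hour=10, minute=15)]
# Constructed contrast: sync jobs only at 06:15 and 12:15.
SPARSE_SYNC = [DAY.replace(hour=6, minute=15), DAY.replace(hour=12, minute=15)]

if __name__ == "__main__":
    for name, schedule in (("frequent", FREQUENT_SYNC), ("sparse", SPARSE_SYNC)):
        window, reason = exposure_window(LOGIN, FOUR_HOURS, DISABLED, schedule, JOB_LENGTH)
        print(f"{name} sync: access ends {window} after the AD disable ({reason})")
```

With the frequent schedule the sync job bounds the exposure; with the sparse one the session lifetime does, which is why both settings have to be chosen together.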