By default, Okta does not control the application session. Okta can only initiate the session; the application decides how long it stays valid. Optionally, the SessionNotOnOrAfter attribute can be sent to the Service Provider (SP) to specify the expiration time of a session. The SP uses this attribute to manage session validity, and it is up to the SP to terminate the session.
This article will explain how to configure the SessionNotOnOrAfter attribute to specify a session's expiration time.
- Okta Integration Network (OIN)
- Custom SAML Applications
- Single Sign-On (SSO)
For OIN Applications
- Navigate to Applications > select Specific Application > Sign On > Settings > Edit > Maximum App Session Lifetime.
- Select Send value in response.
- Enter the desired value.
- Save.
For Custom SAML Applications
- Navigate to Applications > select Specific Application > General > SAML Settings > Edit > Next > Show Advanced Settings > Maximum App Session Lifetime.
- Select Send value in response.
- Enter the desired value.
- Save.
NOTE: Currently, Okta does not support the SessionNotOnOrAfter attribute when acting as a Service Provider (SP).
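Because terminating the session is left to the SP, the following added example (not Okta's code and not part of the original article) shows one way an SP could honor SessionNotOnOrAfter when it creates its local session. The function names, the 8-hour local maximum and the sample assertion are assumptions constructed for illustration, and the assertion's signature is assumed to have been verified before this code runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the part of an assertion that matters here.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-05-01T09:00:00Z"
                       SessionIndex="id-constructed-1"
                       SessionNotOnOrAfter="2024-05-01T11:00:00Z"/>
</saml:Assertion>"""


def _parse_utc(value):
    # SAML timestamps are xs:dateTime values in UTC, e.g. 2024-05-01T11:00:00Z.
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # Treat a value without an offset as UTC so comparisons never mix
    # naive and aware datetimes.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def session_expiry(assertion_xml, now, local_max=timedelta(hours=8)):
    """Return when the SP session must end, or None to refuse the login.

    Assumes the assertion signature was already verified by the SAML
    library; this function only applies the session lifetime.
    """
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        return None  # no authentication statement, nothing to base a session on
    expiry = now + local_max  # the SP's own ceiling (hypothetical policy value)
    raw = stmt.get("SessionNotOnOrAfter")
    if raw is not None:
        idp_limit = _parse_utc(raw)
        # "Not on or after": a session is already invalid at the limit itself.
        if now >= idp_limit:
            return None
        # Never let the local session outlive what the IdP allowed.
        expiry = min(expiry, idp_limit)
    return expiry
```

When the attribute is absent, which is the default described above, only the SP's own lifetime applies.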
