This article clarifies whether it is possible to modify the console session settings in Okta Workflows, similar to the options available in the Okta Core Admin Console/End-User Dashboard. It also explains the behavior of session timeouts, IP binding, and Continuous Access (Sign-On Policy) Evaluation (CAE).
- Okta Workflows Console
Session Duration
- The Workflows console is a separate application with separate sessions. These sessions cannot be modified to match the main Okta session established by the Global Session Policy.
- The Workflows console session is limited to 1 hour. After this hour, Workflows attempts to perform a silent Single Sign-On (SSO) re-authentication. If the Okta session has also ended, the user receives a login form in a pop-up window.
- Although the session is fixed at one hour, the Sign-On Policy is also re-evaluated every 5 minutes (see CAE directly below).
Continuous Access (Sign-On Policy) Evaluation (CAE)
- Since version 2025.11.0, Continuous Access Evaluation (CAE) is active. This feature re-evaluates the session against the app sign-on policy every five minutes.
- This behavior operates alongside IP session binding but provides distinct capabilities by periodically verifying policy compliance.
IP Binding
- As of version 2024.09.0, Okta Workflows has IP session restrictions enabled by default. This feature ensures that all Okta Workflows requests in a session use the same IP address logged when the session was created.
- If the IP address of any request does not match, the Workflows session is terminated, and a silent re-SSO is attempted.
Troubleshooting
- For session termination issues that occur at random intervals, verify that the IP address remains consistent throughout the session.
- This can be seen in the System Log, with the logged-in user as the Actor and the Workflows app as the target. Check the IPs logged for the Actor at the time the session was terminated.
- If session invalidation occurs unexpectedly due to the app sign-on policy configuration (relating to CAE), and occurs fairly consistently after a 5-minute period, check the System Log at the time the session was invalidated to see which sign-on policy was evaluated, then look further at why the failure may have occurred.
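The two troubleshooting checks above, as an added example that is not part of the original article: it walks exported System Log events for one Actor where the Workflows app is a target, and flags a client IP change or a sign-on policy evaluation that did not return ALLOW. The sample events are constructed, and the app display name `Okta Workflows`, the helper names, and the event types that carry the Workflows app as a target are assumptions to adjust for your org.

```python
from datetime import datetime

WORKFLOWS_APP = "Okta Workflows"  # assumption: the app's display name in your org

def ev(ts, etype, ip, result, app=WORKFLOWS_APP, user="alice@example.com"):
    """Build a constructed event using System Log field names."""
    return {"published": ts, "eventType": etype, "actor": {"alternateId": user},
            "client": {"ipAddress": ip}, "outcome": {"result": result},
            "target": [{"type": "AppInstance", "displayName": app}]}

# Constructed sample data (documentation IP ranges), not real log output.
SAMPLE = [
    ev("2025-01-01T10:00:00.000Z", "user.authentication.sso", "203.0.113.10", "SUCCESS"),
    ev("2025-01-01T10:05:00.000Z", "policy.evaluate_sign_on", "203.0.113.10", "ALLOW"),
    ev("2025-01-01T10:06:00.000Z", "user.authentication.sso", "192.0.2.44", "SUCCESS",
       app="Other App"),
    ev("2025-01-01T10:07:30.000Z", "user.authentication.sso", "198.51.100.7", "SUCCESS"),
    ev("2025-01-01T10:12:30.000Z", "policy.evaluate_sign_on", "198.51.100.7", "DENY"),
]

def parse_ts(value):
    # System Log timestamps are ISO 8601 with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def targets_workflows(event):
    return any(t.get("type") == "AppInstance" and t.get("displayName") == WORKFLOWS_APP
               for t in event.get("target") or [])

def find_session_breaks(events, actor):
    """Return (kind, published, detail) findings for one Actor's Workflows events."""
    relevant = sorted(
        (e for e in events
         if e["actor"]["alternateId"] == actor and targets_workflows(e)),
        key=lambda e: parse_ts(e["published"]))
    findings, last_ip = [], None
    for e in relevant:
        ip = e["client"]["ipAddress"]
        # IP binding: every request in a session must come from the same address.
        if last_ip is not None and ip != last_ip:
            findings.append(("ip_change", e["published"], f"{last_ip} -> {ip}"))
        last_ip = ip
        # CAE: a periodic sign-on policy evaluation that did not allow access.
        result = e["outcome"]["result"]
        if e["eventType"] == "policy.evaluate_sign_on" and result != "ALLOW":
            findings.append(("policy_result", e["published"], result))
    return findings

if __name__ == "__main__":
    for finding in find_session_breaks(SAMPLE, "alice@example.com"):
        print(*finding)
```

An `ip_change` finding near the termination time points to IP binding, while a `policy_result` finding on the 5-minute cadence points to the app sign-on policy.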
