Okta Classic Engine | Administration | Answered | 2020-01-15T22:35:23Z / 2020-01-30T17:12:43Z

MarcD.11236 (Omada Health) asked a question.

Does Okta Support - Authenticator Assurance Level 2

Looking at the NIST SP 800-63B guidelines specific to AAL2 reauthentication, it reads:

"Periodic reauthentication of subscriber sessions SHALL be performed as described in Section 7.2. At AAL2, authentication of the subscriber SHALL be repeated at least once per 12 hours during an extended usage session, regardless of user activity. Reauthentication of the subscriber SHALL be repeated following any period of inactivity lasting 30 minutes or longer. The session SHALL be terminated (i.e., logged out) when either of these time limits is reached."

From what I have read, Session lifetime determines the maximum idle time of an end user's sign-on session to Okta.

However, this doesn't necessarily conform to the AAL2 standards.

If you set a Session timeout in the Sign-On policy of Okta for 30 minutes, that works, BUT as long as you are active you can keep going.

AAL2 says even if you surpass the 30 minutes, you need to be reauthenticated regardless of activity after 12 hours.

So how does one create a policy that allows for a 30-minute session timeout (that's easy) but then FORCE a full reauthentication after 12 hours regardless of activity?

Do you make the factor last 12 and the session last 30 minutes? Thus the prompt for factor would take over as that expired but the session has 30 minutes?

Assuming you surpass the 30 minutes at 12 hours your factor would have expired and you would get prompted?

That's the question...

  • MarcD.11236 (Omada Health)

    It doesn't really... not to technical standards as written.

    Furthermore, you can't control sessions once a user has gone through to the actual app in another tab. So you can set the timeouts to whatever you want and it's out of the control of Okta at that point, except for AWS, which does appear to pass session info to the open tab and indeed will close that app.

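Since the reply notes that the application itself is outside Okta's control once the user is in it, the following is an added example (not code from the original post, Okta or NIST) of an application-side check that applies both AAL2 timers from the quoted SP 800-63B text: the inclusive 30-minute inactivity limit and the 12-hour absolute limit that fires regardless of activity. The `Session`, `Verdict` and `simulate` names and the sample timestamp are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

IDLE_LIMIT = timedelta(minutes=30)    # SP 800-63B AAL2: inactivity of 30 minutes or longer
ABSOLUTE_LIMIT = timedelta(hours=12)  # SP 800-63B AAL2: reauthenticate at least once per 12 hours


class Verdict(Enum):
    OK = "ok"
    REAUTH_IDLE = "reauthenticate: 30-minute inactivity limit reached"
    REAUTH_ABSOLUTE = "reauthenticate: 12-hour limit reached regardless of activity"


@dataclass
class Session:
    authenticated_at: datetime  # time of the last full AAL2 authentication
    last_activity: datetime     # time of the last request the application saw

    def evaluate(self, now: datetime) -> Verdict:
        # Both comparisons are inclusive, matching "or longer" / "at least once per".
        if now - self.authenticated_at >= ABSOLUTE_LIMIT:
            return Verdict.REAUTH_ABSOLUTE
        if now - self.last_activity >= IDLE_LIMIT:
            return Verdict.REAUTH_IDLE
        return Verdict.OK

    def touch(self, now: datetime) -> Verdict:
        """Record activity only while the session is still valid; otherwise it must end."""
        verdict = self.evaluate(now)
        if verdict is Verdict.OK:
            self.last_activity = now
        return verdict


def simulate(activity_interval: timedelta, hours: int = 13) -> tuple[int, Verdict]:
    """Send a request every `activity_interval` and report the first request that is refused.

    Shows the asker's point: steady activity defeats the idle timer, but the
    absolute 12-hour timer still forces reauthentication.
    """
    start = datetime(2020, 1, 15, 22, 35, tzinfo=timezone.utc)  # constructed sample timestamp
    session = Session(authenticated_at=start, last_activity=start)
    now, requests = start, 0
    while now - start <= timedelta(hours=hours):
        now += activity_interval
        requests += 1
        verdict = session.touch(now)
        if verdict is not Verdict.OK:
            return requests, verdict
    return requests, Verdict.OK
```

With requests every 20 minutes the idle timer never fires, but request 36 (exactly 12 hours in) is refused by the absolute limit; with requests every 30 minutes the very first one is refused by the inclusive idle limit.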
This question is closed.