
SaravananP.50924 (Customer) asked a question.
I have a Spring-based web application integrated with Okta for SAML SSO. During the login process, the request from the web app opens up the IdP login page. If the user does not respond immediately or the login page is left idle for 2 minutes or more, it results in an error even if the credentials are proper. I believe that the request that was formed has a timeout and due to that it results in an error after 2 minutes.
If that is the case, where do we set/configure the idle timeout?

Hi Saravanan P K
We need to take into account that SAML is only responsible for the user's sign-in and cannot directly control the user's session after the sign-in. Session lifetime is indeed handled from the application side rather than from Okta.
Okta only takes care of the authentication, and once the authentication has succeeded, at that point everything else is handled by the application itself, including the session lifetime.
There is also a setting in Okta that will prompt users for reauthentication if they try to access the target app after a specific number of minutes, but it will not affect the current session. It is located under the sign-on settings [Sign On Policy] for the specific app in Okta, which you can configure:
https://help.okta.com/en/prod/Content/Topics/Security/policies/configure-app-signon-policies.htm

I am sorry. I understand that Okta session and application session are different. I am talking about the idle timeout at the login page. If the user does not enter the credentials and leaves the login page idle for 2 minutes or more, and the credentials are later entered and submitted, the authentication doesn't work for valid credentials. I believe there is a timeout that is formed before coming to the login page.
If the user enters the credentials within 2 minutes, the authentication is successful and the web application is opened up. Thanks for your time.

Hi Saravanan Pk
Okta does not control application sessions; as stated before, they will be handled by the app.
Our recommendation is to open a Support Case at some point if you consider you need to check further information.
Thanks.

Well, application session is out of scope in this question. Here is the flow. A web app is integrated with Okta for SSO SAML. The web app login navigates the login request to Okta SAML login and if the user is not authenticated, the login page from Okta is opened up. Now, the login page has come up from Okta and the user leaves the login page idle for 2 minutes or more.
There is no application here. The control is still with Okta.
After 2 minutes, if the user enters the credentials, Okta says the request is invalid. If the credentials are entered within 2 minutes, Okta validates it successfully and opens the web application dashboard as per the configuration.