Enforce a limited session lifetime for all policies

Session lifetime determines the maximum idle time of an end user's sign-on session to Okta. Lowering this value reduces the window in which a malicious third party can reach a user's applications through a still-active session.

The maximum time allowed for this setting is 90 days. The default session lifetime is 2 hours. On the End-User Dashboard, a countdown timer appears when 5 minutes of session time remain.


HealthInsight: Why is this task recommended?


This is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Enforce a limited session lifetime in your org's policies to reduce the risk of malicious third-party access to an end user's applications while an end-user session is active.

Security impact: High

End-user impact: Moderate

Okta recommends: A session lifetime of 2 hours or less.


End-user experience and impact


End users working in the End-User Dashboard receive a countdown prompt, based on the configured duration, once five minutes remain in the active session.


Procedure


To set the session lifetime for a policy:

  1. From the admin console, navigate to Security > Authentication.
  2. Click Sign On.
  3. Click Add Rule or Edit to modify an existing policy rule.
  4. Under Session expires after, set the session lifetime duration in minutes, hours, or days.


  5. Click Create Rule or Save Rule once your changes have been made.
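As an added example (not Okta's own code and not part of this page), the following Python audit reads sign-on policy rules in the shape returned by Okta's Policy API and flags any active rule whose "Session expires after" value is above the 2-hour ceiling recommended above. The sample rules are constructed inline; the field names `maxSessionIdleMinutes` and `maxSessionLifetimeMinutes` are assumed from Okta's public Policy API, and the rule ids and names are made up.

```python
"""Audit Okta sign-on policy rules for session lifetimes above a ceiling."""
import json
from dataclasses import dataclass
from typing import List, Optional

# Ceiling recommended on the page: 2 hours.
RECOMMENDED_MAX_MINUTES = 120

# Constructed sample shaped like Okta's GET /api/v1/policies/{policyId}/rules
# response for a SIGN_ON policy (assumption: the session fields are named
# maxSessionIdleMinutes / maxSessionLifetimeMinutes as in Okta's Policy API).
# Rule ids and names are made up for this example.
SAMPLE_RULES_JSON = """
[
  {"id": "0prule000001", "name": "Default Rule", "status": "ACTIVE",
   "actions": {"signon": {"session": {"maxSessionIdleMinutes": 120,
                                       "maxSessionLifetimeMinutes": 0}}}},
  {"id": "0prule000002", "name": "Contractors", "status": "ACTIVE",
   "actions": {"signon": {"session": {"maxSessionIdleMinutes": 129600,
                                       "maxSessionLifetimeMinutes": 0}}}},
  {"id": "0prule000003", "name": "Legacy", "status": "INACTIVE",
   "actions": {"signon": {"session": {"maxSessionIdleMinutes": 1440}}}},
  {"id": "0prule000004", "name": "Broken", "status": "ACTIVE",
   "actions": {"signon": {}}}
]
"""

_UNIT_MINUTES = {"minutes": 1, "hours": 60, "days": 1440}


def to_minutes(value: int, unit: str) -> int:
    """Convert the admin console's minutes / hours / days choice to minutes."""
    try:
        return value * _UNIT_MINUTES[unit]
    except KeyError:
        raise ValueError(f"unknown unit {unit!r}") from None


def human(minutes: int) -> str:
    """Render a minute count the way an admin would read it, e.g. '90 days'."""
    parts = []
    for label, size in (("day", 1440), ("hour", 60), ("minute", 1)):
        count, minutes = divmod(minutes, size)
        if count:
            parts.append(f"{count} {label}{'s' if count != 1 else ''}")
    return " ".join(parts) or "0 minutes"


@dataclass
class Finding:
    rule_id: str
    name: str
    idle_minutes: Optional[int]
    compliant: bool
    reason: str


def load_rules(raw: str) -> list:
    """Parse the JSON array of policy rules."""
    return json.loads(raw)


def session_idle_minutes(rule: dict) -> Optional[int]:
    """Pull the idle timeout ('Session expires after') out of one rule, or None."""
    session = rule.get("actions", {}).get("signon", {}).get("session", {})
    value = session.get("maxSessionIdleMinutes")
    return value if isinstance(value, int) and value > 0 else None


def audit_rules(rules: list, limit: int = RECOMMENDED_MAX_MINUTES) -> List[Finding]:
    """One Finding per ACTIVE rule; inactive rules cannot grant sessions and are skipped."""
    findings = []
    for rule in rules:
        if rule.get("status") != "ACTIVE":
            continue
        idle = session_idle_minutes(rule)
        if idle is None:
            # Assumption: a missing or zero value means no idle limit is applied,
            # which is the worst case for this control, so it is reported as a failure.
            findings.append(Finding(rule["id"], rule["name"], None, False,
                                    "no session idle limit configured"))
        elif idle > limit:
            findings.append(Finding(rule["id"], rule["name"], idle, False,
                                    f"session expires after {human(idle)}, "
                                    f"above the {human(limit)} ceiling"))
        else:
            findings.append(Finding(rule["id"], rule["name"], idle, True,
                                    f"session expires after {human(idle)}"))
    return findings


if __name__ == "__main__":
    for f in audit_rules(load_rules(SAMPLE_RULES_JSON)):
        print(f"{'OK  ' if f.compliant else 'FAIL'} {f.rule_id} {f.name!r}: {f.reason}")
```

In a real org the rule list would come from an authenticated GET to the Policy API rather than the embedded sample; the check itself is the same, and it deliberately reports a missing idle value as a failure rather than assuming the 2-hour default applies.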