How to access session timeout in SAML response?


We’ve got an app that is set up for authenticating via Okta SAML, and we want to set our app to honor session timeout policies set by organizations via Okta. Examining the raw XML response on a test org, it seems Okta is not sending the “SessionNotOnOrAfter” attribute.

Do I need to configure something in the Okta admin console to send the SessionNotOnOrAfter? I’ve added a new sign-on rule on the Authentication / Sign-On page for my test org (, to set a custom “session expires after” value. Is there another place to set the session timeout? Or would this value be sent as a different attribute than “SessionNotOnOrAfter”?

And if this is being set correctly, is there some additional configuration I need to do to include this value in the SAML response? Do I need to set up an inline hook to request that Okta sends this attribute? As mentioned here:

Thanks in advance for any insights!

I just verified the assertion in my environment and I can see NotOnOrAfter attribute populated. It’s buried deep into the body of the assertion, so maybe you just missed it.

Hi Philipp,

I’m looking for the “SessionNotOnOrAfter” attribute, rather than the “NotOnOrAfter” attribute.

Sorry, Sarah, not quite familiar with SAML specification. Checked the difference in StackOverflow Question though.

I honestly don’t know if Okta uses this attribute in the assertions being issued. Better to ask Support, I guess.

Update: Okta has responded with the following:

"I have looked at the issue from our side unfortunately, we don’t offer any functionality in regards to the session timeout value. The SP provider … would be responsible. "

So Okta doesn’t offer any capabilities for sending SessionNotOnOrAfter, or any other session timeout value, to SPs as part of the SAML auth flow.