We’ve got an app that is set up for authenticating via Okta SAML, and we want to set our app to honor session timeout policies set by organizations via Okta. Examining the raw XML response on a test org, it seems Okta is not sending the “SessionNotOnOrAfter” attribute.
Do I need to configure something in the Okta admin console to send the SessionNotOnOrAfter? I’ve added a new sign-on rule on the Authentication / Sign-On page for my test org (https://.okta.com/admin/access/policies#sign-on), to set a custom “session expires after” value. Is there another place to set the session timeout? Or would this value be sent as a different attribute than “SessionNotOnOrAfter”?
And if this is being set correctly, is there some additional configuration I need to do to include this value in the SAML response? Do I need to set up an inline hook to request that Okta sends this attribute? As mentioned here:
- SAML Assertion Inline Hook
Thanks in advance for any insights!
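
The check described in the question, as an added example that is not part of the original post: it looks for `SessionNotOnOrAfter` on the assertion's `AuthnStatement` (where SAML 2.0 defines it as an optional attribute) and derives the app session expiry from it, falling back to a local limit when the IdP omits it. The function names, the `LOCAL_MAX_SESSION` cap, and the trimmed sample assertions are assumptions made for illustration, and the code assumes the assertion's signature was already verified by your SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LOCAL_MAX_SESSION = timedelta(hours=8)  # hypothetical app-side cap (assumption)

def parse_saml_time(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC (end in 'Z')")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)

def session_expiry(assertion_xml, now):
    """Return (expiry, source) for an already signature-verified assertion.

    source is "idp" when SessionNotOnOrAfter decides the expiry,
    "local-cap" when the IdP value exceeds the local cap, and
    "local-default" when the attribute is absent.
    """
    root = ET.fromstring(assertion_xml)
    local_cap = now + LOCAL_MAX_SESSION
    limits = [parse_saml_time(s.get("SessionNotOnOrAfter"))
              for s in root.findall(".//saml:AuthnStatement", NS)
              if s.get("SessionNotOnOrAfter")]
    if not limits:
        return local_cap, "local-default"
    idp_limit = min(limits)  # honor the strictest statement
    if idp_limit <= now:
        raise ValueError("SessionNotOnOrAfter is already in the past")
    if idp_limit < local_cap:
        return idp_limit, "idp"
    return local_cap, "local-cap"

# Constructed sample assertions, trimmed to the elements this check reads.
WITH_ATTR = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1">
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00.000Z"
      SessionIndex="_constructed1" SessionNotOnOrAfter="2024-01-01T12:00:00.000Z"/>
</saml:Assertion>"""
WITHOUT_ATTR = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed2">
  <saml:AuthnStatement AuthnInstant="2024-01-01T10:00:00.000Z" SessionIndex="_constructed2"/>
</saml:Assertion>"""
```

A `"local-default"` result on a real response confirms that the attribute is not being sent, which is the situation described above.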