We’ve got an app that is set up for authenticating via Okta SAML, and we want to set our app to honor session timeout policies set by organizations via Okta. Examining the raw XML response on a test org, it seems Okta is not sending the “SessionNotOnOrAfter” attribute.
Do I need to configure something in the Okta admin console to send the SessionNotOnOrAfter? I’ve added a new sign-on rule on the Authentication / Sign-On page for my test org (https://.okta.com/admin/access/policies#sign-on), to set a custom “session expires after” value. Is there another place to set the session timeout? Or would this value be sent as a different attribute than “SessionNotOnOrAfter”?
And if this is being set correctly, is there some additional configuration I need to do to include this value in the SAML response? Do I need to set up an inline hook to request that Okta sends this attribute? As mentioned here:
I just verified the assertion in my environment and I can see the NotOnOrAfter attribute populated. It’s buried deep in the body of the assertion, so maybe you just missed it.
"I have looked at the issue from our side; unfortunately, we don’t offer any functionality in regards to the session timeout value. The SP provider … would be responsible."
So Okta doesn’t offer any capabilities for sending SessionNotOnOrAfter, or any other session timeout value, to SPs as part of the SAML auth flow.
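The two attributes get mixed up easily: NotOnOrAfter on Conditions (and on SubjectConfirmationData) bounds how long the assertion itself may be accepted, while SessionNotOnOrAfter on the AuthnStatement is the one that would bound the login session. The following is an added example, not code from the thread or from Okta: it parses a constructed assertion shaped like the ones discussed above (assertion-level NotOnOrAfter present, no SessionNotOnOrAfter) and shows an SP falling back to its own session policy when the IdP sends no session bound. The hypothetical SP default of eight hours, the issuer and the ACS URL are assumptions.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample, not a real Okta response. Like the responses discussed
# above it carries NotOnOrAfter on Conditions and SubjectConfirmationData
# but no SessionNotOnOrAfter on the AuthnStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>http://www.okta.com/exampleIssuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z" SessionIndex="_s1"/>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC ("Z"); normalise so fromisoformat accepts them.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def assertion_validity_end(assertion_xml):
    """Conditions/@NotOnOrAfter: how long the assertion may be accepted.
    This is the attribute the reply above saw; it is not a session bound."""
    root = ET.fromstring(assertion_xml)  # parse only after signature validation
    return _ts(root.find("saml:Conditions", NS).get("NotOnOrAfter"))

def session_expiry(assertion_xml, sp_default=timedelta(hours=8)):
    """Return (expiry, source) for the SP session created from this assertion.
    Uses AuthnStatement/@SessionNotOnOrAfter when the IdP sends it; otherwise
    applies the SP's own lifetime (assumed 8h) anchored on AuthnInstant."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is not None and stmt.get("SessionNotOnOrAfter"):
        return _ts(stmt.get("SessionNotOnOrAfter")), "SessionNotOnOrAfter"
    anchor = stmt.get("AuthnInstant") if stmt is not None else root.get("IssueInstant")
    return _ts(anchor) + sp_default, "sp-default"
```

Whichever source wins, the SP session must never outlive the SP's own policy, and the assertion bound from Conditions still applies separately when the assertion is consumed.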