Session Expiration using the Org Authorization Server (OIDC)

Gerwin · June 29, 2018, 7:03am

Hello,

Currently we’re developing an MVC application with Okta IDP support. We implemented the solution as described on this Okta example from the OktaDeveloper GIT repo.
We have a very explicit wish, namely the Session should expire after 5 minutes inactivity, and the user should login again. So not just the IIS Session, but also the Okta tokens should be invalid after 5 minutes of inactivity.

There seems to be a problem with the way i setup the Okta-API settings, because the Session expires, but the session on Okta seems to remain valid. I went to Security => API, selected the Default Auth. server and added a new access policy, and disable the default.

The new Settings sets all lifetimes on 5 minutes (minimum) and the expiration (‘but will expire if not used every’) (of the Refreshtoken ??) also on 5. No matter what settings i use, i always keep my sesions with Okta unless i logout of the Application (or explicitly on the Okta interface)

What setting/Implementation do i need to be able to do as described …

G. Postma

vijet · June 29, 2018, 5:14pm

Hi @Gerwin,

The rule you added will only affect the lifetime of the tokens generated by the default Auth Server (which is different than Okta’s Auth server)
To change the session timeout of users logging to Okta’s auth server, you need to update the default sign-on policy which sets the session timeout to 2 hours.
Here are the steps -

Switch to classic view (Click on the text Developer Console on the top and select Classic View)
Go to Security -> Authentication
Click on sign-on and with Default policy selected, add a new rule with settings as shown below

rule.jpg2064×1582 190 KB
Click “Create Rule” and this rule should take priority in your sign-on policy

You can find some more information if you need here - https://support.okta.com/help/answers?id=906F0000000I0NqIAK (Screens might be slightly dated)

Hope this helps.