Azure AD B2C Custom policy SAML token lifetime & session timeout

Denis Dal Molin 51 Reputation points
2022-11-24T11:39:44.927+00:00

I configured a custom b2c policy for the sign-up/sign-in flow that uses SAML for token exchange. I would like to understand how to control the token lifetime (SAML) and session duration.

The session duration should be 4 hours; to prevent the user from continually having to re-enter credentials, I would like to be able to configure an idle timeout so that the session is disconnected if there is no interaction.

Also, I would like that if the user closes the browser without logging out, it will prompt for credentials when reopened.

Is all of this possible? At the moment I'm not using offline_access scope on app registration.

At the moment I have only tried putting this in my RP file:

  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignInMFAOption" />
    <UserJourneyBehaviors>
      <SingleSignOn Scope="Application" />
      <SessionExpiryType>Rolling</SessionExpiryType>
      <SessionExpiryInSeconds>900</SessionExpiryInSeconds>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2" />

Accepted answer
  1. Akshay-MSFT 16,031 Reputation points Microsoft Employee
    2022-11-27T17:33:48.283+00:00

    Hello @Denis Dal Molin ,

    Thanks for posting your query on Microsoft Q&A. Please find the answers to your ask below:

    1. Control the token lifetime (SAML) and session duration

    To define a session duration for SAML you could use the "TokenLifeTimeInSeconds" metadata item in the Saml2AssertionIssuer technical profile.


    As per https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-issuer-technical-profile#metadata, TokenLifeTimeInSeconds specifies the life of the SAML Assertion. This value is in seconds from the NotBefore value referenced above. The default value is 300 seconds (5 minutes).

    When a user successfully authenticates with a local or social account, Azure AD B2C stores a cookie-based session on the user's browser. The cookie is stored under the Azure AD B2C tenant domain name, such as https://contoso.b2clogin.com.

    From an application's perspective, the validity period of the token is specified by the NotOnOrAfter value of the <conditions …> element in the token. After the validity period of the token has ended, the client must initiate a new authentication request, which will often be satisfied without interactive sign in as a result of the Single Sign On (SSO) Session token.

    The token is used to initialize a session for the user and is used for as long as the session has not expired. The 'NotOnOrAfter' attribute of the token isn't checked during the session; only when a new session needs to be created is the 'NotOnOrAfter' value of the token checked.

    So, a user that is actively using the site will never lose his session, but with the current way it works, once the expiration of the token has taken place the user loses access to the system and needs to sign in again.

    "I would like that if the user closes the browser without logging out, it will prompt for credentials when reopened."

    This could be achieved for local accounts only, by removing/excluding the Keep me signed in (KMSI) claim; when you enable the feature, users can opt to stay signed in, so the session remains active after they close the browser. The reference sample can be found at https://github.com/azure-ad-b2c/unit-tests/blob/main/session/Session_KeepAliveInDays.xml

    Also, the SAML IDP metadata should have ForceAuthN set to true.

    Passes the ForceAuthN value in the SAML authentication request to determine if the external SAML IDP will be forced to prompt the user for authentication. By default, Azure AD B2C sets the ForceAuthN value to false on initial login. If the session is then reset (for example by using the prompt=login in OIDC) then the ForceAuthN value will be set to true. Setting the metadata item as shown below will force the value for all requests to the external IDP. Possible values: true or false. Ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-identity-provider-technical-profile#metadata

    Please do let me know if you have any further queries for me in the comments section.

    Thanks,
    Akshay Kaushik

    Please "Accept the answer", "Upvote" and rate your experience if the suggestion works as per your business need. This will help us and others in the community as well.
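Pulling the pieces of this answer together as an added example (not code from the answer, the linked sample or the Microsoft starter pack): the tenant name, key container, session-management profile and partner IdP names are placeholders, and the 4-hour value comes from the question.

```xml
<!-- Added example, not from the original answer. Assumed placeholders: yourtenant,
     B2C_1A_SamlIdpCert, SM-Saml-issuer, Contoso-SAML2, idp.example.com. -->

<!-- 1. Relying party file: the B2C cookie session. Absolute caps the session at
        4 hours (14400 s) regardless of activity; Rolling would renew it on every
        cookie-based re-authentication and so act as an idle timeout instead. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInMFAOption" />
  <UserJourneyBehaviors>
    <SingleSignOn Scope="Application" />
    <SessionExpiryType>Absolute</SessionExpiryType>
    <SessionExpiryInSeconds>14400</SessionExpiryInSeconds>
  </UserJourneyBehaviors>
  <!-- PolicyProfile technical profile unchanged -->
</RelyingParty>

<!-- 2. Extensions file: the SAML assertion itself. TokenLifeTimeInSeconds sets
        NotOnOrAfter = NotBefore + 300 s; the app checks it only when creating a
        new session, so keep it short and let the B2C session carry the user. -->
<TechnicalProfile Id="Saml2AssertionIssuer">
  <DisplayName>Token Issuer</DisplayName>
  <Protocol Name="SAML2" />
  <OutputTokenFormat>SAML2</OutputTokenFormat>
  <Metadata>
    <Item Key="IssuerUri">https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_signup_signin_saml</Item>
    <Item Key="TokenLifeTimeInSeconds">300</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
  </CryptographicKeys>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
</TechnicalProfile>

<!-- 3. Local-account sign-in: keep KMSI off so closing the browser ends the session. -->
<TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
  <Metadata>
    <Item Key="setting.enableRememberMe">false</Item>
  </Metadata>
</TechnicalProfile>

<!-- 4. Federated SAML IdP (if any): force an interactive prompt on every request so
        the IdP's own session cannot silently sign the user back in. -->
<TechnicalProfile Id="Contoso-SAML2">
  <Protocol Name="SAML2" />
  <Metadata>
    <Item Key="PartnerEntity">https://idp.example.com/metadata</Item>
    <Item Key="ForceAuthN">true</Item>
  </Metadata>
</TechnicalProfile>
```

Fragments 2 to 4 each override or extend the profile of the same Id in the base policy; only the elements shown need to appear in the extensions file.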


1 additional answer

  1. Akshay-MSFT 16,031 Reputation points Microsoft Employee
    2023-05-24T05:55:55.09+00:00

    @Arshadbasha shaik

    You can configure the Azure AD B2C session behavior, including:

    Web app session lifetime (minutes) - The amount of time the Azure AD B2C session cookie is stored on the user's browser after successful authentication. You can set the session lifetime up to 24 hours.

    Web app session timeout - Indicates how a session is extended by the session lifetime setting or the Keep me signed in (KMSI) setting.
    Rolling - Indicates that the session is extended every time the user performs a cookie-based authentication (default).
    Absolute - Indicates that the user is forced to re-authenticate after the time period specified.


    Thanks,

    Akshay Kaushik
