How to set SessionNotOnOrAfter attribute in Entra ID?

Jestin Ma 20 Reputation points
2024-04-01T16:45:34.9233333+00:00

GitHub supports the SessionNotOnOrAfter attribute in the AuthnStatement element.

https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/iam-configuration-reference/saml-configuration-reference#session-duration-and-timeout

However, I do not see that attribute in the SAML docs for Entra.

https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol
Can anyone confirm whether it is possible to set this attribute from Entra ID?


Answer accepted by question author
Marilee Turscak-MSFT 37,271 Reputation points Microsoft Employee Moderator
2024-04-01T23:32:33.3733333+00:00

Hi @Jestin Ma ,

Entra ID does not support the SessionNotOnOrAfter attribute and does not allow configuration of session lifetimes derived from the SAML Response.

GitHub uses the SAML SessionNotOnOrAfter value on the SAML Assertion to define the relying application's session length (see page 27 of the SAML spec: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf).

A potential solution would be to configure conditional access policies with sign-in frequency.
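To show what the answer above means in practice for the relying party, here is an added example (not from the question or either answer) of an SP-side check that reads SessionNotOnOrAfter from the AuthnStatement when the IdP sends it and falls back to a local maximum when, as with Entra ID, it is absent. The sample assertions, the 8-hour cap and the function names are constructed for this illustration.

```python
# Added example: derive the SP session expiry from a SAML assertion.
# If the IdP supplies SessionNotOnOrAfter, honour it but never exceed the
# local cap; if it is absent (Entra ID), apply the local cap alone.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_SESSION = timedelta(hours=8)  # assumed local SP policy, not a Microsoft default

def _parse_ts(value):
    # SAML dateTime values are UTC ("...Z"); drop fractional seconds before parsing.
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def session_expiry(assertion_xml, now, max_session=MAX_SESSION):
    """Return (expiry, source): the IdP value when present, capped by local policy."""
    root = ET.fromstring(assertion_xml)
    stmt = root.find("saml:AuthnStatement", NS)
    if stmt is None:
        raise ValueError("assertion has no AuthnStatement")
    cap = now + max_session
    value = stmt.get("SessionNotOnOrAfter")
    if not value:
        return cap, "sp-default"  # Entra ID case: attribute not issued
    idp_expiry = _parse_ts(value)
    if idp_expiry <= now:
        raise ValueError("SessionNotOnOrAfter has already passed")
    return min(idp_expiry, cap), "SessionNotOnOrAfter"

# Constructed sample assertions (not real IdP output; signatures omitted).
WITH_SESSION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-04-01T16:45:34Z"
      SessionNotOnOrAfter="2024-04-01T18:45:34Z"/>
</saml:Assertion>"""
WITHOUT_SESSION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2024-04-01T16:45:34Z"/>
</saml:Assertion>"""

if __name__ == "__main__":
    now = datetime(2024, 4, 1, 16, 45, 34, tzinfo=timezone.utc)
    for label, xml in (("with attribute", WITH_SESSION), ("without", WITHOUT_SESSION)):
        expiry, source = session_expiry(xml, now)
        print(f"{label}: session ends {expiry.isoformat()} ({source})")
```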


1 additional answer

Vasil Michev 123.6K Reputation points MVP Volunteer Moderator
2024-04-01T17:29:06.6966667+00:00

Have you looked at the refreshTokensValidFromDateTime attribute? Here's the corresponding Graph method: https://learn.microsoft.com/en-us/graph/api/user-invalidateallrefreshtokens?view=graph-rest-beta&tabs=http

