How to set SessionNotOnOrAfter attribute in Entra ID?

Jestin Ma 20 Reputation points
2024-04-01T16:45:34.9233333+00:00

GitHub supports the SessionNotOnOrAfter attribute in the AuthnStatement element.

https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/iam-configuration-reference/saml-configuration-reference#session-duration-and-timeout

However, I do not see that attribute in the SAML docs for Entra.

https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol


Can anyone confirm whether it is possible to set this attribute from Entra ID?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,629 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,306 questions
{count} votes

Accepted answer
  1. Marilee Turscak-MSFT 33,621 Reputation points Microsoft Employee
    2024-04-01T23:32:33.3733333+00:00

    Hi @Jestin Ma ,

    Entra ID does not support SessionNotOnOrAfter attribute and does not allow configuration of session lifetimes derived from the SAML Response.

    Github uses the SAML SessionNotOnOrAfter value on the SAML Assertion to define the relying application's session length (See Page 27 of the SAML spec: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf_

    A potential solution would be to configure conditional access policies with session frequency.

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Vasil Michev 94,206 Reputation points MVP
    2024-04-01T17:29:06.6966667+00:00

    Have you looked at the refreshTokensValidFromDateTime attribute? Here's the corresponding Graph method: https://learn.microsoft.com/en-us/graph/api/user-invalidateallrefreshtokens?view=graph-rest-beta&tabs=http