This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 4%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
GitHub supports the SessionNotOnOrAfter attribute in the AuthnStatement element.
However, I do not see that attribute in the SAML docs for Entra.
https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol
Can anyone confirm whether it is possible to set this attribute from Entra ID?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Jestin Ma , just checking to see if you were able to get the information you needed and whether you had further questions? If any of the answers provided helped you, please remember to accept the answer so that others in the community researching similar questions can more easily find a resolution. Otherwise let us know if you have further concerns.
Hi @Jestin Ma ,
Entra ID does not support SessionNotOnOrAfter attribute and does not allow configuration of session lifetimes derived from the SAML Response.
Github uses the SAML SessionNotOnOrAfter value on the SAML Assertion to define the relying application's session length (See Page 27 of the SAML spec: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf_
A potential solution would be to configure conditional access policies with session frequency.
Have you looked at the refreshTokensValidFromDateTime attribute? Here's the corresponding Graph method: https://learn.microsoft.com/en-us/graph/api/user-invalidateallrefreshtokens?view=graph-rest-beta&tabs=http
I believe that is a separate attribute which controls SAML token lifetime. SessionNotOnOrAfter controls the session duration/timeout on the application side (after which the user will be required to re-authenticate and may or may not hit the SAML token lifetime).