How to set SessionNotOnOrAfter attribute in Entra ID?

Jestin Ma 20 Reputation points
2024-04-01T16:45:34.9233333+00:00

GitHub supports the SessionNotOnOrAfter attribute in the AuthnStatement element.

https://docs.github.com/en/enterprise-cloud@latest/admin/identity-and-access-management/iam-configuration-reference/saml-configuration-reference#session-duration-and-timeout

However, I do not see that attribute in the SAML docs for Entra.

https://learn.microsoft.com/en-us/entra/identity-platform/single-sign-on-saml-protocol


Can anyone confirm whether it is possible to set this attribute from Entra ID?


Accepted answer
  1. Marilee Turscak-MSFT 36,936 Reputation points Microsoft Employee
    2024-04-01T23:32:33.3733333+00:00

    Hi @Jestin Ma,

    Entra ID does not support the SessionNotOnOrAfter attribute and does not allow configuration of session lifetimes derived from the SAML Response.

    GitHub uses the SAML SessionNotOnOrAfter value on the SAML Assertion to define the relying application's session length (see page 27 of the SAML spec: http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf).

    A potential solution would be to configure conditional access policies with session frequency.

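The relying-party behaviour the accepted answer describes, as an added Python example that is not code from the thread, GitHub or Microsoft: the SP reads SessionNotOnOrAfter from the AuthnStatement when an IdP sets it, and falls back to its own configured maximum when the IdP (as Entra ID does) omits it. The sample assertions, the hostname and the 24-hour default are constructed assumptions.

```python
"""Relying-party session deadline from a SAML 2.0 AuthnStatement.

When the IdP sets SessionNotOnOrAfter, the SP session must end no later
than that instant; when the IdP omits it (the Entra ID case), the SP
falls back to its own ceiling.  All sample data below is constructed.
"""
from datetime import datetime, timedelta
from typing import Tuple
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_saml_instant(value: str) -> datetime:
    # SAML dateTime values are UTC with a trailing 'Z'; make them tz-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_deadline(assertion_xml: str, now: datetime,
                     default_max_hours: float = 24) -> Tuple[datetime, str]:
    """Return (deadline, rule) for an already signature-verified assertion."""
    stmt = ET.fromstring(assertion_xml).find(".//saml:AuthnStatement", SAML_NS)
    if stmt is None:
        raise ValueError("assertion carries no AuthnStatement")
    sp_limit = now + timedelta(hours=default_max_hours)
    raw = stmt.get("SessionNotOnOrAfter")
    if raw is None:                       # IdP did not constrain the session
        return sp_limit, "sp-default"
    idp_limit = parse_saml_instant(raw)
    if idp_limit <= now:                  # stale assertion: refuse the login
        raise ValueError("SessionNotOnOrAfter is already in the past")
    # Never let the IdP extend the session beyond the SP's own ceiling.
    return (idp_limit, "idp") if idp_limit < sp_limit else (sp_limit, "sp-default")


# Constructed sample assertion from an IdP that sets an 8-hour session bound.
WITH_ATTR = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-04-01T16:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-04-01T16:00:00Z"
      SessionNotOnOrAfter="2024-04-02T00:00:00Z"/>
</saml:Assertion>"""
# Same assertion with the attribute omitted, as an Entra ID-issued one would be.
WITHOUT_ATTR = WITH_ATTR.replace('\n      SessionNotOnOrAfter="2024-04-02T00:00:00Z"', "")
NOW = parse_saml_instant("2024-04-01T16:45:00Z")  # constructed "current time"

if __name__ == "__main__":
    for label, xml in (("with attribute", WITH_ATTR), ("without attribute", WITHOUT_ATTR)):
        deadline, rule = session_deadline(xml, NOW)
        print(f"{label}: session ends {deadline.isoformat()} [{rule}]")
```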

1 additional answer

  1. Vasil Michev 109.5K Reputation points MVP
    2024-04-01T17:29:06.6966667+00:00

    Have you looked at the refreshTokensValidFromDateTime attribute? Here's the corresponding Graph method: https://learn.microsoft.com/en-us/graph/api/user-invalidateallrefreshtokens?view=graph-rest-beta&tabs=http

