Activity-based timeout policy

testuser7 271 Reputation points
2020-11-20T19:30:30.897+00:00

Hello,

I have a disconnect with respect to the activity-based timeout policy and its usefulness.
How come AAD is involved in the idle-timeout implementation of a web-app session?
Should not an idle timeout come from the application itself, and if a timeout is detected, the application can invalidate the existing token (although its lifetime may still be valid) and redirect the user back to AAD?

So if I have set the activity-based timeout for one web app (e.g., portal.azure.com) as 2 hours:
When AAD sends the SAML/ID token to the app, would AAD send out this activity-based timeout information so that, if the application supports it, it can notify the user if the user is staring at the app screen for 2 hours?

Am I correct in my understanding?

Thanks.


2 answers

  1. testuser7 271 Reputation points
    2020-11-24T14:38:38.84+00:00

    Thanks @MarileeTurscak for taking the time, and sorry for not explaining my point clearly. Let me retry it.

    Basically, if I play it out in a flow...

    The user hits the SAML web app, i.e., https://myapp.com
    The app redirects the user to AAD
    AAD finishes authentication and redirects the user back to the app with a SAML token
    The app validates the token and shows the user the home screen of the app

    Now if the user does not carry out any activity on the app and just keeps the browser window open for 1 hour, the app wants to send a notification to the user that they will be logged out in 5 min. if they do not send any request.
    If the user does not do anything, the app can use its JavaScript to send a sign-out request to AAD, and AAD will close the SSO session.
    In that flow, the web-app-side session/cookie will also be invalidated with the help of post_logout_redirect_uri.

    As you can see, this idle-timeout implementation of a web-app session is totally application-side work.
    What is the role of AAD in triggering this?
    And hence, how does the activity-based timeout policy help?

    Thanks.

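The app-side flow described in the post above (warn after 1 hour idle, sign out 5 minutes later, then send the browser to the identity provider's logout endpoint with post_logout_redirect_uri), as an added example that is not part of the original post. `IdleSessionMonitor`, `buildSignOutUrl`, the tenant placeholder and the `/signed-out` path are assumptions, and the example assumes the Microsoft identity platform v2.0 logout endpoint; a browser timer can be bypassed, so the server must still expire the session on its own clock.

```javascript
// Added example (hypothetical names): idle tracking with a warning window.
const IDLE_LIMIT_MS = 60 * 60 * 1000; // 1 hour idle before the warning (from the post)
const WARNING_MS = 5 * 60 * 1000;     // 5 minute grace period (from the post)

class IdleSessionMonitor {
  // `now` is injectable so the logic can be tested without real timers.
  constructor({ idleLimitMs, warningMs, now = Date.now }) {
    this.idleLimitMs = idleLimitMs;
    this.warningMs = warningMs;
    this.now = now;
    this.lastActivity = now();
    this.signedOut = false;
  }

  // Call on each real user request or input event.
  // Activity after sign-out is ignored: the user must re-authenticate.
  recordActivity() {
    if (!this.signedOut) this.lastActivity = this.now();
  }

  // Poll from a timer. Returns "active", "warning" or "signed_out".
  check() {
    if (this.signedOut) return "signed_out";
    const idle = this.now() - this.lastActivity;
    if (idle >= this.idleLimitMs + this.warningMs) {
      this.signedOut = true; // terminal state, never reverts
      return "signed_out";
    }
    return idle >= this.idleLimitMs ? "warning" : "active";
  }
}

// Builds the sign-out redirect. `authority` is a placeholder such as
// https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER (assumption).
function buildSignOutUrl(authority, postLogoutRedirectUri) {
  const url = new URL(authority.replace(/\/$/, "") + "/oauth2/v2.0/logout");
  url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return url.toString();
}
```

In a browser, `check()` would run from `setInterval`, and on `"signed_out"` the page would clear its own session and navigate to the URL from `buildSignOutUrl`.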

  2. testuser7 271 Reputation points
    2020-12-11T14:14:27.75+00:00

    Hope my request was not too illogical.

