User Entra authentication to Postgres flexible server

Peter Koller 55 Reputation points
2025-01-22T13:17:41.25+00:00

When using EntraID authentication, is the only option for users the token-based authentication flow described here? Our users now have to obtain a new token every hour when working with tools like PowerBI.

Azure Database for PostgreSQL

2 answers

  1. Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator
    2025-01-22T14:38:24.52+00:00

    Hi Peter Koller,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    As we understand it, you are encountering challenges with token-based authentication using Microsoft Entra ID.

    We would like to inform you that the access token's validity is 5 minutes to 60 minutes. You should get the access token before initiating the sign-in to Azure Database for PostgreSQL. Existing tokens' lifetime will not be changed. After they expire, a new token will be issued based on the default value.

    If you need to continue to define the time period before initiating the sign-in again, configure sign-in frequency in Conditional Access. To learn more about Conditional Access, please refer to this link: Configure authentication session management with Conditional Access.

    Please refer to the below mentioned link for more information.

    https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes#token-lifetime-policies-for-refresh-tokens-and-session-tokens

    I hope this response addresses your query and helps you overcome your challenges.

    If this answers your query, please click Accept Answer and Yes for "Was this answer helpful". And if you have any further queries, do let us know.


  2. Vijayalaxmi Kattimani 3,250 Reputation points Microsoft External Staff Moderator
    2025-01-23T09:04:15.7633333+00:00

    Hi @Peter Koller,

    Based on my research, the default validity period for a SAML token is 1 hour. The token’s validity is defined by the NotOnOrAfter value in the <conditions> element of the token.

    When the token expires, the client must request a new one. This is often done silently through Single Sign-On (SSO), so users don't have to sign in interactively again.

    The NotOnOrAfter value can be adjusted using the AccessTokenLifetime parameter in a TokenLifetimePolicy. This adjusted lifetime includes the configured value plus a 5-minute clock skew.

    However, the NotOnOrAfter value in the <SubjectConfirmationData> element is not affected by the token lifetime configuration.

    Please refer to the below mentioned link for more information.

    https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes#saml-tokens

    I hope this information helps. Please do let us know if you have any further queries. If the answer is helpful, please click "Accept Answer" and "Upvote it".
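
Added example, not part of either answer or of Microsoft's documentation: a small token cache for applications that open their own connections, which fetches a new access token a few minutes before the old one expires so each new PostgreSQL connection is given a valid token as its password. `PgTokenCache` and `entra_fetcher` are hypothetical names, `entra_fetcher` assumes the `azure-identity` package is installed, and the host, database, user and token values in `demo` are constructed.

```python
import threading
import time

# Entra ID scope for Azure Database for PostgreSQL access tokens.
PG_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"

class PgTokenCache:
    """Hypothetical helper: caches the access token and fetches a new one
    `margin` seconds before expiry, so every new connection gets a valid password."""

    def __init__(self, fetch, margin=300, clock=time.time):
        # fetch() must return (token, expires_on) with expires_on in Unix seconds.
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._lock = threading.Lock()
        self._token, self._expires_on = None, 0

    def password(self):
        with self._lock:  # one refresh at a time when pooled workers reconnect
            if self._token is None or self._clock() >= self._expires_on - self._margin:
                self._token, self._expires_on = self._fetch()
            return self._token

    def connect_kwargs(self, host, dbname, user):
        # libpq-style parameters; the token is sent as the password over TLS.
        return dict(host=host, dbname=dbname, user=user,
                    password=self.password(), sslmode="require")

def entra_fetcher():
    """Wiring for real use; assumes the azure-identity package is installed."""
    from azure.identity import DefaultAzureCredential
    cred = DefaultAzureCredential()
    def fetch():
        tok = cred.get_token(PG_SCOPE)
        return tok.token, tok.expires_on
    return fetch

def demo():
    """Offline run with a constructed clock and constructed opaque tokens."""
    now, issued = [1_000_000], []
    def fetch():
        issued.append(f"constructed-token-{len(issued) + 1}")
        return issued[-1], now[0] + 3600      # one-hour lifetime, as in the thread
    cache = PgTokenCache(fetch, clock=lambda: now[0])
    first = cache.password()
    now[0] += 3000                            # 50 min in: cached token reused
    reused = cache.password() == first
    now[0] += 400                             # 56 min 40 s in: inside the margin
    kwargs = cache.connect_kwargs("pg.example.invalid", "appdb", "user@example.invalid")
    return reused, kwargs["password"], len(issued)
```

The cache keeps the token in memory only and relies on the expiry time reported by the token issuer rather than decoding the token itself.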

