Custom Session Timeouts for Okta
Organizations that use SAML authentication can set up custom session timeouts. By default, a Sigma user session lasts 30 days: once a user logs in to Sigma, their session remains valid for 30 days unless they explicitly log out before then. Security-minded admins may want to force their users to reauthenticate more often than this.
To set up a custom session timeout, you must have SAML enabled for your organization and admin access to your SAML provider.
Setup
To enforce a custom session length for your users, follow these steps:
- Enable SAML SSO to your Sigma workspace.
- Verify that you have admin privileges within your SAML provider.
- In your SAML provider, set the refreshTokenTimeoutSecs SAML attribute in your Sigma app.
- The value must be a positive integer.
- The units are in seconds; if you want your users to reauthenticate every 8 hours, set the value to (8 hours) * (60 minutes/hour) * (60 seconds/minute) = 28800.
- Save all changes in your SAML provider.
- The next time your users log out and log in to Sigma, your custom session timeout is applied.
Details
Like many SaaS apps, Sigma uses a two-tiered token system for authentication. Users are granted a long-lived refresh token which they can use to get short-lived access tokens. They then use the access tokens for authentication and authorization within Sigma.
The custom session timeout feature allows SAML admins to configure the lifetime of the long-lived refresh token. However, this feature does not affect the lifetime of the short-lived access tokens, which are always valid for one hour.
This means that if you configure your refresh tokens to be valid for 8 hours, users could theoretically stay logged in for up to 9 hours if they happen to get a new access token (lifetime 1 hour) right before their refresh token (lifetime 8 hours) expires.
Test your configuration
For a complete end-to-end test, you should:
- Configure a custom session timeout as described above.
- Log out of Sigma.
- Log back into Sigma.
- Wait for your session timeout + one hour.
- Verify that you've been logged out.
To quickly verify that your SAML settings are correct, inspect the SAML assertion itself and confirm that the attribute carries the value you expect.
- Get the SAML assertion from your SAML provider:
- Most SAML providers allow you to generate an example assertion for any app. The instructions are different for different SAML providers, so check your provider's documentation.
- Get the SAML assertion from Sigma:
- Log out of Sigma.
- Open up your browser's developer tools and navigate to the network pane.
- Log in to Sigma using SSO.
- In the network pane, locate the request to the "assert" endpoint (this request should be very early in the request log) and click on it.
- In the network pane, find the form parameters for this request (in Firefox, this is under "Params"; in Chrome it's under "Headers" > "Form Data"; the pane names vary by browser version).
- Find the SAMLResponse form parameter and copy the value. (This is the signed response your identity provider posts to Sigma; it contains the assertion. A SAMLRequest parameter is the outbound authentication request sent to your provider and carries no attributes.)
- That value is base64-encoded. You must decode it.
- DO NOT use a web-based base64 decoder. Your SAML assertion is a bearer credential, effectively equivalent to your username and password while it is valid: if somebody obtains it, they can log in to Sigma and impersonate you.
- If you're on a Mac, run `pbpaste | base64 -D > saml.xml` from your terminal.
- If you're on Linux, paste the value into a plain text file and run `base64 -d $FILE_NAME > saml.xml` from your terminal.
- If you're on Windows, paste the value into a plain text file and run `certutil -decode $FILE_NAME saml.xml` from your terminal.
- Open saml.xml in your favorite editor and, optionally, make it a little easier to read.
- If you have libxml2 installed, `xmllint --format saml.xml` pretty-prints the whole document in one step.
- Otherwise, add newlines after each ">" character (find and replace usually works here).
- If your editor supports it, auto-indent the file.
- Look for the AttributeStatement section of the XML document and check that your custom value for refreshTokenTimeoutSecs is present. It should look something like this:
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">YOUR FIRST NAME</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">YOUR LAST NAME</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="refreshTokenTimeoutSecs" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">28800</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
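The manual decode-and-inspect steps above can be scripted so the check is repeatable and the assertion never leaves your machine. The following Python script is an added example for this page, not Sigma's code or your SAML provider's. It assumes the standard SAML 2.0 HTTP-POST binding (the identity provider posts a base64-encoded Response element that contains the Assertion) and the fixed one-hour access-token lifetime described in the Details section. It accepts the SAMLResponse value either as the browser shows it or still URL-encoded from the raw request body, walks every AttributeStatement, and reports whether refreshTokenTimeoutSecs is present exactly once and is a positive integer. The sample response it builds for demonstration is constructed test data (unsigned, with no Conditions or Subject), not a real assertion.

```python
"""Decode a captured SAMLResponse and check the refreshTokenTimeoutSecs attribute.

Added example for this page; it is not Sigma's code. It assumes the SAML 2.0
HTTP-POST binding (base64-encoded <Response> holding the <Assertion>) and the
1-hour access-token lifetime stated on the page. Run it locally only: the value
you paste in is a live bearer credential.
"""
from __future__ import annotations

import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ATTR_NAME = "refreshTokenTimeoutSecs"
ACCESS_TOKEN_SECS = 3600  # fixed 1 h access token, per the Details section


def decode_saml_response(form_value: str) -> bytes:
    """Turn the SAMLResponse form parameter into raw XML bytes.

    Dev tools usually show the value already URL-decoded, so unquote() is a
    no-op there (the base64 alphabet has no '%'), but it also accepts a value
    copied from the raw request body. Whitespace from line-wrapped copies is
    dropped before strict base64 decoding.
    """
    value = "".join(urllib.parse.unquote(form_value).split())
    return base64.b64decode(value, validate=True)


def attribute_statement(xml_bytes: bytes) -> dict[str, list[str]]:
    """Collect every <saml2:Attribute> as name -> list of its values.

    iter() walks the whole tree, so this works whether you captured the full
    <Response> or only an <Assertion>. ElementTree is fine for your own IdP's
    output; use defusedxml if you ever point this at untrusted XML.
    """
    root = ET.fromstring(xml_bytes)
    attrs: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{SAML2_NS}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML2_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def check_refresh_timeout(form_value: str) -> tuple[dict[str, list[str]], int | None, str]:
    """Return (all attributes, timeout in seconds or None if invalid, verdict text)."""
    attrs = attribute_statement(decode_saml_response(form_value))
    values = attrs.get(ATTR_NAME, [])
    if not values:
        return attrs, None, f"{ATTR_NAME} is missing from the AttributeStatement"
    if len(values) != 1:
        return attrs, None, f"{ATTR_NAME} has {len(values)} values; expected exactly one"
    raw = values[0]
    if not re.fullmatch(r"[0-9]+", raw) or int(raw) <= 0:
        return attrs, None, f"{ATTR_NAME}={raw!r} is not a positive integer"
    secs = int(raw)
    worst_case_h = (secs + ACCESS_TOKEN_SECS) / 3600
    return attrs, secs, (f"{ATTR_NAME}={secs} ({secs / 3600:g} h); a session can "
                         f"last up to {worst_case_h:g} h with the 1 h access token")


def build_sample_form_value(timeout: str | None, url_encode: bool = False) -> str:
    """Construct a minimal, unsigned SAMLResponse the way an IdP would POST it.

    Constructed test data only: a real response also carries a Signature,
    Conditions and a Subject. timeout=None omits the attribute entirely.
    """
    attr = ("" if timeout is None else
            f'<saml2:Attribute Name="{ATTR_NAME}">'
            f"<saml2:AttributeValue>{timeout}</saml2:AttributeValue></saml2:Attribute>")
    xml = (
        f'<saml2p:Response xmlns:saml2p="{SAMLP_NS}" ID="_r1" Version="2.0">'
        f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_a1" Version="2.0">'
        "<saml2:AttributeStatement>"
        '<saml2:Attribute Name="firstName"><saml2:AttributeValue>Alice</saml2:AttributeValue></saml2:Attribute>'
        f"{attr}</saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"
    )
    encoded = base64.b64encode(xml.encode()).decode()
    return urllib.parse.quote(encoded, safe="") if url_encode else encoded


if __name__ == "__main__":
    import sys
    # Usage: paste the SAMLResponse value into a file, then
    #   python3 check_saml_timeout.py < saml_response.txt
    # With no input on stdin, the constructed sample response is checked instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    attrs, secs, verdict = check_refresh_timeout(data.strip() or build_sample_form_value("28800"))
    for name, vals in attrs.items():
        print(f"{name}: {', '.join(vals)}")
    print(verdict)
```

The strict `validate=True` decode and the exact-one-value check are deliberate: a silently tolerated malformed value is how a misconfigured attribute goes unnoticed until the 9-hour end-to-end test fails.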