Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Additional Configuration

Managing user sessions

search

Please Note:

printsuggest an edit

Managing user sessions

When users log into realms, SafeNet Access Exchange maintains a user session for each user and remembers each client visited by the user within the session. Realm administrators can perform multiple actions on each user session:

  • View login statistics for the realm.
  • View active users and where they logged in.
  • Log a user out of their session.
  • Revoke tokens.
  • Set up token timeouts.
  • Set up session timeouts.

copy link to clipboardAdministering sessions

To see a top-level view of the active clients and sessions in SafeNet Access Exchange, click Sessions from the menu.

alt_text

copy link to clipboardSigning out all active sessions

You can sign out all users in the realm. From the Action list, select Sign out all active sessions. All SSO cookies become invalid. SafeNet Access Exchange notifies clients by using the SafeNet Access Exchange OIDC client adapter of the logout event. Clients requesting authentication within active browser sessions must log in again. Client types such as SAML do not receive a back-channel logout request.

Note

Clicking Sign out all active sessions does not revoke outstanding access tokens. Outstanding tokens must expire naturally. For clients using the SafeNet Access Exchange OIDC client adapter, you can push a revocation policy to revoke the token, but this does not work for other adapters.

copy link to clipboardViewing client sessions

Procedure

  1. Click Clients in the menu.

  2. Click the Sessions tab.

  3. Click a client to see that client’s sessions.

copy link to clipboardViewing user sessions

Procedure

  1. Click Users in the menu.
  2. Click the Sessions tab.
  3. Click a user to see that user’s sessions

copy link to clipboardRevoking active sessions

If your system is compromised, you can revoke all active sessions and access tokens.

Procedure

  1. Click Sessions in the menu.

  2. From the Actions list, select Revocation.

alt_text

  1. Specify a time and date where sessions or tokens issued before that time and date are invalid using this console.

    • Click Set to now to set the policy to the current time and date.
    • Click Push to push this revocation policy to any registered OIDC client with the SafeNet Access Exchange OIDC client adapter.

copy link to clipboardSession and token timeouts

SafeNet Access Exchange includes control of the session, cookie, and token timeouts through the Sessions and Tokens tabs in the Realm settings menu.

alt_text

Configuration Description

SSO Session Idle

This setting is for OIDC clients only. If a user is inactive for longer than this timeout, the user session is invalidated. This timeout value resets when clients request authentication or send a refresh token request. SafeNet Access Exchange adds a window of time to the idle timeout before the session invalidation takes effect.

SSO Session Max

The maximum time before a user session expires.

SSO Session Idle Remember Me

This setting is similar to the standard SSO Session Idle configuration but specific to logins with **Remember Me** enabled. Users can specify longer session idle timeouts when they click **Remember Me** when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same idle timeout as the SSO Session Idle configuration.

SSO Session Max Remember Me

This setting is similar to the standard SSO Session Max but specific to **Remember Me** logins. Users can specify longer sessions when they click **Remember Me** when logging in. This setting is an optional configuration and, if its value is not greater than zero, it uses the same session lifespan as the SSO Session Max configuration.

Client Session Idle

Idle timeout for the client session. If the user is inactive for longer than this timeout, the client session is invalidated and the refresh token requests bump the idle timeout. This setting never affects the general SSO user session, which is unique. Note the SSO user session is the parent of zero or more client sessions, one client session is created for every different client app the user logs in. This value should specify a shorter idle timeout than the **SSO Session Idle**. Users can override it for individual clients in the **Advanced Settings** client tab. This setting is an optional configuration and, when set to zero, uses the same idle timeout in the SSO Session Idle configuration.

Client Session Max

The maximum time for a client session and before a refresh token expires and invalidates. As in the previous option, this setting never affects the SSO user session and should specify a shorter value than the **SSO Session Max**. Users can override it for individual clients in the **Advanced Settings** client tab. This setting is an optional configuration and, when set to zero, uses the same max timeout in the SSO Session Max configuration.

Offline Session Idle

This setting is for offline access. The amount of time the session remains idle before SafeNet Access Exchange revokes its offline token. SafeNet Access Exchange adds a window of time to the idle timeout before the session invalidation takes effect.

Offline Session Max Limited

This setting is for offline access. If this flag is Enabled, Offline Session Max can control the maximum time the offline token remains active, regardless of user activity. If the flag is Disabled, offline sessions never expire by lifespan, only by idle. Once this option is activated, the Offline session Max (global option at realm level) and Client Offline Session Max (specific client level option in the Advanced Settings tab) can be configured.

Offline Session Max

This setting is for offline access, and it is the maximum time before SafeNet Access Exchange revokes the corresponding offline token. This option controls the maximum amount of time the offline token remains active, regardless of user activity.

Login timeout

The total time a logging in must take. If authentication takes longer than this time, the user must start the authentication process again.

Login action timeout

The Maximum time users can spend on any one page during the authentication process.

copy link to clipboardTokens tab

alt_text

Configuration Description

Default Signature Algorithm

The default algorithm used to assign tokens for the realm.

Revoke Refresh Token

When Enabled, SafeNet Access Exchange revokes refresh tokens and issues another token that the client must use. This action applies to OIDC clients performing the refresh token flow.

Access Token Lifespan

When SafeNet Access Exchange creates an OIDC access token, this value controls the lifetime of the token.

Access Token Lifespan For Implicit Flow

With the Implicit Flow, SafeNet Access Exchange does not provide a refresh token. A separate timeout exists for access tokens created by the Implicit Flow.

Client login timeout

The maximum time before clients must finish the Authorization Code Flow in OIDC.

User-Initiated Action Lifespan

The maximum time before a user’s action permission expires. Keep this value short because users generally react to self-created actions quickly.

Default Admin-Initiated Action Lifespan

The maximum time before an action permission sent to a user by an administrator expires. Keep this value long to allow administrators to send e-mails to offline users. An administrator can override the default timeout before issuing the token.

Email Verification

Specifies independent timeout for email verification.

IdP account email verification

Specifies independent timeout for IdP account email verification.

Forgot password

Specifies independent timeout for forgot password.

Execute actions

Specifies independent timeout for execute actions.

Note

For idle timeouts, a two-minute window of time exists that the session is active. For example, when you have the timeout set to 30 minutes, it will be 32 minutes before the session expires.

This action is necessary for some scenarios in cluster and cross-data center environments where the token refreshes on one cluster node a short time before the expiration and the other cluster nodes incorrectly consider the session as expired because they have not yet received the message about a successful refresh from the refreshing node.

On this page