Question:
How long will user-sessions remain active in Domino Data Lab, what are the factors around timeout and re-login?
ANSWER:
It depends on your values for SSO Session Idle and SSO Session Max. You will need to review the Keycloak settings for your specific implementation to answer this question. These three steps will give you access to the Keycloak settings:
1. Gather your password via
kubectl get secret -n domino-platform keycloak-http -ogo-template='{{.data.password | base64decode}}'; echo
2. Browse to https://<your-domino-domain>/auth/
3. User name for the site above is keycloak, choose DominoRealm, then navigate to "Realm Settings" -> "Tokens" to view the settings.
There are three interesting settings found in Keycloak that impact the timeout of the user-session.
1. SSO Session Max is the maximum amount of time someone can be logged-in to Domino Data Lab before their user-session would be logged out and they would be pushed back thru the authentication process. No matter how long they keep their browser sessions open this is the total duration before they'll be logged out.
2. SSO Session Idle - If a user is inactive for longer than this timeout, the user-session is invalidated.
If the user closes their browser window or navigates away from your Domino instance pages, they are considered inactive. So if they navigate away or close the browser, the user-session will time out once the “SSO Session Idle” time has elapsed since they left a Domino page. Once timed out, they'll be pushed back thru authentication.
(If the user never closes their browser and remains on a Domino page this SSO Session Idle will never elapse and they'll remain logged-in until the SSO Session Max is exceeded)
3. Access Token Lifespan - This defines how long our access token is valid. Domino will not check the validity of the user’s authentication with Keycloak until this token expires. So, for example, if a customer admin kills the Keycloak session for a particular user (or all users), Domino won’t recognize this until the access token expires, so a user might not be routed to the login page for some time based on this value. We recommend this be set to something short, like 5 minutes.
Note - the above applies to Domino Data Lab 4.x thru at least 5.3.x
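A simplified model of how the three settings interact, added here as an example (it is not Domino or Keycloak code). The JSON field names are those of a Keycloak realm representation; the sample values are constructed, and the model assumes access tokens are issued at login and renewed exactly at each expiry.

```python
import json

# Constructed sample: the three token settings as they appear (in seconds) in a
# Keycloak realm representation. The values are illustrative, not Domino defaults.
REALM_JSON = """
{"realm": "DominoRealm",
 "ssoSessionIdleTimeout": 1800,
 "ssoSessionMaxLifespan": 36000,
 "accessTokenLifespan": 3600}
"""
RECOMMENDED_TOKEN_MAX = 300  # the article's "something short, like 5 minutes"


def audit(realm):
    """Return findings for settings that weaken session control."""
    findings = []
    if realm["accessTokenLifespan"] > RECOMMENDED_TOKEN_MAX:
        findings.append("accessTokenLifespan %ds: a killed session can stay usable "
                        "for up to that long" % realm["accessTokenLifespan"])
    if realm["ssoSessionIdleTimeout"] >= realm["ssoSessionMaxLifespan"]:
        findings.append("ssoSessionIdleTimeout >= ssoSessionMaxLifespan: "
                        "the idle timeout can never fire first")
    return findings


def kill_noticed_at(realm, login_at, killed_at):
    """Time Domino notices an admin kill: the next access-token expiry.
    Assumes tokens are issued at login and renewed exactly at each expiry."""
    life = realm["accessTokenLifespan"]
    return login_at + ((killed_at - login_at) // life + 1) * life


def forced_relogin(realm, login_at, left_at=None, killed_at=None):
    """Earliest (time, reason) at which the user is sent back to login."""
    events = [(login_at + realm["ssoSessionMaxLifespan"], "SSO Session Max")]
    if left_at is not None:  # closed the browser or navigated away at left_at
        events.append((left_at + realm["ssoSessionIdleTimeout"], "SSO Session Idle"))
    if killed_at is not None:
        events.append((kill_noticed_at(realm, login_at, killed_at), "admin kill"))
    return min(events)


if __name__ == "__main__":
    realm = json.loads(REALM_JSON)
    for finding in audit(realm):
        print("FINDING:", finding)
    print(forced_relogin(realm, login_at=0))                 # stays on a Domino page
    print(forced_relogin(realm, login_at=0, left_at=600))    # walks away after 10 min
    print(forced_relogin(realm, login_at=0, killed_at=600))  # admin kills at 10 min
```

With the sample values, a session killed 10 minutes after login is only noticed at the 60-minute mark; with a 5-minute Access Token Lifespan the same kill is noticed at 15 minutes.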