Question
When using services integrated with Access Control, such as Microsoft 365 or Google Workspace (hereafter referred to as SP), the Access Control login screen (authentication screen) appears repeatedly, and authentication is frequently required. Please tell me how to configure settings or what points to check in order to keep the login state for a longer period and reduce the number of authentication prompts.
Answer
If the session expiration time for Access Control or the SP is set to a short period, or if the browser's security settings are deleting login information, you may be prompted to re-authenticate frequently.
To reduce the frequency of logins, please check the following settings.
Cookie lifespan Settings
This setting determines how long the login state is retained in the browser after successfully logging in from the Access Control authentication screen.
While the Access Control login state is retained in the browser, the login operation is skipped even if the SP sends another authentication request to Access Control.
- From the Access Control Administration, go to the Access Policy Groups settings screen, select the desired Access policy group, and set the Cookie lifespan to your preferred value.
  See also: [Access Control] Creating / Editing Access Policy Groups
- Set Show "Remember this login" under Domain Settings to View.
  See also: [Access Control] Login Screen Settings
- When users log in, check "Remember this login" on the authentication screen to keep the cookie in the browser for the period set in step 1 (unless the user logs out manually).
  * If this is not checked, the user will be logged out when the browser is closed, regardless of the setting.
Session duration (in hours) Settings
This setting determines how long after login a Single Sign-On (SAML-integrated) SP waits before requiring re-authentication.
* How this value is handled depends on each SP.
See also: SP Session Settings
- Open Edit Connected Service from the Access Control Administration.
- Set the value for Session duration (in hours) in the settings for the relevant SP.
SP Session Settings
Depending on the SP, the session expiration set in Access Control may not be referenced, and the session expiration set on the SP side may take precedence.
If you have set the "Session duration (in hours)" but are still frequently prompted for authentication, please check the session retention settings on the SP side.
For example, Microsoft and Google have published the following articles regarding session retention periods:
- Microsoft 365 session timeouts (external link)
- Set session length for Google services (external link)
* The behavior and session management specifications on the SP side may change in the future due to changes in the specifications of each cloud service.
Check your browser settings
Even if you have configured settings on Access Control or the SP side, login information may be deleted depending on the browser settings used by the user.
If only specific users are frequently prompted to log in, please check the following:
- Is the browser set to automatically delete cookies when closed?
- Is the user browsing in a mode that does not save history (such as incognito mode or a private window)?
- Is the setting to block third-party cookies enabled?
Reference
[Access Control] Relationship between "Session duration (in hours)" and "Cookie lifespan" for connected services
[Access Control] Why am I not prompted for authentication when accessing a connected service?