Question
When configuring "Session Status" or "Cookie lifespan" in Access Control, how do these settings affect authentication with connected services (hereafter referred to as SP)? Please explain the relationship between these settings.
Answer
As a premise, the relationship between SPs such as Microsoft 365 / Google Workspace and Access Control during SSO setup is as shown in the following diagram. The SP calls Access Control as needed.
About Session Status
This item can be configured in Connected Services.
For SPs that use Single Sign-On (SAML integration), you can set the amount of time before users are required to re-authenticate.
When this setting is configured, after authentication, session information with the specified expiration time is retained in the browser or app.
If session information is retained in the browser or app (i.e., the session is valid), as shown in the diagram below, users can access the service directly without going through Access Control authentication or login condition checks.
* Depending on the SP, the "Session Status" set in Access Control may not be referenced, and the session expiration set on the SP side may take precedence.
* If the browser is set to automatically delete cookies, even if the session expiration is set on Access Control or the SP side, the session information saved in the browser will be deleted, and re-authentication may be required.
About Cookie lifespan
This item can be configured in Access Policy Groups.
If users successfully log in to the HENNGE authentication screen with "Remember this login" checked, their Access Control login status will be retained in that browser for the duration specified.
* Login information is saved per browser. If accessed from a different device or browser, users will need to enter their ID and password as usual.
When the Access Control login status is retained, even if the SP sends an authentication request to the IdP, as shown in the diagram below, users can skip the login operation (such as entering ID and password) on the Access Control authentication screen and smoothly access each service.
Even if the login operation is skipped, access control by access policy is still enforced and recorded in the Access Logs.
* To display "Remember this login" on the login screen, you must first set [Show "Remember this login"] to [View] under [Domain Settings] in Administration.
* The authentication cookie is a feature that works on browsers. It may not function in non-browser applications (such as Office Apps).
* If the browser is set to automatically delete cookies, you will be prompted to log in every time, even if this feature is enabled.
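The following added example (not HENNGE code or part of the original article) models how the two settings described above interact over time. The class and function names, the timings, and the choice to store the login cookie only after the access policy allows the login are assumptions made for illustration, and the model assumes the SP honors the "Session Status" value.

```python
from dataclasses import dataclass, field

@dataclass
class Browser:
    sp_session_expiry: float = 0.0  # SP session info, governed by "Session Status"
    ac_cookie_expiry: float = 0.0   # Access Control login cookie, "Cookie lifespan"

    def clear_cookies(self):
        """Browser configured to delete cookies automatically."""
        self.sp_session_expiry = self.ac_cookie_expiry = 0.0

@dataclass
class SsoModel:
    session_status: float   # seconds until the SP asks for re-authentication
    cookie_lifespan: float  # seconds the Access Control login is remembered
    access_log: list = field(default_factory=list)

    def access(self, browser, now, policy_ok=True, remember=True):
        # Valid SP session: the SP never calls Access Control, so no
        # authentication and no login condition check happens.
        if now < browser.sp_session_expiry:
            return "direct"
        # Otherwise the SP sends an authentication request to Access Control.
        if now < browser.ac_cookie_expiry:
            step = "login-skipped"
        else:
            step = "login-prompted"
        # The access policy is enforced and logged even when login is skipped.
        self.access_log.append((now, step, policy_ok))
        if not policy_ok:
            return "denied"
        if step == "login-prompted" and remember:
            browser.ac_cookie_expiry = now + self.cookie_lifespan
        browser.sp_session_expiry = now + self.session_status
        return step

def demo():
    # Constructed timeline: 1-hour Session Status, 24-hour Cookie lifespan.
    model, b = SsoModel(session_status=3600, cookie_lifespan=86400), Browser()
    results = [
        model.access(b, now=0),                      # first login
        model.access(b, now=1800, policy_ok=False),  # SP session still valid
        model.access(b, now=4000),                   # SP session expired
        model.access(b, now=8000, policy_ok=False),  # policy now rejects
        model.access(b, now=90000),                  # login cookie expired
    ]
    b.clear_cookies()
    results.append(model.access(b, now=90060))       # cookies auto-deleted
    return results, len(model.access_log)
```

The second access in the timeline shows why a long "Session Status" matters when tightening access policies: a change that would reject the user does not take effect until the SP session expires and the SP calls Access Control again.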
Reference
[Access Control] You are repeatedly prompted to log in to connected services (frequent authentication required)
[Access Control] Why am I not prompted for authentication when accessing connected services?