SSO Sessions

In SSO, an active user session means the user has successfully logged in and the session has not yet expired. The session duration is defined when configuring client groups in the SSO Service configuration. The default timeout is 14 days, but you can customize this value.

Session management is crucial for building custom login logic within the SSO journey based on the session status. For example, if the session is valid, you can add journey steps that show a redirection message and automatically redirect the user to the required app without requiring credentials. If you have MFA enabled, you can add a journey step that only collects user information, such as a username, to implement a lighter login flow without sacrificing security. If the session has expired, the user will be prompted to re-authenticate.

The SSO model supports multiple SSO sessions per browser, as an SSO session correlates with a Clients-Group. This allows a user to authenticate to clients of different groups, each maintaining its own session context.

[Flowchart: Start SSO login → Has valid SSO session? → yes: Silent login; no: Prompt for login → Complete]

Note

The journey step dedicated to detecting user sessions is the SSO session validity step.
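
The branch described above can be modeled as follows. This is an added illustration, not the product's own code or API: the class names, the `next_step` function and the group names are hypothetical, and the only value taken from this page is the 14-day default timeout. It shows that a session is scoped to one client group, and that an expired or terminated session falls back to the login prompt.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

DEFAULT_TIMEOUT = timedelta(days=14)  # default from this page; configurable per client group


@dataclass
class SsoSession:
    user: str
    created_at: datetime
    timeout: timedelta = DEFAULT_TIMEOUT
    terminated: bool = False  # set when the session is ended before it expires

    def is_valid(self, now: datetime) -> bool:
        # Valid only while not terminated and strictly inside the timeout window.
        return not self.terminated and now < self.created_at + self.timeout


class BrowserSessions:
    """Hypothetical model: one SSO session per client group for a single browser."""

    def __init__(self):
        self._by_group = {}

    def login(self, group, user, now, timeout=DEFAULT_TIMEOUT):
        self._by_group[group] = SsoSession(user, now, timeout)

    def terminate(self, group):
        if group in self._by_group:
            self._by_group[group].terminated = True

    def next_step(self, group, now):
        """Mirror the journey branch: silent login if valid, otherwise prompt."""
        session = self._by_group.get(group)
        if session is not None and session.is_valid(now):
            return "silent_login"
        return "prompt_for_login"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample time
    browser = BrowserSessions()
    browser.login("group-a", "alice", t0)
    for group, offset in [("group-a", 13), ("group-b", 1), ("group-a", 14)]:
        print(group, offset, browser.next_step(group, t0 + timedelta(days=offset)))
```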

Next steps

Sessions can be terminated earlier than the configured expiration, either in the Admin Portal or through external management. For more details, see the SSO Session Logout API and the guide on Managing SSO from External Services.