activity-based timeout policy



Hello,

I have a disconnect with respect to activity-based timeout policy and its usefulness.
How come AAD is involved in the idle-timeout implementation of a web-app session?
Should not an idle timeout come from the application itself, and if a timeout is detected, the application can invalidate the existing token (although its lifetime may still be valid) and redirect the user back to AAD?

So if I have set activity-based timeout for one web-app (e.g., portal.azure.com) as 2 hours.
When AAD sends the SAML/ID-token to the app, would AAD send out this activity-based timeout information so that, if the application supports it, it can notify the user if the user is staring at the app screen for 2 hours? If the user does not do any activity on the app, the JavaScript of the app will send out the sign-out request to AAD to sign the user out.

 

Am I correct in my understanding?

Thanks.

0 Replies