# HarvardKey Integration Services - Session Timeouts


This guide provides session timeout options for application teams integrating their application with HarvardKey.

Session timeout parameters determine when a user will be required to re-authenticate with HarvardKey. For every application integrated with HarvardKey where Single Logout (SLO) is activated, HarvardKey configures SSO session timeout to ensure greater security. Additionally, an application that incorporates Single Logout (SLO) may have its own application session timeout. The two work independently.

There are both application and HarvardKey single sign-on session timeout parameters that determine when a user will be required to authenticate:

1. **Application session timeout**
2. **SSO session timeout**
    1. Global hard-timeout
    2. Global sliding timeout
    3. Forced Authentication

## **Application Session Timeout**

The application session timeout is the session timeout configured separately by the application. If it is set, the application (app) session timeout takes precedence over HarvardKey’s single sign-on (SSO) timeout configurations (A, B, C) as long as it is shorter than the corresponding maximum SSO timeout. Assuming the app (CAS client or SAML SP) handles SSO correctly, when a user accesses an app, the app checks whether the user has a valid session established. If the user has a valid session, the user is allowed to access the application without being prompted to log in or re-enter credentials. If there is no valid session, the app redirects the user to HarvardKey for authentication/authorization. Until the app session timeout is reached, the user will never be redirected to HarvardKey for a login.

**Example**

If the app session timeout is 4 hours and a user logged into the app at 12:00 PM and interacts with the app again at 3:59 PM, their app session is still valid, so no login is required (the app does not redirect the user to HarvardKey to reauthenticate). Since the user interacted with the app prior to the app session timing out, the timer resets, granting them another 4 hours to use the app before any re-login is required.

## **HarvardKey Session Timeout**

HarvardKey automatically configures two single sign-on (SSO) session timeout parameters for every application: global hard-timeout and global sliding window timeout. If you do not wish to make use of SSO timeout, you may request a third option on the [HarvardKey Application Integration form](/resource/harvardkey-application-integration-form "HarvardKey Application Integration Form") called forced authentication. A description of each parameter can be found below.

### A. Global hard-timeout

This is a fixed time window of 8 hours and is a global setting for all HarvardKey-protected apps. After 8 hours, a user will be required to log in again whether they are actively using an app or not.

### B. Global sliding window timeout (idle session timeout)

This is a sliding window of 2 hours and is also a global setting for all HarvardKey-protected apps. If a user does not use an SSO app for two consecutive hours, they will be required to re-authenticate. If the user uses an SSO app within two hours, the timer resets to a new 2-hour window, up to the time when the 8-hour hard-timeout (A. above) is reached. That means if the user first logs in at 12:00 PM and keeps using SSO apps, the sliding window would allow the user session to remain active until 8:00 PM. There is no way it can be extended beyond 8:00 PM without another login.

### C. Forced Authentication

Forced authentication requires users to authenticate each time they access your application. To request forced authentication, select the SSO Restrictive Security Setting on the Application Integration Form.
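The following model ties together the application session timeout and the three HarvardKey SSO parameters (A, B, C) described above, so an application team can reason about exactly when a user is served from the app session, when HarvardKey re-issues a ticket silently, and when credentials are required again. It is an added example and not HarvardKey's own code; the 8-hour and 2-hour values come from this page, while the class and function names are illustrative. One assumption is spelled out in the code: the SSO sliding window is refreshed only when the browser is actually redirected to HarvardKey (i.e., after the app session has lapsed), because that is the only moment the identity provider observes the user.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Global HarvardKey SSO parameters as stated on this page.
SSO_HARD_TIMEOUT = timedelta(hours=8)     # A. global hard-timeout
SSO_SLIDING_TIMEOUT = timedelta(hours=2)  # B. global sliding (idle) timeout


@dataclass
class SsoSession:
    """HarvardKey SSO session: valid while inside the sliding window AND under the hard cap."""
    login_at: datetime   # when credentials were last entered
    last_seen: datetime  # when HarvardKey last saw this browser

    def is_valid(self, now: datetime) -> bool:
        within_hard = now < self.login_at + SSO_HARD_TIMEOUT
        within_sliding = now < self.last_seen + SSO_SLIDING_TIMEOUT
        return within_hard and within_sliding

    def expires_at(self) -> datetime:
        # The sliding window can never push expiry past the hard cap.
        return min(self.login_at + SSO_HARD_TIMEOUT,
                   self.last_seen + SSO_SLIDING_TIMEOUT)


@dataclass
class AppSession:
    """The application's own session; its timer resets on every request."""
    last_activity: datetime
    timeout: timedelta

    def is_valid(self, now: datetime) -> bool:
        return now < self.last_activity + self.timeout


@dataclass
class Browser:
    """One browser holding at most one app session and one SSO session (sessions do not cross browsers)."""
    app_timeout: timedelta
    forced_auth: bool = False           # C. forced authentication requested for this app
    sso: Optional[SsoSession] = None
    app: Optional[AppSession] = None

    def access(self, now: datetime) -> str:
        # 1. Valid app session: the app answers directly, HarvardKey is never contacted.
        if self.app is not None and self.app.is_valid(now):
            self.app.last_activity = now
            return "app_session"
        # 2. App session lapsed: redirect to HarvardKey. With a live SSO session and no
        #    forced authentication, HarvardKey issues a new ticket without a credential prompt.
        if not self.forced_auth and self.sso is not None and self.sso.is_valid(now):
            self.sso.last_seen = now  # assumption: sliding window resets on each redirect
            self.app = AppSession(last_activity=now, timeout=self.app_timeout)
            return "sso_silent"
        # 3. Otherwise the user must re-enter credentials; both sessions start over.
        self.sso = SsoSession(login_at=now, last_seen=now)
        self.app = AppSession(last_activity=now, timeout=self.app_timeout)
        return "login_required"


def simulate(app_timeout_hours: float, times: List[datetime],
             forced_auth: bool = False) -> List[Tuple[str, str]]:
    """Replay a sequence of app requests and report what each one required."""
    browser = Browser(app_timeout=timedelta(hours=app_timeout_hours), forced_auth=forced_auth)
    return [(t.strftime("%H:%M"), browser.access(t)) for t in times]


def at(hour: int, minute: int = 0) -> datetime:
    # Constructed timestamps on an arbitrary day, purely for the walkthrough.
    return datetime(2024, 1, 1, hour, minute)


if __name__ == "__main__":
    # The page's own example: 4-hour app timeout, login at 12:00, activity at 3:59 PM.
    for stamp, outcome in simulate(4, [at(12), at(15, 59)]):
        print(stamp, outcome)
    # A shorter 1-hour app timeout shows all three paths in one afternoon.
    for stamp, outcome in simulate(1, [at(12), at(12, 30), at(13, 45), at(16)]):
        print(stamp, outcome)
    # Sliding window touched at 7:30 PM still cannot outlive the 8:00 PM hard cap.
    print(SsoSession(login_at=at(12), last_seen=at(19, 30)).expires_at().strftime("%H:%M"))
```

Running the module prints, for the 1-hour app timeout, a login at 12:00, an app-served request at 12:30, a silent SSO re-issue at 13:45 (app session lapsed but the 2-hour window is open), and a credential prompt at 16:00 (last seen by HarvardKey at 13:45, so the sliding window closed at 15:45). Setting `forced_auth=True` turns every post-lapse redirect into a credential prompt, which is what option C above requests.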

## **Considerations: Sessions Within and Across Browsers**

- HarvardKey sessions do not cross browsers. In other words, an active session in Firefox would not be active if a user opens a second browser (e.g., Safari).
- If more than one HarvardKey-protected app is opened in different tabs of the same browser, those apps will share the same SSO session and any app login and logout will affect other apps’ SSO experiences.
- Some browsers also grant the ability to isolate sessions with features such as “private mode,” “incognito,” or sandboxed session containers.

## **Logout Redirection**

We recommend that applications provide a prominently placed link that allows users to log out of both the application and HarvardKey. The ability to support HarvardKey logout needs to be configured at the time an application is registered with HarvardKey. Please see our article on [Single Logout with HarvardKey](https://iam.harvard.edu/slo) for more information.

## **Recommendation: Session Configuration**

We recommend that application owners do the following regarding session timeouts:

- Configure your application session timeout to not exceed 8 hours, to align with the 8-hour global SSO session timeout for HarvardKey.
- Provide a HarvardKey logout page link or button in a prominent location in your application (or incorporate a callback to the HarvardKey logout page when implementing a link to your own local logout function) to encourage users to log out when finished.

## **Related Resources**

- [Selecting an Authentication Protocol](/selecting-harvardkey-authentication-protocol "Selecting a HarvardKey Authentication Protocol ")