Features | CSI Teachable Replacement App | Updated March 15, 2026

SSO Session Expiry & Forced Re-authentication

Available from: v1.0.80

Overview

Starting in v1.0.80, the platform enforces session expiry in alignment with the token lifetime issued by an organization's SSO provider. When a session expires, learners are required to re-authenticate through their identity provider before they can access any course content.

This ensures that access controls defined in the identity provider (IdP) are consistently respected across the platform — a session on this platform cannot outlive the SSO token that created it.


How It Works

1. Session Lifetime Is Derived from the SSO Token

When a learner authenticates via SSO, the platform records the token lifetime provided by the identity provider. The platform session is bound to this lifetime — it will not remain valid beyond the point at which the upstream SSO token expires.

2. Expired Sessions Are Blocked

When a learner with an expired session attempts to access course content, the platform:

  1. Detects that the session has expired relative to the SSO token lifetime.
  2. Denies access to the requested content.
  3. Redirects the learner to their organization's identity provider to re-authenticate.

There is no grace period or silent session extension.

3. Fresh Session Is Established on Re-authentication

After the learner successfully re-authenticates with the identity provider, a new platform session is created with a fresh expiry tied to the new SSO token. The learner is then returned to the platform with full access restored.


Behaviour Summary

| Scenario | Behaviour |
|---|---|
| Active session within token lifetime | Access granted, no interruption |
| Session expired (SSO token elapsed) | Access denied, redirected to IdP for re-authentication |
| Successful re-authentication | New session created, access restored |
| Re-authentication fails or is denied by IdP | Access remains blocked |

Administrator Notes

  • No configuration required. Session expiry is automatically derived from the SSO token lifetime returned by the identity provider during authentication.
  • If your organization requires a shorter effective session lifetime, this should be configured at the identity provider level. The platform will honour whatever lifetime the IdP issues.
  • This behaviour applies to all organizations using SSO-based access control.

Learner Experience

Learners will see a re-authentication prompt when their session expires. This is expected behaviour and does not indicate an error. They should log in via their usual organizational credentials (SSO) to continue.


Security Considerations

Prior to v1.0.80, platform sessions could persist beyond the lifetime of the originating SSO token. This meant a learner whose access had been revoked at the identity provider level might retain access to course content until their platform session was manually invalidated.

With v1.0.80, the platform session lifecycle is tightly coupled to the SSO token lifetime, ensuring that any access revocation or expiry enforced by the identity provider is immediately reflected on the platform.
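
The binding described under How It Works, set beside the pre-v1.0.80 pattern from Security Considerations, as an added example that is not the platform's own code. The fixed legacy TTL, the IdP URL and every function name here are assumptions made for illustration, and the timeline is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed placeholder values, not taken from the platform.
IDP_LOGIN_URL = "https://idp.example.com/sso/login"
LEGACY_PLATFORM_TTL = timedelta(days=14)  # hypothetical fixed TTL for the old pattern


@dataclass(frozen=True)
class Session:
    subject: str
    expires_at: datetime  # absolute UTC instant; never extended on activity


def legacy_session(subject: str, now: datetime) -> Session:
    """Old pattern: expiry ignores the IdP token, so the session can outlive it."""
    return Session(subject, now + LEGACY_PLATFORM_TTL)


def bound_session(subject: str, token_expires_at: datetime, now: datetime) -> Session:
    """New pattern: session expiry is exactly the IdP token expiry."""
    if token_expires_at.tzinfo is None:
        raise ValueError("token expiry must be timezone-aware")
    if token_expires_at <= now:
        raise ValueError("IdP token already expired; refusing to create a session")
    return Session(subject, token_expires_at.astimezone(timezone.utc))


def authorize(session: Optional[Session], now: datetime) -> Tuple[str, Optional[str]]:
    """Gate for course content: no grace period, no silent extension."""
    if session is None or now >= session.expires_at:
        return ("redirect", IDP_LOGIN_URL)  # deny, send the learner to the IdP
    return ("allow", None)


if __name__ == "__main__":
    # Constructed timeline: login at 09:00 UTC with a one-hour IdP token.
    login = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    token_exp = login + timedelta(hours=1)
    later = login + timedelta(hours=3)
    old = legacy_session("learner-1", login)
    new = bound_session("learner-1", token_exp, login)
    print("legacy, 3h later:", authorize(old, later))   # still allowed
    print("bound, 3h later: ", authorize(new, later))   # redirected to the IdP
    # Re-authentication yields a new token and therefore a new session expiry.
    fresh = bound_session("learner-1", later + timedelta(hours=1), later)
    print("after re-auth:   ", authorize(fresh, later))
```

The comparison in `authorize` uses `>=`, so the session is already invalid at the exact instant the token expires.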