Okta Session Length Policy Compliance

Detects whether any of your active Okta authentication policies lack a maximum session lifetime value, or have a session idle expiration value greater than 120 minutes.

Okta authentication policies should have a maximum session length configured to prevent extremely long sessions without re-authentication. Similarly, the session idle time should be set to an appropriate value for your organizational policies.

Enforcing session timeouts for idle and maximum session lifetime is an important security control for mitigating attacks such as session hijacking.

Recommended Actions

Validate your Okta authentication policy settings.

We recommend setting "Maximum Okta session lifetime" to 16 hours (one working day) and "Expire session after user has been idle on Okta for" to 2 hours.

Note - in Okta Identity Engine deployments, the Maximum Okta global session lifetime setting has moved to the Global Security Policy section and is configured within the policy rules. See this article.

Configure this insight's session idle value to match your Okta session policies.

Default Check Settings

Session expiration timeframe (min): 120
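The following is an added example of the check logic described above, not the insight's own code. It evaluates sign-on policy rules using the `actions.signon.session.maxSessionLifetimeMinutes` and `maxSessionIdleMinutes` fields from Okta's Sign-On Policy API; the list-of-policies wrapper and the sample data are constructed, and treating a lifetime or idle value of 0 (or a missing key) as "no limit" is an assumption.

```python
# Added example: reproduce the insight's check over Okta sign-on policy rules.
# Rule objects follow the Okta Sign-On Policy API shape for
# actions.signon.session.*; the outer {"name","status","rules"} wrapper and
# the sample data below are constructed for this example.
# Assumption: 0 or a missing value means the limit is not set (unlimited).

DEFAULT_IDLE_LIMIT_MIN = 120  # the insight's default check setting


def rule_findings(policy_name, rule, idle_limit_min=DEFAULT_IDLE_LIMIT_MIN):
    """Return (policy, rule, reason) tuples for one ACTIVE rule."""
    session = rule.get("actions", {}).get("signon", {}).get("session", {})
    lifetime = session.get("maxSessionLifetimeMinutes") or 0
    idle = session.get("maxSessionIdleMinutes") or 0
    findings = []
    if lifetime <= 0:
        findings.append((policy_name, rule["name"], "no maximum session lifetime"))
    if idle <= 0 or idle > idle_limit_min:
        findings.append((policy_name, rule["name"],
                         f"idle expiration {idle} min exceeds {idle_limit_min} min"))
    return findings


def check_policies(policies, idle_limit_min=DEFAULT_IDLE_LIMIT_MIN):
    """Walk all ACTIVE policies and their ACTIVE rules; collect findings."""
    findings = []
    for policy in policies:
        if policy.get("status") != "ACTIVE":
            continue  # inactive policies are not enforced, so skip them
        for rule in policy.get("rules", []):
            if rule.get("status") != "ACTIVE":
                continue
            findings.extend(rule_findings(policy["name"], rule, idle_limit_min))
    return findings


SAMPLE_POLICIES = [  # constructed sample data, not from a real tenant
    {"name": "Default Policy", "status": "ACTIVE", "rules": [
        {"name": "Default Rule", "status": "ACTIVE", "actions": {"signon": {"session": {
            "maxSessionLifetimeMinutes": 960, "maxSessionIdleMinutes": 120}}}}]},
    {"name": "Contractors", "status": "ACTIVE", "rules": [
        {"name": "Long idle", "status": "ACTIVE", "actions": {"signon": {"session": {
            "maxSessionLifetimeMinutes": 0, "maxSessionIdleMinutes": 480}}}},
        {"name": "Inactive rule", "status": "INACTIVE", "actions": {"signon": {"session": {
            "maxSessionIdleMinutes": 999}}}}]},
    {"name": "Legacy", "status": "INACTIVE", "rules": [
        {"name": "Open", "status": "ACTIVE", "actions": {"signon": {"session": {}}}}]},
]

if __name__ == "__main__":
    for policy, rule, reason in check_policies(SAMPLE_POLICIES):
        print(f"{policy} / {rule}: {reason}")
```

Only the active "Contractors / Long idle" rule is reported; the inactive rule and the inactive "Legacy" policy are skipped, which mirrors the insight's focus on active policies.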

Compatibility

Okta
