
SAML Session (SessionNotOnOrAfter)

Written by Ron Azogui
Updated yesterday

Maximum App Session Lifetime SAML Application ("SessionNotOnOrAfter" Attribute)

The SessionNotOnOrAfter attribute is a critical component within a Security Assertion Markup Language (SAML) Assertion, specifically found in the AuthnStatement element. It is used by the Identity Provider (IdP) to communicate the maximum acceptable lifetime of the authenticated session to the Service Provider (SP), thereby defining the session expiration.

Understanding SessionNotOnOrAfter

This attribute specifies the time instant at which the authenticated session, established through the SAML assertion, must be considered invalid and re-authentication is required.

Key Characteristics

  • IdP-Defined: The value is set by the IdP and reflects the IdP's session policy or the maximum duration it guarantees the assertion's validity.

  • Session Boundary: It acts as an absolute upper bound for how long the SP should maintain the user's session based on this specific SAML assertion.

  • Time Format: The value must be an XML Schema date/time type (xs:dateTime), typically expressed in Coordinated Universal Time (UTC) with the 'Z' suffix.

  • Enforcement: The SP is responsible for respecting this value. Upon expiration, the SP should terminate the user's session and may redirect the user back to the IdP for a fresh authentication.

Relationship with NotOnOrAfter

It is important to distinguish SessionNotOnOrAfter from the assertion-level NotOnOrAfter attribute (found on the <Assertion> element):

Attribute                             | Scope              | Purpose
--------------------------------------|--------------------|---------------------------------------------------------------
NotOnOrAfter (Assertion Level)        | Assertion Validity | Defines the time after which the entire SAML Assertion document must not be accepted by the SP.
SessionNotOnOrAfter (AuthnStatement)  | Session Validity   | Defines the time after which the user's authenticated session at the SP must be terminated, regardless of whether the assertion itself is still technically valid.

In practice, SessionNotOnOrAfter is often set equal to or slightly earlier than the Assertion's NotOnOrAfter to ensure session termination occurs within the valid lifespan of the assertion.

Implementation Considerations for Service Providers (SP)

Service Providers must incorporate logic to handle the SessionNotOnOrAfter value:

  1. Extraction: The SP extracts the timestamp from the AuthnStatement upon receiving and validating the SAML assertion.

  2. Session Expiration Setting: The SP uses this timestamp to set the maximum expiration time for the user's application session. If the SP's own internal session timeout is shorter, the SP may use the shorter time. However, the session must not last longer than the SessionNotOnOrAfter time.

  3. Re-authentication: When the session expires due to reaching the SessionNotOnOrAfter time, the SP must require a full re-authentication, typically by initiating a new SAML request.

Example XML Snippet

<saml:Assertion ...>
  <saml:Subject>...</saml:Subject>
  <saml:Conditions NotBefore="2026-02-27T14:00:00Z" NotOnOrAfter="2026-02-27T15:00:00Z">
    ...
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2026-02-27T14:00:00Z" SessionIndex="..." SessionNotOnOrAfter="2026-02-27T16:00:00Z">
    <saml:AuthnContext>...</saml:AuthnContext>
  </saml:AuthnStatement>
  ...
</saml:Assertion>

In this example, the SP must terminate the user's session at or before 2026-02-27T16:00:00Z. Note that the Assertion itself expires earlier (15:00:00Z), but the session validity could theoretically extend beyond the assertion validity if the IdP chose to set it this way (though this is uncommon and often leads to security concerns). A standard practice is to ensure SessionNotOnOrAfter respects the Assertion's NotOnOrAfter.
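The following is an added example, not code from the original article, showing how an SP can carry out the three implementation steps above (extract the timestamp, cap the application session at SessionNotOnOrAfter or the SP's own shorter timeout, and treat the session as needing re-authentication once that instant is reached). It also flags the situation in the XML snippet where SessionNotOnOrAfter falls after the assertion's NotOnOrAfter. The sample assertion, the issuer, NameID and ID values are constructed for the example; a real SP verifies the XML signature and the audience before reading any of these attributes, and should parse untrusted XML with a hardened parser (for example defusedxml) rather than the standard library module used here for self-containment.

```python
"""Added example: derive the SP session deadline from SessionNotOnOrAfter."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"

# Constructed sample mirroring the article's snippet (signature omitted).
# Note the deliberate mismatch: the session bound (16:00Z) lies after the
# assertion's NotOnOrAfter (15:00Z).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-id" IssueInstant="2026-02-27T14:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-02-27T14:00:00Z" NotOnOrAfter="2026-02-27T15:00:00Z"/>
  <saml:AuthnStatement AuthnInstant="2026-02-27T14:00:00Z" SessionIndex="_example-session"
      SessionNotOnOrAfter="2026-02-27T16:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_instant(value: str) -> datetime:
    """Parse an xs:dateTime value; SAML profiles require UTC with a 'Z' suffix."""
    if not value.endswith("Z"):
        raise ValueError(f"SAML time value must be UTC with 'Z' suffix: {value!r}")
    # fromisoformat accepts optional fractional seconds, which xs:dateTime permits.
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def extract_timestamps(assertion_xml: str) -> dict:
    """Step 1 (Extraction): pull the validity instants out of the assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag != ASSERTION_TAG:
        raise ValueError("root element is not a saml:Assertion")
    conditions = root.find("saml:Conditions", SAML_NS)
    authn = root.find("saml:AuthnStatement", SAML_NS)
    if conditions is None or authn is None or conditions.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks Conditions/NotOnOrAfter or AuthnStatement")
    not_before = conditions.get("NotBefore")          # optional per the schema
    session_end = authn.get("SessionNotOnOrAfter")    # optional per the schema
    return {
        "not_before": parse_saml_instant(not_before) if not_before else None,
        "not_on_or_after": parse_saml_instant(conditions.get("NotOnOrAfter")),
        "session_not_on_or_after": parse_saml_instant(session_end) if session_end else None,
    }


def assertion_window_ok(assertion_xml: str, now: datetime) -> bool:
    """True when 'now' lies inside [NotBefore, NotOnOrAfter). 'OnOrAfter' means
    the boundary instant itself is already invalid."""
    ts = extract_timestamps(assertion_xml)
    if ts["not_before"] is not None and now < ts["not_before"]:
        return False
    return now < ts["not_on_or_after"]


def session_bound_exceeds_assertion(assertion_xml: str) -> bool:
    """Flag the pattern the article calls uncommon: SessionNotOnOrAfter later
    than the assertion's own NotOnOrAfter. Worth logging on the SP side."""
    ts = extract_timestamps(assertion_xml)
    return (ts["session_not_on_or_after"] is not None
            and ts["session_not_on_or_after"] > ts["not_on_or_after"])


def compute_session_expiry(assertion_xml: str, now: datetime,
                           sp_max_session_seconds: int = 8 * 3600) -> datetime:
    """Step 2 (Session Expiration Setting): the SP's own timeout may shorten the
    session, but it may never outlive SessionNotOnOrAfter."""
    if not assertion_window_ok(assertion_xml, now):
        raise ValueError("assertion is outside its validity window; reject it")
    ts = extract_timestamps(assertion_xml)
    expiry = now + timedelta(seconds=sp_max_session_seconds)
    if ts["session_not_on_or_after"] is not None:
        expiry = min(expiry, ts["session_not_on_or_after"])
    return expiry


def session_active(expiry: datetime, now: datetime) -> bool:
    """Step 3 (Re-authentication): once 'now' reaches the deadline the SP must
    drop the session and start a fresh SAML authentication request."""
    return now < expiry


if __name__ == "__main__":
    login_time = parse_saml_instant("2026-02-27T14:30:00Z")
    deadline = compute_session_expiry(SAMPLE_ASSERTION, login_time)
    print("session deadline:", deadline.isoformat())
    print("bound exceeds assertion:", session_bound_exceeds_assertion(SAMPLE_ASSERTION))
```

With the sample assertion and a login at 14:30Z, an SP whose default session is 8 hours ends the session at 16:00Z (the SessionNotOnOrAfter value), while an SP with a 1-hour default ends it at 15:30Z; in both cases the assertion itself is rejected outright if it is presented at or after 15:00Z.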

Okta SAML session lifetime configuration

  1. Navigate to Applications > select Specific Application > General > SAML Settings > Edit > Next > Show Advanced Settings > Maximum App Session Lifetime.

  2. Select Send value in response.

  3. Enter the desired value.

  4. Save.

Maximum App Session

Azure Entra ID SAML session lifetime configuration

  1. Navigate to Enterprise Applications > select Specific Application > Security > Conditional access > New Policy > Enable Policy On > Select Session > Enable Sign-in frequency.

  2. Enter the desired value.

  3. Create.

Debug Tools
