Okta Session : How to Set Maximum Session Timeout using APIs

Quite often, an application developer would need a maximum time after which a session should be destroyed irrespective of activity. This is also called the Maximum Session Timeout.

Okta is a popular cloud based Identity and Access Management Platform used as an Identity Provider enabling secure and seamless access to all applications via any device.

As of today, there’s NO setting in the Okta UI to set Maximum Session Time. 

The Session Lifetime setting in the Okta GUI is for Maximum Idle Session Time.

However, there’s an option to do this via APIs using SignOn Policy APIs. 

We can create Policies via APIs or from GUI .. Admin -> Security -> Authentication -> SignOn Policies-> Create Policy -> Create Rules and then update the maxSessionTimeoutInMinutes using API calls as shown in the screenshot.

If you are unaware of how to get started with Okta APIs and/or to setup Postman, please check this link.

Flavors of Mobile Security/SSO for Mobile Web Apps, Native/Hybrid Apps, MAM & MDM

I recently came across quite a few customer use cases which require mobile security/Single-Sign-On (SSO). While it may sound generic, there's a lot more to it.

This post intends to provide some clarity around the various security use cases for mobile apps possible & the high level solution approach using Oracle IDM -

1) Security for Mobile Web Applications (Invoked from a mobile browser)

This is no different from invoking a web application on a desktop or a laptop. Would use Oracle Access Manager(OAM) based SSO alongwith OHS+Webgate.

2) Security for Native/Hybrid mobile applications on personal devices 

(Leveraging existing IDM Platform)

This can be achieved using OAM Mobile & Social Services (OAMMS) which has support for Android and iOS platforms. For other platforms (like Windows) OAM Mobile OAuth Services (along with REST calls) within OAM can be leveraged. Mobile applications implemented using REST and supporting OAuth  makes mobile app security technology agnostic (similar to what SAML does to federation).

Image Courtesy : Oracle PM Team Blog

3) Security for Native/Hybrid mobile applications on corporate owned devices 

(MDM or Mobile Device Management)

This feature is currently not available in the Oracle IDM World, but would be available in Oracle Mobile Security Suite (OMSS) in the upcoming 11gR2 PS3 (11.1.2.3).

4) Security for Native/Hybrid mobile applications on personal devices (BYOD concept) 

(MAM or Mobile Application Management)

This can be implemented using OMSS. The concept uses a Secure Mobile Workspace within the personal device which silos all corporate communications using an App Tunnel. The concept is explained in detailed at my blog on OMSS here.

Image Courtesy : Oracle Document