System Properties related to Authentication Sessions, Cookies, and Login Durations
|Property Name||Description||Default||Value type||Value unit||Since version||Restart required?||Comment|
|auth.lifetime||User authentication duration (time before timeout) in minutes.||30||int||minutes||6.0||No||default 30 min; Jive Cloud sites will have this set to 720 min|
| ||Controls how long users stay logged in when they click "Remember Me" when logging in.||1209600||int||seconds|| ||Yes||default 14 days|
|login.rememberme.disabled||Hide the "remember me" checkbox in login screen.||false||bool||n/a|| ||No|| |
|jive.cookies.secure||Sets the 'secure' attribute for cookies set by Jive.||false||bool||n/a|| ||Yes|| |
|saml.maxAuthenticationAge||SAML SSO - Identifies the maximum session time that's set for the IdP. To avoid login failures, you need to set this to match the maximum session set on the IdP.||28800||int||seconds|| ||Yes||default 8 hours|
Can these settings be changed in Jive Cloud?
No. System properties like these cannot be changed in Jive Cloud sites.
How long am I logged in if I don't click "Remember Me"?
If a user logs in without clicking "Remember Me", their logged-in session lasts only as long as their browser is open. The cookies created to track the session last only while the browser is open.
There is a timeout session value that will log out users who are inactive after a certain period of time. This is auth.lifetime and by default this is set to 30 minutes.
By default, Jive passes a token that persists the user session for 30 minutes from the last request. If you have a specific need to modify this limit (for example, if you need to make your Jive session timeout match the timeout of your identity provider when configuring SSO), you can use the auth.lifetime system property to set a new session timeout period in minutes. Keep in mind that increasing session duration increases security risks such as session hijacking and unattended workstation tampering. You should consult your organization's security team before you modify this value.
How long am I logged in if I click "Remember Me"?
If "Remember Me" is checked on login, the cookie is set to live for 14 days.
This can be adjusted with the following system property:
Controls the time in seconds for the Remember Me tick box. Default is 2 weeks = 1209600, 1 day = 86400. Changing this requires an application restart. For the user, it takes effect after that with a browser restart. Note: the Remember Me functionality will keep a user logged in as long as the token is valid and the user does not log out; this setting will not auto-populate the login form data.
What do I use if I am using SSO?
It is common for customers to adjust the auth.lifetime system property to match the timeout value for the SSO system.
Please note, if a user's Jive session expires while they are still authenticated through their SSO system, then instead of being asked to log in again, they will seamlessly be logged back in. This means that the auth.lifetime value adjustment isn't absolutely required, but it may resolve some issues if you are seeing problems with your SSO users being logged out early.
Here is a complete breakdown of what happens when a user authenticates into Jive using SAML SSO:
When using Jive with SAML SSO, there are two separate authentication contexts that affect whether you're logged in or not:
- The Jive Authentication Context
- Your SSO Session with your IdP.
These contexts are independent of one another. The IdP SSO session is what's used to authenticate users to Jive, whereas the Jive Authentication Context is what actually determines whether or not the user is logged in to the Jive web application. By default, Cloud sites are supposed to have an authentication context lifetime of 12 hours.
This is what's happening when a user logs in to Jive using SAML SSO:
- You go to Jive and log in, which redirects you to your IdP.
  - If you don't have a valid SSO session, then you must provide credentials in your IdP system. The IdP then redirects you back to Jive with a valid assertion.
  - If you do have a valid SSO session, the IdP immediately redirects you back to Jive with a valid assertion.
- Assuming Jive receives the valid assertion, you're automatically authenticated into Jive at this point and logged in.
  - This creates your Jive Authentication Context (based on the auth.lifetime system property).
  - Troubleshooting tip: This assertion can fail if the server time on the Jive instance does not match your SAML SSO IdP server time. Increase your Response Skew if you suspect this is the case.
- After 30 minutes of inactivity (by default), Jive destroys your authentication context.
  - This is expected, and is a built-in security implementation.
- If you refresh or navigate to another page at this point, assuming you still have a valid SSO session with your IdP, you will be re-authenticated with Jive. If you do not have a valid SSO session, you will need to provide credentials in your IdP once more.
  - This step is essentially the beginning of the outlined process.
  - Please note, if you have lost your Jive Authentication while on a page, and you have not yet loaded another page, you may see a red bar error. Simply refresh the page to resolve this.
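The interaction of the two contexts described above, as an added example that is not Jive code: a small Python model showing that under SSO the Jive inactivity timeout alone does not force credentials to be re-entered. The `idp_session_s` value, the outcome labels, and the rule that an assertion older than saml.maxAuthenticationAge is rejected are assumptions used to model the "login failures" the property table warns about.

```python
from dataclasses import dataclass

@dataclass
class Settings:
    auth_lifetime_min: int = 30       # auth.lifetime (default from the table)
    saml_max_auth_age_s: int = 28800  # saml.maxAuthenticationAge (default from the table)
    idp_session_s: int = 28800        # assumed: session length configured on the IdP

def simulate(request_times_s, cfg):
    """Return one outcome per request; times are seconds since the first visit.

    Outcomes (labels are this example's own):
      active         Jive authentication context still valid
      silent-reauth  Jive context expired, IdP session valid, user logged back in
      credentials    no valid IdP session, user must authenticate at the IdP
      login-failure  IdP session valid but older than saml.maxAuthenticationAge
    """
    outcomes = []
    idp_login_at = None   # when credentials were last entered at the IdP
    last_request = None   # last request that left a live Jive context
    for t in request_times_s:
        idle_limit = cfg.auth_lifetime_min * 60
        if last_request is not None and t - last_request <= idle_limit:
            outcomes.append("active")          # sliding window from the last request
        else:
            # Jive context missing or destroyed: the browser is sent to the IdP.
            idp_alive = idp_login_at is not None and t - idp_login_at < cfg.idp_session_s
            if not idp_alive:
                idp_login_at = t               # fresh authentication at the IdP
                outcomes.append("credentials")
            elif t - idp_login_at > cfg.saml_max_auth_age_s:
                outcomes.append("login-failure")  # assumed SP-side age check
                continue                       # no Jive context is created
            else:
                outcomes.append("silent-reauth")
        last_request = t
    return outcomes

if __name__ == "__main__":
    # Constructed timeline: visit, 10 min later, after 1 h idle, after the IdP session ended.
    print(simulate([0, 600, 4200, 30000], Settings()))
    # IdP session (12 h) longer than saml.maxAuthenticationAge (8 h): mismatch case.
    print(simulate([0, 30000], Settings(idp_session_s=43200)))
```

With the defaults, the request after an hour of inactivity is a silent re-authentication, so the window in which an unattended browser can regain a Jive session is bounded by the IdP session, not by auth.lifetime.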