Customize user session options

This topic describes the options available in the Identity Administration portal to customize a user session.

Overview

A session is defined as the period of time during which CyberArk Identity accepts a new log in from the same browser without the user re-entering their credentials. CyberArk Identity administrators can customize the following user session options in CyberArk Identity Authentication Policies:

Descriptions of session options
Session options Description

Session Length

The length of time before a session expires. The default is 12 hours. For example, if the session length is one hour and the user signs in and then closes the browser tab, that user has one hour to access the User Portal (from the same browser and machine) without the need to enter credentials.

If the user is restricted to one concurrent session and closes the browser (not just the tab), the user can't access the tenant until the session expires, or you sign them out. See End all sessions for a specified user for more information.

Maximum hours a user can stay signed in

You can give users the option to stay signed in and define the maximum hours that they can stay signed in. By default, users don't have the option to stay signed in.

Restrict the number of concurrent sessions

To comply with FedRAMP requirements and enhance security, you can restrict the number of concurrent user sessions to CyberArk Identity from one to 10 concurrent sessions. For example, if concurrent sessions are limited to two, a user can access their CyberArk Identity account on a laptop and a mobile device. However, the user is not able to use their account in a third browser instance until one of the active sessions is terminated. If CyberArk Identity is not in control of the login portion of an SP-initiated App launch, then the session is not counted as a concurrent session.

A new session is added to the session count when using the Web App > Policy option, Bypass Login MFA when launching this app, to launch an application without requiring User Portal authentication. This means that each app launch that uses this policy setting is counted as a separate session against the session limit.

If the user is restricted to one concurrent session and closes the browser (not just the tab), the user can't access the tenant until the session expires, or you sign them out. See End all sessions for a specified user for more information.

The default setting, Unlimited, doesn't restrict the number the of sessions allowed.

Administrators can also end all sessions for a user. Refer to End all sessions for a specified user for more information.

The following table details what counts as a session in CyberArk Identity:

Sign in types that count as sessions
Sign in type

Counts as a session

MFA

Yes

Federation (IdP)

Yes (For the federated tenant)

App Launch

No

App Launch with the Policy option,
Bypass Login MFA when launching this app, enabled

Yes

Zero Sign On (ZSO)

No

OTP (One-time passcode, such as those used with an email link)

No

OATH2 Token

No

Cookies

No

Integrated Windows Authentication (IWA)

No

SAML

No

Prerequisites

To make changes to Authentication Policies, verify that you are an Admin user in the System Administrator Role.

Configure user session policy options

The following procedures describe how to make changes to session parameters in the Identity Administration portal> Core Services > Policies > Authentication Policies > CyberArk Identity > Session Parameters.

  1. Log in to the Identity Administration portal
  2. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  3. Click Authentication Policies > CyberArk Identity.
  4. Select Yes in the Enable authentication policy controls drop-down.
  5. Scroll to Session Parameters and enter the number of hours for the session length in the Hours until session expires text box.
  6. Click Save.
  1. Log in to the Identity Administration portal.
  2. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  3. Click Authentication Policies > CyberArk Identity.
  4. Select Yes in the Enable authentication policy controls drop-down.
  5. Scroll to Session Parameters and configure the relevant Keep me Signed In options.
    • Select the Allow “Keep me signed in” checkbox option at log in option if you want users to see the “Keep me signed in” option when they log in to CyberArk Identity.
    • Select the Default “Keep me signed in” checkbox option to enabled option if you want the “Keep me signed in” checkbox enabled by default for users.
    • In the associated text box, enter the maximum number of hours users can stay signed in.

  6. Click Save.

  1. Log in to the Identity Administration portal.
  2. Click Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.
  3. Click Authentication Policies > CyberArk Identity.
  4. Select Yes in the Enable authentication policy controls drop-down.
  5. Scroll to Session Parameters and select the maximum number of allowed concurrent sessions (Unlimited, or 1-10) from the drop-down menu.

  6. Click Save.

End all sessions for a specified user

You can right-click the name of a user on the Users page or select the Actions menu on the account details page to end all sessions for a specific user.

To end all user sessions

  1. Log in to Identity Administration portal

  2. Click Core Services > Users select a user and then click Actions.

    You can also right-click the name of the user on the Users page to display the Actions menu.

  3. From the drop-down menu, click Sign out Everywhere.
  4. Click OK to confirm and sign the user out of all active sessions.