Customize user session options

This topic describes the options available in the Admin Portal to customize a user session.


A session is defined as the period of time during which CyberArk Identity accepts a new log in from the same browser without the user re-entering their credentials. CyberArk Identity administrators can customize the following user session options in the CyberArk Identity Authentication Policies:

Session options Description

Session Length

The length of time before a session expires. The default is 12 hours. For example, if the session length is 1 hour and the user logs in and then closes the browser, that user has 1 hour to access the User Portal (from the same browser and machine) without the need to enter credentials.

Maximum hours a user can stay signed in

You can give users the option to stay signed in and define the maximum hours that they can stay signed in. By default, users do not have the option to stay signed in.

Restrict the number of concurrent sessions

To comply with FedRAMP requirements and enhance security, you can restrict the number of concurrent user sessions to CyberArk Identity from 1 to 10 concurrent sessions. For example, if concurrent sessions are limited to two, a user can access their CyberArk Identity account on a laptop and a mobile device. However, the user is not able to use their account in a third browser instance until one of the active sessions is terminated. If CyberArk Identity is not in control of the login portion of an SP-initiated App launch, then the session is not counted as a concurrent session.

A new session is added to the session count when using the Web App > Policy option, Bypass Login MFA when launching this app, to launch an application without requiring User Portal authentication. This means that each app launch that uses this policy setting is counted as a separate session against the session limit.

The default setting, Unlimited, does not restrict the number the of sessions allowed.

Administrators can also end all sessions for a user. Refer to End all sessions for a specified user for more information.

The following table details what counts as a session in CyberArk Identity:

Login type

Counts as a session


Federation (IdP)


App Launch


App Launch with the Policy option,
Bypass Login MFA when launching this app, enabled

Zero Sign On (ZSO) No

OTP (One-time passcode, such as those used with an email link)


OATH2 Token

Cookies No

Integrated Windows Authentication (IWA)





To make changes to Authentication Policies, verify that you are an Admin user in the System Administrator Role.

Configure user session policy options

The following procedures describe how to make changes to session parameters in the Admin Portal> Core Services > Policies > Authentication Policies > CyberArk Identity > Session Parameters.

End all sessions for a specified user

You can right-click the name of a user on the Users page or select the Actions menu on the account details page to end all sessions for a specific user.

To end all user sessions

  1. Log in to Admin Portal
  2. Click Core Services > Users select a user and then click Actions.

    You can also right-click the name of the user on the Users page to display the Actions menu.

  3. From the drop-down menu, click Sign out Everywhere.
  4. Click OK to confirm and sign the user out of all active sessions.