Hello everyone! I have set up an ActiveDirectoryIdentityProvider. After a while (about 8 hours), the user is prompted to re-enter their login and password. How can I increase this interval? I couldn't find anything related to this in the documentation or CSR.
What else is there to know about this bug?
Hi @hatsnal, the maximum length of a user's session is not configurable at this time.
For OIDCIdentityProvider, you can decrease the length of your users' sessions by changing the lifetime of the refresh tokens that are returned from your OIDC identity provider in its settings for the client that you created for the Pinniped Supervisor to use. But you cannot increase the hardcoded session maximum length of 9 hours at this time. Also, the Supervisor will perform frequent refreshes with the OIDC identity provider for active users during their session, and if the refresh fails then the user's Supervisor session ends immediately, e.g. if the user's account was locked. Group memberships can also be updated during these refreshes. GitHubIdentityProvider works in a similar way.
For LDAPIdentityProvider and ActiveDirectoryIdentityProvider, since there is no concept of a "session" in the LDAP server, the maximum session length always applies and currently cannot be shortened or extended. Also, the Supervisor will perform frequent refreshes during an active user's session with the LDAP or AD server to check if the user's account has been locked, removed, etc., which will cause the user's Supervisor session to end immediately. Group memberships can also be updated during these refreshes.
Note that a user can avoid the username and password prompts by setting their username and password into environment variables. This can be useful for long-running jobs or CI scripts, for example. This will skip the prompts and automatically re-authenticate the user after their session has expired. See https://pinniped.dev/docs/howto/cicd/ for more information about that.
Were you hoping to make the user sessions shorter or longer? We would be interested to learn more about your use case. It would be possible to make the max session length configurable, but we haven't implemented such a feature yet.