grburgos
New Member

Logout user for inactivity


Is there a way to force log out a user who has been inactive on Canvas for over 20 min. when Canvas is configured using AD as authentication?

I understand there is a plugin that can perform this task, but it would only work if Canvas handles the authentication. SSO-based authentications would not work.

0 Kudos
1 Solution
cstrikwerda
Instructure

Hello grburgos, thanks for posting in the Community!

Looking into your question, I am seeing some information regarding an automatic logout:

A common feature of user authentication is an automatic logout. That's done through an expiry claim on the JSON web token (https://tools.ietf.org/html/rfc7519#section-4.1.4). A token that expires has a field "exp" that specifies the date at which it should no longer be processed.

I looked into your authentication and it looks like you are using Microsoft SAML. I looked into that Microsoft SAML token and I am seeing there is a field 'Token Lifetime' in which we can specify an 'exp' which defines the time interval within which a token is valid. From Microsoft Azure, this is the field we would need to look at updating to that twenty-minute time interval after being created. https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-saml-tokens

I looked into this a little bit further and was seeing some documentation regarding configurable token lifetimes in Microsoft Azure: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-...

Underneath the SAML paragraph in that document: 'The default lifetime of the token is 1 hour. The value of NotOnOrAfter can be changed using the AccessTokenLifetime parameter in a TokenLifetimePolicy. It will be set to the lifetime configured in the policy if any, plus a clock skew factor of five minutes.' This would be the same for default Canvas SAML tokens.


As far as a plugin that can update that automatic logout time, there is a plugin in development that can be used to automatically log users out. This is to be used when a school's authentication provider is not able to log users out of the mobile app specifically.

Because this is a feature that we need to turn on in your instance, I would suggest reaching out to your Customer Success Manager about this as they would be the best to help implement this.
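
One way to confirm what lifetime the identity provider is actually issuing after a TokenLifetimePolicy change, added here as an example and not part of the original reply or of any Canvas or Microsoft code: it reads IssueInstant and NotOnOrAfter from a captured SAML assertion and subtracts the five-minute skew quoted above. The sample assertion, its timestamps and the function names are constructed for illustration.

```python
# Added example, not from the thread. Diagnostic only: it does not verify the
# assertion's signature and must not be used to accept logins.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(minutes=5)  # skew factor quoted in the reply above

# Constructed sample: trimmed, unsigned assertion for a 20-minute policy
# (20 min lifetime + 5 min skew = NotOnOrAfter 25 min after IssueInstant).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2024-01-15T09:00:00.000Z">
  <saml:Conditions NotBefore="2024-01-15T09:00:00.000Z"
                   NotOnOrAfter="2024-01-15T09:25:00.000Z"/>
</saml:Assertion>
"""

def parse_ts(value):
    """Parse a UTC xs:dateTime, ignoring fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validity_window(xml_text):
    """Return (IssueInstant, NotBefore, NotOnOrAfter) from an assertion or a response wrapping one."""
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no SAML assertion found")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or "NotOnOrAfter" not in cond.attrib:
        raise ValueError("assertion has no Conditions/NotOnOrAfter")
    issued = parse_ts(assertion.attrib["IssueInstant"])
    not_before = parse_ts(cond.attrib.get("NotBefore", assertion.attrib["IssueInstant"]))
    return issued, not_before, parse_ts(cond.attrib["NotOnOrAfter"])

def configured_lifetime(xml_text):
    """Lifetime implied by the assertion once the clock skew is removed."""
    issued, _, expires = validity_window(xml_text)
    return expires - issued - CLOCK_SKEW

def is_within_window(xml_text, now):
    """True while NotBefore <= now < NotOnOrAfter."""
    _, not_before, expires = validity_window(xml_text)
    return not_before <= now < expires

if __name__ == "__main__":
    print("implied policy lifetime:", configured_lifetime(SAMPLE_ASSERTION))
```

The assertion can be taken from the SAMLResponse form field of a test login after base64-decoding it; an encrypted assertion has to be decrypted first.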

