User Session and Single Sign-On
In an IDR SSO Agent deployment, a user session controls the length of time that a user's authentication to the application portal and applications can apply to other applications in the portal. The user session enables single sign-on to applications in the portal.
A user session starts when the user successfully authenticates to the application portal and ends after the specified session duration or inactivity timeout has expired or the user signs out of the application portal. You specify the session duration and inactivity timeout in the Cloud Administration Console.
A user session applies to the standard and custom application portals and authentication to all applications within the portal. Also, a user session controls the length of time that a user can use HTTP Federation (HFED) and Trusted Headers applications before being prompted to authenticate again. A user session does not apply to bookmark applications and does not control the length of time that a user can use a SAML-enabled application after authentication.
When a user authenticates to the application portal, the user can access all applications assigned to the Allow All Authenticated Users access policy for the session duration or until the user signs out of the application portal.
Within that session, if the user successfully authenticates to an application that requires additional authentication, then the user can access other applications with the same assurance level or lower as the first application without completing additional authentication.
Within that session, if the user accesses an application with a higher assurance level, the user is prompted for the required additional authentication.
When the user signs out of the application portal or the session duration or inactivity timeout expires, the user must re-authenticate to the application portal.
Example
The session duration is 720 minutes (default). The inactivity timeout is 20 minutes (default). The application portal contains three applications with the following details.
| Application | Details |
|---|---|
| Application A | Additional authentication is not required. |
| Application B | Medium assurance level (SecurID Token or Device Biometrics) |
| Application C | Low assurance level (Approve or Authenticate Tokencode) |
- The user authenticates to the application portal. The session duration of 720 minutes starts.
- The user opens Application A in the portal without additional authentication.
- The user authenticates to Application B using SecurID Token instead of Device Biometrics because his Authenticate device is charging.
- The user accesses Application C in the portal. Because the user has authenticated to Application B (with a higher assurance level) within the same session, RSA opens Application C without prompting the user for additional authentication.
- The user does not use the application portal or protected applications for 25 minutes. The user then tries to access Applications A, B, and C in the portal. Because the 20-minute inactivity timeout has expired, RSA displays the portal sign-in page for the user to re-authenticate.
- The user authenticates to the application portal. The session duration of 720 minutes starts again.
Related Articles
Single sign-on with RSA SecurID Access is failing intermittently Number of Views RSA employee sees a Single Sign-On (SSO) error after logging in to the RSA Community website Number of Views How to SecurID-protect OWA using single sign-on (SSO) when OWA is in a cluster Number of Views Additional screen shots for steps configuring Outlook Web Access (OWA) Single-Sign On (SSO) Number of Views XML Parsing Error when attempting SP-initiated Single Sign-On with RSA SecurID Cloud Authentication Service Number of Views
Trending Articles
RSA Authentication Manager 8.9 Release Notes (January 2026) RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Downloading RSA Authentication Manager license files or RSA Software token seed records RSA Release Notes for RSA Authentication Manager 8.8 Deploying RSA Authenticator 6.2.2 for Windows Using DISM
