
Session Management docs are stale?

Open hwinkler opened this issue 1 year ago • 4 comments

Which Cloudflare product does this pertain to?

Zero Trust

Existing documentation URL(s)

https://developers.cloudflare.com/cloudflare-one/identity/users/session-management/

What changes are you suggesting?

https://developers.cloudflare.com/cloudflare-one/identity/users/session-management/#set-global-session-duration and https://developers.cloudflare.com/cloudflare-one/identity/users/session-management/#set-policy-session-duration describe maybe some old version of the app?

Additional information

No response

hwinkler, Feb 04 '24 02:02

Anyway, I can't find how to do those two things.

hwinkler, Feb 04 '24 02:02

Hi @hwinkler, as far as I can tell, the menu items have not changed location. Which step are you getting stuck on?

ranbel, Feb 06 '24 19:02

OK, well, the first of those two links, I got wrong. The correct links are:

https://developers.cloudflare.com/cloudflare-one/identity/users/session-management/#set-application-session-duration and https://developers.cloudflare.com/cloudflare-one/identity/users/session-management/#set-policy-session-duration

The first link says

Set application session duration

_You can set an application session duration ranging from immediate timeout to 1 month. The default is 24 hours._

_In [Zero Trust](https://one.dash.cloudflare.com/), go to Access > Applications._
_Locate the application you want to configure and select Edit._
_In the Overview tab, select a Session Duration from the dropdown menu._

The application token will expire after this period of time (unless you have set a policy session duration).

Here's a screenshot of Access/Applications: image

I see "Configure" as a menu choice, not "Edit".

Clicking Configure takes me to:

image

There is no "Session Duration" setting on this screen.

I won't go through this yet for the second link, because it's arduous obfuscating the screenshots. But the description in the docs is similarly wrong.

Am I missing something?

hwinkler, Feb 06 '24 20:02

Unfortunately the app/policy session duration setting only works for Self-hosted apps, not SaaS apps. You can technically set it via the API, but it may not do what you expect. Access session duration only controls the front door to the SaaS app; it doesn't control how long the user can stay in the SaaS app itself. For example, if the user logs out of the SaaS app and then comes back to it, Access would re-authenticate them without another login. Access only sends a SAML or OIDC response to the SaaS app, and the SaaS app will issue its own authorization cookie. You'll need to refer to the SaaS app documentation to configure session management within the app.

I've opened an internal ticket to add a note about this to the docs.

ranbel, Feb 06 '24 21:02
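An added example, not part of this thread and not Cloudflare's code: a small review script that applies the distinction in the reply above to an application inventory, flagging SaaS apps (where the Access session duration only gates the front door) and self-hosted apps whose Access session exceeds a chosen limit. The JSON field names `type` and `session_duration`, the values `self_hosted` and `saas`, the duration string format, the app names, and the 24-hour limit are assumptions made for the example.

```python
import json
import re

# Constructed sample inventory. Field names and values are assumptions made
# for this example; they are not taken from the thread.
SAMPLE_APPS = json.loads("""
[
  {"name": "internal-wiki", "type": "self_hosted", "session_duration": "24h"},
  {"name": "crm",           "type": "saas",        "session_duration": "30m"},
  {"name": "build-server",  "type": "self_hosted", "session_duration": "720h"},
  {"name": "hr-portal",     "type": "saas"}
]
""")

_UNITS = {"s": 1, "m": 60, "h": 3600}


def duration_seconds(text):
    """Parse strings such as '30m', '24h' or '1h30m' into seconds."""
    parts = re.findall(r"(\d+)([smh])", text)
    # Reject input with anything other than number+unit pairs.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def review_sessions(apps, max_seconds=24 * 3600):
    """Return (name, finding) pairs for apps that need follow-up."""
    findings = []
    for app in apps:
        duration = app.get("session_duration")
        if app.get("type") == "saas":
            # Access only sends the SAML/OIDC response; the SaaS app issues
            # its own cookie, so its lifetime must be set in the app itself.
            findings.append((app["name"], "set session lifetime in the SaaS app"))
        elif duration and duration_seconds(duration) > max_seconds:
            findings.append((app["name"], f"Access session {duration} exceeds limit"))
    return findings


if __name__ == "__main__":
    for name, finding in review_sessions(SAMPLE_APPS):
        print(f"{name}: {finding}")
```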

Addressed in #14571

ranbel, May 21 '24 17:05