HarvardKey Integration Services - Session Timeouts

This guide provides session timeout options for application teams integrating their application with HarvardKey.

Session timeout parameters determine when a user will be required to re-authenticate with HarvardKey. For every application integrated with HarvardKey where Single Logout (SLO) is activated, HarvardKey configures an SSO session timeout so that a single login cannot remain usable indefinitely. Additionally, an application that incorporates SLO may have its own application session timeout. The two are tracked independently: the application session is kept by the application, the SSO session by HarvardKey.

There is one application session timeout parameter and three HarvardKey single sign-on (CAS) session timeout parameters that determine when a user will be required to authenticate:

  • Application session timeout 
  • SSO session timeout
    • A. CAS global hard-timeout 
    • B. CAS global sliding timeout
    • C. Forced Authentication


Application Session Timeout

The application session timeout is configured by the application itself, independently of HarvardKey. If it is set, the application (app) session timeout takes precedence over HarvardKey's single sign-on (SSO) timeout configurations (A, B, C) as long as it is shorter than the corresponding maximum SSO timeout. Assuming the app (CAS client or SAML SP) handles SSO correctly, when a user accesses an app, the app first checks whether the user has a valid app session. If so, the user is allowed into the application without being prompted to log in or re-enter credentials, and HarvardKey is not contacted at all. If there is no valid app session, the app redirects the user to HarvardKey for authentication/authorization; whether HarvardKey then prompts for credentials depends on the state of the SSO session (A, B, C below). Until the app session timeout is reached, the user will never be redirected to HarvardKey for a login.


Example
If the app session timeout is 4 hours (measured as idle time) and a user logged into the app at 12:00 PM and did not interact with the app again until 3:59 PM, their app session is still valid, so no login is required (the app does not redirect the user to HarvardKey to reauthenticate). Because the user interacted with the app before the app session timed out, the idle timer resets, granting them another 4 hours of use before any re-login is required.

 

Single Sign-on (CAS) Session Timeout 

HarvardKey automatically configures two single sign-on (SSO) session timeout parameters for every application: the CAS global hard-timeout and the CAS global sliding window timeout. If you do not wish your application to rely on the SSO session at all, you may request a third option on the HarvardKey Integration Registration form called forced authentication. A description of each parameter can be found below.

 

A. CAS global hard-timeout

This is a fixed time window of 8 hours, measured from the moment the user entered their credentials, and is a global setting for all HarvardKey-protected apps that support SLO. After 8 hours, a user will be required to log in again whether they are actively using an app or not.
 

B. CAS global sliding window timeout (idle session timeout)

This is a sliding window of 2 hours and is also a global setting for all HarvardKey-protected apps. If a user does not use an SSO app for two consecutive hours, they will be required to re-authenticate. If the user uses an SSO app again within two hours, the window resets to a new 2-hour window, up to the time when the 8-hour hard-timeout (A. above) is reached. That means if the user first logs in at 12:00 PM and keeps using SSO apps, the sliding window would allow the SSO session to remain active until 8:00 PM. It cannot be extended beyond 8:00 PM without another login.

C. Forced Authentication

Forced authentication requires users to enter their HarvardKey credentials each time they access your application, regardless of whether a valid SSO session already exists in the browser.
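The interplay of the application session timeout (and its 4-hour example), the two global SSO timeouts (A and B) and forced authentication (C) is easiest to see by simulating one browser over a day. The Python below is an added example, not HarvardKey code: it models the app session as an idle timeout, the SSO session with the 8-hour hard and 2-hour sliding limits, and reports for each request whether the app served it from its own session, HarvardKey re-authenticated the user silently, or the user was prompted for credentials. Two modelling assumptions are marked in the code: the SSO sliding window is refreshed only when an app actually redirects to HarvardKey (activity inside an app whose own session is still valid never reaches HarvardKey), and forced authentication only changes what happens on that redirect. The login time, app names and scenario timelines are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# A. CAS global hard-timeout and B. CAS global sliding (idle) timeout, as on this page.
SSO_HARD_TIMEOUT = timedelta(hours=8)
SSO_SLIDING_TIMEOUT = timedelta(hours=2)
LOGIN_AT = datetime(2024, 1, 1, 12, 0)  # constructed: first login at 12:00 PM


@dataclass
class SsoSession:
    """HarvardKey (CAS) SSO session: one per browser, shared by every app in it."""
    authenticated_at: datetime  # credentials last entered (hard-timeout clock)
    last_used_at: datetime      # HarvardKey last saw this session (sliding clock)

    def deadline(self) -> datetime:
        """Earliest instant at which the SSO session stops being usable."""
        return min(self.authenticated_at + SSO_HARD_TIMEOUT,
                   self.last_used_at + SSO_SLIDING_TIMEOUT)

    def is_valid(self, now: datetime) -> bool:
        return now < self.deadline()


@dataclass
class AppSession:
    """The app's own session, modelled as an idle timeout like the page's 4-hour example."""
    last_activity_at: datetime
    idle_timeout: timedelta

    def is_valid(self, now: datetime) -> bool:
        return now < self.last_activity_at + self.idle_timeout


class Browser:
    """SSO sessions do not cross browsers, so all state hangs off one Browser."""
    def __init__(self) -> None:
        self.sso: Optional[SsoSession] = None
        self.apps: Dict[str, AppSession] = {}


def access(browser: Browser, app: str, app_timeout: timedelta,
           now: datetime, forced_auth: bool = False) -> str:
    """One request to `app`. Returns which mechanism served it:
      'app-session'  app session valid; HarvardKey is never contacted
      'sso-silent'   app redirected to HarvardKey; SSO session valid; no prompt
      'login-prompt' user had to enter credentials; a new SSO session starts
    """
    session = browser.apps.get(app)
    if session is not None and session.is_valid(now):
        session.last_activity_at = now  # app idle timer resets on activity
        return "app-session"
    # No valid app session: the app redirects to HarvardKey.
    sso = browser.sso
    if sso is not None and sso.is_valid(now) and not forced_auth:
        # Assumption: the sliding window is refreshed only when HarvardKey
        # serves a redirect for this session, not by activity inside an app.
        sso.last_used_at = now
        outcome = "sso-silent"
    else:
        # C. Forced authentication (assumed to apply on each redirect) or an
        # expired/missing SSO session: the user is prompted for credentials.
        browser.sso = SsoSession(authenticated_at=now, last_used_at=now)
        outcome = "login-prompt"
    browser.apps[app] = AppSession(last_activity_at=now, idle_timeout=app_timeout)
    return outcome


def run(events: List[Tuple[int, str, int]], forced_auth: bool = False) -> List[str]:
    """events: (minutes after first login, app name, app idle timeout in minutes)."""
    browser = Browser()
    return [access(browser, app, timedelta(minutes=app_min),
                   LOGIN_AT + timedelta(minutes=offset), forced_auth)
            for offset, app, app_min in events]


def sso_deadline_minutes(last_used_min: int) -> int:
    """Minutes after login at which an SSO session last used at +last_used_min ends."""
    sso = SsoSession(LOGIN_AT, LOGIN_AT + timedelta(minutes=last_used_min))
    return int((sso.deadline() - LOGIN_AT).total_seconds()) // 60


# Scenario 1: the page's 4-hour app timeout. The visit at +239 min (3:59 PM) is
# served by the app session although the 2-hour SSO sliding window lapsed at
# 2:00 PM; at +720 min the app session and the 8-hour SSO session are both gone.
SCENARIO_APP_4H = [(0, "appA", 240), (239, "appA", 240), (478, "appA", 240), (720, "appA", 240)]

# Scenario 2: a 30-minute app timeout on two apps sharing one SSO session.
# appB logs in silently at +10; appA's expired session is renewed silently at
# +45; at +175 the sliding window (last refreshed at +45) has lapsed: prompt.
SCENARIO_TWO_APPS = [(0, "appA", 30), (10, "appB", 30), (45, "appA", 30), (175, "appA", 30)]

# Scenario 3: alternating apps every 110 min keep refreshing the sliding
# window until the 8-hour hard-timeout ends the session at +550 min regardless.
SCENARIO_HARD_CAP = [(110 * i, "appA" if i % 2 == 0 else "appB", 30) for i in range(6)]

if __name__ == "__main__":
    print("4h app timeout:", run(SCENARIO_APP_4H))
    print("two apps:      ", run(SCENARIO_TWO_APPS))
    print("hard cap:      ", run(SCENARIO_HARD_CAP))
    print("forced auth:   ", run(SCENARIO_TWO_APPS, forced_auth=True))
    print("SSO last used at 7:00 PM ends at +%d min" % sso_deadline_minutes(420))
```

Scenario 1 reproduces the 3:59 PM example: the request is served by the app session although the SSO sliding window lapsed at 2:00 PM, which is the sense in which an app timeout longer than the SSO timeouts takes precedence, and why the recommendation below is to keep it at or under 8 hours. Scenario 3 shows the sliding window being refreshed every 110 minutes until the hard-timeout ends the session regardless, and sso_deadline_minutes(420) is the page's 12:00 PM login last refreshed at 7:00 PM, which ends at 8:00 PM rather than 9:00 PM.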


Considerations: Sessions Within and Across Browsers

HarvardKey SSO sessions do not cross browsers. In other words, an active session in Firefox would not be active when you open a second browser (e.g., Safari).
If more than one HarvardKey-protected app is opened in different tabs of the same browser, those apps share the same SSO session, and any app's login or logout will affect the other apps' SSO experience.
Some browsers also allow sessions to be isolated with features such as private mode, incognito, or sandboxed session containers; a session opened in such a context is likewise separate from the browser's normal session.

 

Logout Redirection

The HarvardKey logout URL is https://key.harvard.edu/logout.

We recommend that you provide a prominently placed link within your application that allows users to log out of HarvardKey. This logout URL ends the user's SSO session, in effect logging the user out of the entire Harvard authentication system. Note that a logout handled only by your application does not end the SSO session: as long as the SSO session remains within its timeouts, a user who returns to your application (or opens another HarvardKey-protected app) will be signed in again without being asked for credentials.

Provide a logout page link or button in a prominent location in your application (or incorporate a callback to the HarvardKey logout page when implementing a link to your own local logout function) to remind users of the need to log out when finished. Or, if it is important for your application to emphasize the difference between an application-only and Harvard-wide logout, you may wish to provide separate links for logging out of the application and logging out of HarvardKey as a whole.

 

Recommendation: Session Configuration

We recommend that application owners do the following regarding session timeouts: 

  • Configure your application session timeout to not exceed 8 hours, to align with the 8-hour CAS global hard-timeout for HarvardKey; a longer app session would keep a user logged in after their HarvardKey SSO session has ended.
  • Provide a HarvardKey logout page link or button in a prominent location in your application (or incorporate a callback to the HarvardKey logout page when implementing a link to your own local logout function) to encourage users to log out when finished. 

Related Resources