If an auth service has both `disconnect_expired_cert` and `require_session_mfa` enabled, users are consistently kicked out of their sessions after about a minute (across features). The issue is that with per-session MFA we typically issue 1-minute-lived certs per session, which `disconnect_expired_cert` then identifies as expired and boots the user out.
The proposed solution is that some metadata can be added to the MFA cert that contains the original TTL of the user cert that made the request. New sessions using the MFA cert can still be denied based on the MFA cert TTL, but existing sessions can be closed based on the original TTL of the user cert when `disconnect_expired_cert` is enabled and the original TTL of the user cert is present. (credit to @dboslee for this proposal).
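The proposal above, sketched as an added Go example (not Teleport's own code): the issuing side embeds the requesting user cert's expiry in the short-lived MFA cert as an extension, and the disconnect check for established sessions prefers that value over the MFA cert's own `NotAfter`, falling back to `NotAfter` when the metadata is absent or malformed. The extension OID is a hypothetical private-arc value, and the certs are constructed unsigned `x509.Certificate` structs for brevity.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"time"
)

// Hypothetical private-arc OID (an assumption, not a Teleport identifier) for
// an extension carrying the expiry of the user cert that requested the MFA cert.
var oidOriginalExpiry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// newMFACert builds a constructed (unsigned) 1-minute per-session MFA cert and,
// when userCertExpiry is non-zero, embeds that original expiry as an extension.
func newMFACert(now, userCertExpiry time.Time) (*x509.Certificate, error) {
	c := &x509.Certificate{NotBefore: now, NotAfter: now.Add(time.Minute)}
	if userCertExpiry.IsZero() {
		return c, nil // legacy MFA cert without the metadata
	}
	v, err := asn1.Marshal(userCertExpiry.UTC().Format(time.RFC3339))
	if err != nil {
		return nil, err
	}
	c.Extensions = append(c.Extensions, pkix.Extension{Id: oidOriginalExpiry, Value: v})
	return c, nil
}

// existingSessionDeadline is when disconnect_expired_cert should close an
// already established session: the original user cert expiry if the MFA cert
// carries it, otherwise the MFA cert's own NotAfter (today's behaviour).
// Admission of a *new* session still uses cert.NotAfter directly.
func existingSessionDeadline(cert *x509.Certificate) time.Time {
	for _, e := range cert.Extensions {
		if !e.Id.Equal(oidOriginalExpiry) {
			continue
		}
		var s string
		if _, err := asn1.Unmarshal(e.Value, &s); err != nil {
			continue // malformed: fall back to the MFA cert TTL below
		}
		if t, err := time.Parse(time.RFC3339, s); err == nil {
			return t
		}
	}
	return cert.NotAfter
}
```

A real implementation would also need to validate that the embedded expiry is not later than the user cert that signed the MFA request, so the metadata cannot extend a session beyond the original TTL.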