Setting up inactivity timeout with Azure AD B2C

Setting up an inactivity timeout with Azure AD B2C involves configuring session policies to enforce timeouts when users are inactive for a specified period. This ensures that users are logged out automatically after a certain amount of idle time, providing an additional layer of security.

Here’s how you can set up inactivity timeout for Azure AD B2C:

Steps to Configure Inactivity Timeout:

1. Configure Session Timeout in Azure AD B2C Custom Policies

You can define session timeouts within Azure AD B2C custom policies by modifying the TrustFrameworkExtensions.xml file (or relevant policy file if you’re using custom policies).

Key Settings:

  • SessionTimeout: The maximum duration for a user’s session.
  • IdleTimeout: The maximum duration of inactivity before the session expires.

For example, you can add these settings to your TrustFrameworkExtensions.xml file:

<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <OrchestrationStep Order="1" Type="ClaimsExchange">
    ...
    <Metadata>
      <Item Key="SessionTimeout">3600</Item> <!-- Session timeout in seconds (3600 seconds = 1 hour) -->
      <Item Key="IdleTimeout">600</Item>     <!-- Idle timeout in seconds (600 seconds = 10 minutes) -->
    </Metadata>
    ...
  </OrchestrationStep>
</TrustFrameworkPolicy>

This configuration will ensure that the session expires after 1 hour and will automatically log out users after 10 minutes of inactivity.

2. Use Azure AD B2C Session Management Features

Azure AD B2C also lets you configure session management directly in the portal, although custom policies are the more common way to handle it. The token and session duration settings can be configured through:

  1. Access Token Lifetime: This determines how long the access token is valid.
    • Navigate to Azure AD B2C > User Flows or Custom Policies.
    • Under Access Token Lifetime, you can set the token’s expiration time.
  2. Refresh Token Lifetime: Refresh tokens allow users to continue their sessions without having to log in repeatedly, and the lifetime of these tokens can be adjusted.
    • This setting is usually configured under the Token Lifetime settings in Azure AD.
    Set-AzureADPolicy -Id <policy-id> -AccessTokenLifetime <time-period> -RefreshTokenLifetime <time-period>

3. Configuring Session Timeout with Web App (Frontend)

To handle session expiry on the frontend and ensure that users are logged out after inactivity, you can also implement session timeout behavior in your web application.

  1. JavaScript-based Inactivity Timeout: You can track user activity using JavaScript on the client side. Here’s an example that triggers a logout after 10 minutes of inactivity:

    let idleTime = 0; // minutes elapsed since the last user interaction

    window.onload = resetTimer;
    window.onmousemove = resetTimer;
    window.onkeypress = resetTimer;

    function resetTimer() {
      idleTime = 0;
    }

    setInterval(function () {
      idleTime++;
      if (idleTime > 10) { // 10 minutes
        alert('You have been idle for too long. Logging you out.');
        window.location.href = '/logout'; // Redirect to logout page
      }
    }, 60000); // Check every minute
  2. Handling Session Timeout with Azure AD B2C Frontend:
    • On the frontend, once the session is expired or the token has been invalidated (e.g., after idle time), the user can be redirected to the login page or shown a session expiration message.
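As an added example that is not part of the original post, here is a more robust version of the client-side idle tracker: it listens for several interaction events instead of only mouse and key events, keeps a timestamp rather than a minute counter, fires the logout callback exactly once, and takes its clock as a parameter so the logic can be checked without waiting ten real minutes. The `/logout` route and the 10 minute limit are assumptions carried over from the post, not something Azure AD B2C dictates.

```javascript
// Added example (not from the original post): an inactivity tracker whose
// state is driven by injected timestamps, plus optional browser wiring.
// Assumptions (hypothetical): the app exposes a `/logout` route, and the
// idle limit is 10 minutes as in the post.

const IDLE_LIMIT_MS = 10 * 60 * 1000; // 10 minutes
const ACTIVITY_EVENTS = ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'];

// Creates a tracker. `now` returns milliseconds; it defaults to Date.now but
// can be replaced with a fake clock for testing.
function createIdleTracker({ idleLimitMs = IDLE_LIMIT_MS, onIdle, now = Date.now } = {}) {
  let lastActivity = now();
  let expired = false;

  return {
    // Call on any user interaction: resets the idle clock. Activity after the
    // session has already expired does not revive it.
    activity(at = now()) {
      if (expired) return;
      lastActivity = at;
    },
    // Call periodically: fires onIdle once when the limit is reached and
    // returns whether the session is considered idle.
    check(at = now()) {
      if (expired) return true;
      if (at - lastActivity >= idleLimitMs) {
        expired = true;
        if (onIdle) onIdle();
      }
      return expired;
    },
    idleMs(at = now()) {
      return at - lastActivity;
    },
  };
}

// Browser wiring. Guarded so the same file also loads under Node; returns the
// interval handle in a browser and null elsewhere.
function startIdleLogout(tracker, { checkEveryMs = 60 * 1000 } = {}) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return null;
  for (const ev of ACTIVITY_EVENTS) {
    document.addEventListener(ev, () => tracker.activity(), { passive: true });
  }
  return setInterval(() => tracker.check(), checkEveryMs);
}

if (typeof window !== 'undefined') {
  const tracker = createIdleTracker({
    onIdle: () => { window.location.href = '/logout'; }, // hypothetical route
  });
  startIdleLogout(tracker);
}
```

Checking every minute, as the post does, is coarse; the interval can be shortened without changing the tracker, and the `onIdle` callback is where the redirect to the B2C logout endpoint belongs so that the server-side session is ended as well, not only the page.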

4. Implementing Idle Timeout in Azure AD B2C with Web Application (Optional)

If you are integrating your Azure AD B2C with a web application, you can implement an idle timeout mechanism that uses the built-in token expiration from Azure AD B2C, and refresh the token based on activity. This approach will allow your application to be aware of when a user’s session has expired.
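One way to make the application aware of token expiry, as an added example rather than code from the post or from Microsoft: read the `exp` claim of the access token, classify the token as still valid, due for a silent refresh, or expired, and schedule accordingly. The sample token is constructed inline with a placeholder signature; the client reads the claim only to decide when to refresh or sign out, and signature validation remains the resource server's job.

```javascript
// Added example (not from the original post): drive client-side session
// handling from the access token's `exp` claim. Helpers are written to work
// both in browsers and under Node.

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  const bin = atob(b64);
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

// Parses the payload of a compact JWS without verifying it. Never use the
// result for authorization; only for scheduling.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('not a compact JWS (expected header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns 'valid', 'refresh' (renew silently before it lapses) or 'expired'
// (send the user back through sign-in). `nowSec` is injected for testing and
// `skewSec` tolerates clock drift between the client and the issuer.
function classifyToken(token, { nowSec = Math.floor(Date.now() / 1000), skewSec = 60, refreshWindowSec = 300 } = {}) {
  let exp;
  try {
    ({ exp } = decodeJwtPayload(token));
  } catch {
    return 'expired';
  }
  if (!Number.isFinite(exp)) return 'expired'; // no usable exp: do not trust it
  if (nowSec >= exp + skewSec) return 'expired';
  if (nowSec >= exp - refreshWindowSec) return 'refresh';
  return 'valid';
}

// Seconds to wait before attempting a silent refresh (0 if already due).
function secondsUntilRefresh(token, { nowSec = Math.floor(Date.now() / 1000), refreshWindowSec = 300 } = {}) {
  const { exp } = decodeJwtPayload(token);
  return Math.max(0, exp - refreshWindowSec - nowSec);
}

// Constructed sample: header and payload are genuine base64url JSON, the
// signature is a placeholder, so this token would never verify anywhere.
function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = base64UrlEncode(JSON.stringify(payload));
  return `${header}.${body}.FAKE-SIGNATURE-NOT-VERIFIABLE`;
}
```

Tying this to the idle tracker is straightforward: attempt a refresh only while the user is active, and treat a refresh failure or an `expired` classification as the signal to redirect to the logout endpoint.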

5. Testing the Timeout Configuration

  • After making the changes, it’s essential to test the session timeout behavior.
  • Ensure that users are logged out after the configured idle time, and verify that the application prompts users to log in again.

6. Logging Out Users Automatically

To ensure users are logged out after a session expires or after they have been idle for too long, you can configure a session expiration redirect or send the browser to Azure AD B2C’s end-session (logout) endpoint, which also ends the B2C session cookie:

<a href="https://<your-b2c-tenant>.b2clogin.com/<your-tenant-id>/oauth2/v2.0/logout?p=<your-policy-name>&post_logout_redirect_uri=<your-redirect-url>">Logout</a>

This will ensure that users are logged out securely.
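As an added example, not code from the post or from Microsoft, the following builds the logout URL above programmatically and refuses to emit a `post_logout_redirect_uri` that the app has not registered, so the sign-out link can never become a redirect to an unexpected destination. Tenant name, tenant id, policy name and the allowed redirect URI are constructed samples standing in for the `<your-...>` placeholders; `id_token_hint` is an optional parameter the B2C logout endpoint accepts.

```javascript
// Added example (not from the original post): build the Azure AD B2C logout
// URL from configuration and validate the post-logout destination locally.
// All values in B2C_CONFIG are constructed samples.

const B2C_CONFIG = {
  tenantName: 'contoso',                 // <your-b2c-tenant> in the post
  tenantId: 'contoso.onmicrosoft.com',   // <your-tenant-id>; a tenant GUID also works
  policy: 'B2C_1_signin',                // <your-policy-name>
  allowedPostLogoutUris: ['https://app.example.com/signed-out'],
};

// B2C only honours redirect URIs registered on the app; checking here as well
// means the app never even emits a link to an unregistered destination.
function assertAllowedRedirect(uri, allowlist) {
  if (!allowlist.includes(uri)) {
    throw new Error(`post_logout_redirect_uri not registered: ${uri}`);
  }
  if (new URL(uri).protocol !== 'https:') {
    throw new Error('post_logout_redirect_uri must use https');
  }
  return uri;
}

function buildB2cLogoutUrl(cfg, { postLogoutRedirectUri, idTokenHint } = {}) {
  const url = new URL(`https://${cfg.tenantName}.b2clogin.com/${cfg.tenantId}/oauth2/v2.0/logout`);
  url.searchParams.set('p', cfg.policy);
  if (postLogoutRedirectUri) {
    url.searchParams.set(
      'post_logout_redirect_uri',
      assertAllowedRedirect(postLogoutRedirectUri, cfg.allowedPostLogoutUris),
    );
  }
  if (idTokenHint) url.searchParams.set('id_token_hint', idTokenHint);
  return url.toString();
}

// Clears what the app itself holds (assumed here to live in sessionStorage),
// then hands the browser to B2C so the server-side session is ended too.
// Returns the target URL so the behaviour can be checked outside a browser.
function logout(cfg, options = {}) {
  const target = buildB2cLogoutUrl(cfg, options);
  if (typeof sessionStorage !== 'undefined') sessionStorage.clear();
  if (typeof window !== 'undefined') window.location.assign(target);
  return target;
}
```

Using `URL` and `searchParams` rather than string concatenation also guarantees the redirect URI is percent-encoded, which the hand-written anchor in the post leaves to the reader.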


Conclusion

To set up inactivity timeout with Azure AD B2C:

  • Custom Policies: Configure session and idle timeouts via custom policies in TrustFrameworkExtensions.xml.
  • Azure AD Settings: Configure session timeout and token expiration in Azure AD.
  • Client-Side JavaScript: Implement inactivity timeout on the frontend to logout users after idle time.
  • Session Expiry Handling: Properly manage session expiry and redirects to a login page.
