How to Configure SSO Session Management with SAML/OAuth in WordPress?

The miniOrange SSO Session Management addon helps you control how user login sessions work on your WordPress site when using SAML Single Sign-On. It allows you to define session duration, manage inactive users, and apply role-based rules based on your access needs. In this guide, we will walk through the steps to configure session behavior for different use cases.

Follow this step-by-step guide to configure the SSO Session Management add-on with the SAML Single Sign-On (SSO) plugin

miniOrange SSO Session Management add-on lets you control and customize the login session duration for users.

  • Once the add-on is activated, it will appear as a submenu under your miniOrange SSO Plugin.
  • Go to miniOrange >> SSO Session Management.
  • Here you can configure the user’s session management settings, and inactive session management.

    Note: Before configuring the plugin, the default user session time will be 2 days.


  • The Enable Remember Me option lets users stay logged in without having to sign in repeatedly until their session expires. When enabled, the session persists even after the browser is closed, so when users reopen the browser and visit the site, they are automatically logged in without re-entering credentials.
  • This feature can be applied to both SSO and non-SSO users. If enabled for SSO users, all SSO users will have the Remember Me option enabled, and the same applies to non-SSO users.

    Note: If you enable the Remember Me option, all users will have a session time of 14 days, regardless of the role or default time set in the settings below. If it is disabled, the time specified in Default Time or Role Specific Time is used.


  • If you want to offer the Remember Me option only to a specific group of users, enter their roles in Enable Remember Me for specific roles.
    For example, if you want to enable the Remember Me option only for editors and authors, enter these role names in the Enable Remember Me for specific roles field. The Remember Me option will then be applied only to users with the editor and author roles.
  • The Default Time and Time Format settings allow you to define the active session duration in seconds, minutes, hours, or days, based on your preference. Once the Default Time is set, it applies to all users. However, if you have configured a role-specific session time, users assigned to that role will follow the role-specific duration instead.
    For example, if you have set 5 minutes as the Default Time, all users will have a session time of 5 minutes. (Users whose role has a role-specific timeout will get the role-specific session time instead.)
  • Session Based On - This section lets you set the session time for users with specific roles. For example, if you set the session time for the Editor role to 8 days, all users with the Editor role will have an active session time of 8 days, and the remaining roles will follow the default time specified.
  • Support for multiple roles of a User - If a user has multiple roles and you have specified role-specific session times, you can use either the Role Priority or the Highest Session Time option to choose the session time.
    • Role Priority - If you select this option, the session time of the role with maximum capabilities will be considered. So if a user has roles Editor and Administrator then the session time of Administrator role will be assigned to the user.
    • Highest Session Time - When enabled, the user will be assigned the longest session time among all their assigned roles. For example, if a user has Role Administrator with a 5-minute session time and Role Editor with a 20-minute session time, the user will get a 20-minute session.

    Note: If no role-specific session time is set, the Default Time will be used for the session duration.
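
The precedence described in the settings above (Remember Me, then role-specific time, then Default Time, with the two multi-role options) is modelled below as an added example; it is not miniOrange's code. The `$cfg` keys and the explicit role-priority list are hypothetical, and `auth_cookie_expiration` is the WordPress core filter for login cookie lifetime; that the add-on applies its settings through this filter is an assumption.

```php
<?php
// Added illustration, not miniOrange code; the $cfg keys are hypothetical names.
const DAY_SECONDS = 86400;
/** Session lifetime in seconds for a user holding $roles, per the rules above. */
function resolve_session_seconds(array $roles, array $cfg): int
{
    // Remember Me wins: 14 days, optionally limited to the listed roles.
    $only = $cfg['remember_roles'];
    if ($cfg['remember_me'] && (!$only || array_intersect($roles, $only))) {
        return 14 * DAY_SECONDS;
    }
    $timed = array_intersect_key($cfg['role_times'], array_flip($roles));
    if (!$timed) {
        return $cfg['default_time'];          // no role-specific time: Default Time
    }
    if ($cfg['multi_role'] === 'highest_session_time') {
        return max($timed);
    }
    // Role Priority, assumed here to be an explicit list, most capable role first.
    foreach ($cfg['role_priority'] as $role) {
        if (isset($timed[$role])) {
            return $timed[$role];
        }
    }
    return $cfg['default_time'];
}

// Constructed settings matching the guide's Administrator/Editor example.
$cfg = [
    'remember_me'    => false,
    'remember_roles' => [],
    'default_time'   => 2 * DAY_SECONDS,
    'role_times'     => ['administrator' => 5 * 60, 'editor' => 20 * 60],
    'multi_role'     => 'role_priority',
    'role_priority'  => ['administrator', 'editor', 'author', 'contributor', 'subscriber'],
];
if (function_exists('add_filter')) {
    // Inside WordPress: log the lifetime core is about to apply; leave it unchanged.
    add_filter('auth_cookie_expiration', function ($length, $user_id, $remember) use ($cfg) {
        $user = get_userdata($user_id);
        $want = $user ? resolve_session_seconds($user->roles, $cfg) : 'n/a';
        error_log("session audit: user=$user_id applied={$length}s expected={$want}");
        return $length;
    }, PHP_INT_MAX, 3);
} else {
    foreach (['role_priority', 'highest_session_time'] as $mode) {  // stand-alone run
        echo "$mode: " . resolve_session_seconds(['editor', 'administrator'], ['multi_role' => $mode] + $cfg) . "s\n";
    }
}
```

Run from the command line it prints the lifetime for an Editor plus Administrator user under both multi-role options; loaded inside WordPress with `$cfg` set to your own values, it only logs the applied lifetime next to the expected one so the configured timeout can be checked.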


    Inactive Session Management:

    The miniOrange SSO Session Management add-on can monitor users and warn them if they are inactive for a certain period of time. The allowed inactive time can be set in the Inactive Session Management tab. To configure monitoring of inactive users, use the settings below:


    • Enable Session Inactivity Management - Enabling this option will start inactivity management. So whenever users are inactive for a specified period of time, they will see a warning notification as their session is about to end.
    • Idle Timeout - This setting specifies how long a user can be idle before the session is terminated. Set the Idle Timeout in seconds. For example, if the Idle Timeout is 1800 seconds, users who are inactive for 30 minutes will be logged out.
    • Warning Time - Warning Time defines how long before the session ends due to inactivity the user is alerted. The inactivity warning is displayed before the session ends. For example, if the Warning Time is set to 5 minutes, the user will receive a warning 5 minutes before the session ends.
    • Session Timeout Message - This message will be shown to the user when they remain inactive for the duration specified in the Idle Timeout setting. You can set this message however you like to notify the user that their session will be terminated due to inactivity.
    • Extend Button - The inactivity warning will have an extend button which extends the user’s available session time when clicked. The extended time can be set using the Extend Time option. Additionally, you can change the text of the extend button.

      Note: If the user extends the session time after inactivity, the user will be logged out after the time set in Extend Time, even if the user is active.


    • After the Idle Timeout is reached the user will be logged out and shown a Session Expired Message which can be configured along with the Login button text.

Follow this step-by-step guide to configure the SSO Session Management add-on with the OAuth Client Single Sign-On (SSO) plugin

miniOrange SSO Session Management add-on can be used to modify the login session time of your users when they perform SSO into your site.

  • Go to miniOrange SSO Session Management and enable the Remember Me checkbox if you want to manage your users' session time. You can now configure the user session time as needed.
  • If you want all your users to have the same session time regardless of their roles, you can enter the default time for your users in the input field of Enter Default Time and choose the interval from the Choose interval dropdown and click on the Save button.
  • After you perform SSO on your site and visit it again, you stay logged in until the time you set ends.
  • If you want to set session times based on role but a user has more than one role, you can choose how the session time is determined using the following 2 options.
    • Role Priority - If you select this option, the session time for users with multiple roles is determined by Role Priority. You can add the time according to the user's role.
      For example, if the SSO user has multiple roles such as Contributor and Subscriber, the session time is determined by the highest-priority role (in this case, Contributor).
    • Highest Session Time - If you select this option, the session time of the role with the highest session time is used.
      For example, consider the Contributor and Subscriber roles. If the Subscriber role has a higher session time than the Contributor role, the Subscriber session time is assigned to the SSO user.

Once configured, the session management settings will apply consistently, ensuring secure and reliable user access across the site. This results in a successful and smooth login experience for all users. If you have questions or need assistance with a specific use case, please contact us at wordpressteam@xecurify.com.



