Kibana session keepalive when using SAML

I’m using Kibana with SAML authentication.
For some reason, when the user logs in, I get a security_authentication cookie in my browser, but the expiry time is set to 1h from the login time.
This means that 1h after I logged in, regardless of whether I used Kibana in between, my session expires.
Is there any way to have this cookie’s expiration updated on every request?
If I’m actively using Kibana (or using automatic refreshes), I would expect my session not to expire.

Looking at Saml.js in opendistro-for-elasticsearch/security-kibana-plugin on GitHub (at commit 88f7dd343e53fabc466f92b90a9165db105d9b7b), I can see the following:

        if (tokenPayload.exp) {
            // The token's exp value trumps the config setting
            this.sessionKeepAlive = false;
            session.exp = parseInt(tokenPayload.exp, 10);
        } else if(this.sessionTTL) {
            session.expiryTime = Date.now() + this.sessionTTL
        }

but regardless of which settings I use I don’t get my cookie extended.
Also, looking at the Search Guard documentation on Kibana authentication (which I believe is the base for this plugin), it mentions:

searchguard.session.keepalive: boolean, if set to true the session lifetime is extended by searchguard.session.ttl upon each request. Default: true

Has anybody been able to set up keepalive so every new request refreshes the security cookie?
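
The branch quoted in the question, modelled as an added example (not the plugin's code and not part of the original post): it shows why a token that carries `exp` gives an absolute one-hour session while a token without it slides with activity. `createSession`, `touch`, `isExpired` and `simulate` are hypothetical names, and the per-request extension in `touch` is an assumption based on the keepalive description quoted above.

```javascript
// Simplified model of the quoted branch; all names here are hypothetical.
const HOUR_MS = 60 * 60 * 1000;

function createSession(tokenPayload, config, nowMs) {
  const session = {};
  let keepAlive = config.keepAlive;
  if (tokenPayload.exp) {
    // Same rule as the quoted snippet: the token's exp wins and
    // keepalive is switched off, so the lifetime becomes absolute.
    keepAlive = false;
    session.exp = parseInt(tokenPayload.exp, 10); // JWT exp: seconds since epoch
  } else if (config.ttlMs) {
    session.expiryTime = nowMs + config.ttlMs; // milliseconds
  }
  return { session, keepAlive };
}

// Assumed per-request behaviour, following the documented keepalive
// description: extend the lifetime by the TTL on each request.
function touch(state, config, nowMs) {
  if (state.keepAlive && state.session.expiryTime !== undefined) {
    state.session.expiryTime = nowMs + config.ttlMs;
  }
}

function isExpired(state, nowMs) {
  const { exp, expiryTime } = state.session;
  if (exp !== undefined) return nowMs >= exp * 1000;
  if (expiryTime !== undefined) return nowMs >= expiryTime;
  return false;
}

// Constructed scenario: log in at t0, send a request every 10 minutes
// for 90 minutes, and report when (if ever) the session expires.
function simulate(tokenPayload) {
  const config = { keepAlive: true, ttlMs: HOUR_MS };
  const t0 = 1700000000000; // constructed login timestamp (ms)
  const state = createSession(tokenPayload, config, t0);
  for (let t = t0; t <= t0 + 1.5 * HOUR_MS; t += 10 * 60 * 1000) {
    if (isExpired(state, t)) return { expiredAfterMin: (t - t0) / 60000 };
    touch(state, config, t);
  }
  return { expiredAfterMin: null };
}

console.log(simulate({ exp: String(1700000000 + 3600) })); // token carries exp
console.log(simulate({}));                                  // token has no exp
```

In this model the only way to get a sliding session is for the token to arrive without `exp`, or for the issued expiry itself to be lengthened.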

Haven’t tried it myself yet but this is probably related to https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/issues/159.

The post states that you have to add

...
          config:
            jwt:
              expiry: AUTO+1440

to the config.yml

Regards
Clifford

@horacimacias Did you get this resolved? If not, which version of ODFE are you using?

@horacimacias were you able to solve this?

This strategy of explicitly setting config.jwt.expiry in the security plugin’s config.yml does NOT work for openid_auth_domain and Okta. No combination of AUTO or NOW has any effect; the resulting session is always 60min.