Lower SAML SSO session expiry to one day

bcd3b636 · Drew Blessing · Drew Blessing · be2916d7 · bcd3b636 · bcd3b636
Commit bcd3b636 authored Feb 16, 2021 by Drew Blessing Committed by Drew Blessing Feb 16, 2021
3 changed files
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -87,7 +87,7 @@ Please note that the certificate [fingerprint algorithm](#additional-providers-a
 With this option enabled, users must go through your group's GitLab single sign-on URL. They may also be added via SCIM, if configured. Users can't be added manually, and may only access project/group resources via the UI by signing in through the SSO URL.

 However, users are not prompted to sign in through SSO on each visit. GitLab checks whether a user
-has authenticated through SSO. If it's been more than 7 days since the last sign-in, GitLab
+has authenticated through SSO. If it's been more than 1 day since the last sign-in, GitLab
 prompts the user to sign in again through SSO.
 You can see more information about how long a session is valid in our [user profile documentation](../../profile/#why-do-i-keep-getting-signed-out).


--- a/ee/changelogs/unreleased/dblessing_saml_sso_expiry_one_day.yml
+++ b/ee/changelogs/unreleased/dblessing_saml_sso_expiry_one_day.yml
+---
+title: Lower SAML SSO session expiry to one day
+merge_request: 54374
+author:
+type: changed
--- a/ee/lib/gitlab/auth/group_saml/sso_enforcer.rb
+++ b/ee/lib/gitlab/auth/group_saml/sso_enforcer.rb
@@ -4,7 +4,7 @@ module Gitlab
  module Auth
    module GroupSaml
      class SsoEnforcer
-        DEFAULT_SESSION_TIMEOUT = 7.days
+        DEFAULT_SESSION_TIMEOUT = 1.day

        attr_reader :saml_provider