Canary Admin Timeout
Hello,
I have observed that Canary Admin logs you off after "some period" (unable to determine it). Is there a setting that can be configured to logoff Canary Admin users (e.g., configurators, administrators)? Unable to find that in the documentation or the system.
Thanks
5 replies
-
Are you guys using OpenID Connect for auth? I'm told their working it. There's currently no where for them to cache the session. It might even be the next release. I opened https://helpcenter.canarylabs.com/t/h7yfc69/cache-oidc-credentials-in-admin-tool a bit ago to track it. If this is completely not what you're talking about, sorry!
-
Hey as of now we're using AD authentication without a provider (based on the server users - we're still on trial/dev mode on our end). We're actually looking at connecting to an Azure provider soon, so I'll see what this can provide.
The same way that Axion has a global timeout (How to Configure a Global Inactive Timeout Setting for Axiom Sessions (version 25) - General - Canary Community) I was looking for something similar but in Canary Admin.
-
gotcha. Then sorry, I've got no insight for you. I've had mixed experience there. I've got instances where I never get logged out, and some where it will log me out as you experience. The best experience I've seen is if Kerberos is the only auth method allowed, then it just logs you right in and usually stays logged in. Not sure if that's an option.
-
Thanks. Maybe can shed some light here?
-
So the global timeout for Axiom was first introduced before we had unlimited Axiom clients because users would leave their session running which would consume a seat. That's not as relevant anymore. There is no such configurable setting for the Admin. After 30 minutes of inactivity, the Admin will timeout.
Now...depending on the amount of time that has surpassed since the user initially opened the Admin, when they attempt to log back in, and the screen they were sitting on when it went inactive will determine if they would get prompted to re-authenticate.
When you initially open the Admin a cookie is cached which lasts 50 minutes. At the same time, an internal session token is created. The token has a 20 minute timeout. If no calls are made to the Identity service within 20 minutes, it will expire. It depends on the screen(s) the user is looking at. For example, just sitting on the Home screen, calls will still be made to the Identity service because it is requesting data to update certain tiles.
Both the cookie and token need to be active in order to bypass the authentication piece. The cookie will expire after 50 minutes, regardless of activity. So whether you manually close the admin or it times out from inactivity, the user would have to re-authenticate.
In 's case, he's only using Kerberos, so it's logging him back in automatically without having to go through the login screen. If you're using Windows AD, you would have to put your credentials in again.
Hope this helpful!
-
Print this page