releases.shpreview

Federated sessions now respect IdP expiry

1 featureThis release1 featureNew capabilitiesAI-tallied from the release notes
From the original release noteView original ↗

Auth0 now supports the session_expiry claim for Okta and OIDC-based Enterprise connections, in alignment with the IPSIE SL1 profile. When your upstream identity provider includes a session_expiry value in the ID token, Auth0 uses it to enforce the ceiling on the Auth0 session lifetime — evaluated as the minimum of the IdP claim, your tenant's absolute session expiration, and any expiry set via Actions.

This closes a real gap in federated sessions: when a federated user's access expires at their IdP, their Auth0 session terminates accordingly — no stale sessions, no residual access. Enable it on any Okta/OIDC Enterprise connection via the Dashboard or Management API. For end-to-end enforcement down to your downstream applications, deploy a Post-Login Action to inject the final session_expiry value as a custom claim in the Auth0-issued ID token.

Note: Supported on Okta/OIDC Enterprise connections only. SAML connections are not supported. This feature implements the evolving IPSIE SL1 open standard.

See the product documentation

Fetched July 8, 2026