Federated sessions now respect IdP expiry
Auth0 now supports the session_expiry claim for Okta and OIDC-based Enterprise connections, in alignment with the IPSIE SL1 profile. When your upstream identity provider includes a session_expiry value in the ID token, Auth0 uses it to enforce the ceiling on the Auth0 session lifetime — evaluated as the minimum of the IdP claim, your tenant's absolute session expiration, and any expiry set via Actions.
This closes a real gap in federated sessions: when a federated user's access expires at their IdP, their Auth0 session terminates accordingly — no stale sessions, no residual access. Enable it on any Okta/OIDC Enterprise connection via the Dashboard or Management API. For end-to-end enforcement down to your downstream applications, deploy a Post-Login Action to inject the final session_expiry value as a custom claim in the Auth0-issued ID token.
Note: Supported on Okta/OIDC Enterprise connections only. SAML connections are not supported. This feature implements the evolving IPSIE SL1 open standard.
See the product documentation
Fetched July 8, 2026
