We’re opening a public beta so G Suite, Google Cloud Platform (GCP), and Cloud Identity admins can set a fixed session duration for specific apps and services. After the session expires, users will need to re-enter their login credentials to continue to access:
Settings can be customized for specific organizational units.
Note that this is designed to work on the web. However, the settings will apply to authentication on all platforms, including the web and mobile apps where they exist. As a result, affected mobile apps may not work properly when the feature is enabled.
Why you’d use it
Many apps and services include sensitive data, and it’s important that only specific users can access that information. By requiring re-authentication, you can make it more difficult for the wrong people to obtain that data if they gain unauthorized access to a device.
How to get started
- Admins: Find session length controls at Admin console > Security > Google Cloud session control (Beta). See our Help Center to learn more about how to set session length for Google Cloud services.
- End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow.
Third-party SAML identity providers and session length controls
If your organization uses a third-party SAML-based identity provider, the cloud sessions will expire, but the user may be transparently reauthenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that the user is rechallenged for authentication, be sure to match the session timeout at the IdP with the session length you’d like to enforce.
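The interaction described above, as an added example that is not part of the original announcement: a toy timeline model showing when a user is actually asked for credentials. The function names are hypothetical, and it assumes the IdP session has a fixed lifetime that starts at each credential prompt and that the user returns to Google the moment a session expires.

```python
# Toy model (added example): a fixed-length Google session in front of a SAML IdP.
# Assumptions: the IdP session has a fixed lifetime starting at each credential
# prompt, and the user comes back to Google as soon as a Google session expires.

def reauth_events(google_hours, idp_hours, horizon_hours):
    """Return [(hour, kind)] for every Google session expiry before the horizon.

    kind is "prompt" when the IdP session has lapsed and the user must present
    credentials, or "silent" when the IdP still holds a valid session and
    returns an assertion without challenging the user.
    """
    events = []
    idp_expiry = idp_hours      # user signed in at the IdP at hour 0
    t = google_hours            # first Google session expiry
    while t < horizon_hours:
        if t < idp_expiry:
            events.append((t, "silent"))
        else:
            # Expiry at the exact same instant counts as lapsed (model choice).
            events.append((t, "prompt"))
            idp_expiry = t + idp_hours
        t += google_hours       # fixed duration: activity never extends it
    return events


def longest_unchallenged_stretch(google_hours, idp_hours, horizon_hours):
    """Longest number of hours between two credential prompts."""
    prompts = [0]
    prompts += [t for t, kind in reauth_events(google_hours, idp_hours, horizon_hours)
                if kind == "prompt"]
    prompts.append(horizon_hours)
    return max(later - earlier for earlier, later in zip(prompts, prompts[1:]))


if __name__ == "__main__":
    # Constructed sample settings: (Google session hours, IdP session hours).
    for google, idp in [(8, 24), (8, 12), (8, 8)]:
        stretch = longest_unchallenged_stretch(google, idp, 48)
        print(f"Google={google}h IdP={idp}h -> up to {stretch}h without a prompt")
        for hour, kind in reauth_events(google, idp, 48):
            print(f"  hour {hour:2d}: {kind}")
```

In this model an 8-hour Google session behind a 12-hour IdP session yields a credential prompt only every 16 hours, because the challenge happens at the first Google expiry after the IdP session has lapsed.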
Provides fixed-time controls (not activity-based)
Note that the new session control is a fixed time limit—it does not look for session activity, or ‘idle time’. At this time, Google Cloud and G Suite do not support activity-based session expiry.
When choosing a session length, admins will be able to choose:
- Between a range of predefined session lengths, or set a custom session length.
- Whether users need regular login credentials (password and, if configured, 2-Step Verification), or require a security key to re-authenticate.
- Rapid Release domains: Gradual rollout (up to 15 days for feature visibility) starting on September 16, 2019
- Scheduled Release domains: Gradual rollout (up to 15 days for feature visibility) starting on September 16, 2019
Available to all G Suite and Cloud Identity editions
On/off by default?
This feature will be OFF by default and can be enabled at the OU level.