When users are inactive for a certain period of time, Pega Platform requires users to reauthenticate by entering their login credentials. The browser session cannot resume until the login and password are accepted. Requiring reauthentication helps prevent a malicious or unauthorized user from hijacking the browser session. However, if reauthentication fails or is canceled, some or all of the data on the screen might continue to be displayed.
Authentication time-out is the length of time between when user activity in a browser session ceases and Pega Platform requires reauthentication. The expired browser session is still displayed during this time.
Authentication time-out configuration
You configure authentication time-out on the Advanced tab of each Access Group form. For more information, see Learning about access groups.
Configure the authentication time-out according to your organization's security policies. Make sure that the authentication time-out is consistent with your organization’s policy so that you can set how long a user’s browser session can be idle before it requires reauthentication.
If your organization uses a custom authentication scheme such as single sign-on (SSO), the session time-out might be handled outside Pega Platform. In this case, compare the internal settings to the external settings. Determine the authentication time-out of your custom authentication scheme and verify that the Pega Platformauthentication time-out is consistent with the external time-outs.
If authentication is handled by an external system, you can turn off the Pega Platform authentication time-out feature by leaving the authentication time-out entry blank on the Advanced tab of the Access Group form.
You also can set a warning message that is displayed to the user whose session is about to expire. The user’s response to this message resets the user activity timer. The response to the warning renders the browser session no longer idle. To customize the message, update the localized value for the field value rule that has a field value equal to TimeoutWarning and a field name equal to pyMessageLabel.