
Authentication time-out

Updated on March 15, 2022

When users are inactive for a certain period of time, Pega Platform requires users to reauthenticate by entering their login credentials. The browser session cannot resume until the login and password are accepted. Requiring reauthentication helps prevent a malicious or unauthorized user from hijacking the browser session. However, if reauthentication fails or is canceled, some or all of the data on the screen might continue to be displayed.

Authentication time-out is the length of time between when user activity in a browser session ceases and Pega Platform requires reauthentication. The expired browser session is still displayed during this time.

Authentication time-out configuration

You configure authentication time-out on the Advanced tab of each Access Group form. For more information, see Learning about access groups.

Configure the authentication time-out according to your organization's security policies, so that the length of time a user's browser session can remain idle before reauthentication is required matches what the policy allows.

If your organization uses a custom authentication scheme such as single sign-on (SSO), the session time-out might be handled outside Pega Platform. In this case, compare the internal settings to the external settings: determine the authentication time-out of your custom authentication scheme and verify that the Pega Platform authentication time-out is consistent with the external time-outs.

If authentication is handled by an external system, you can turn off the Pega Platform authentication time-out feature by leaving the authentication time-out entry blank on the Advanced tab of the Access Group form.
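As an added example that is not part of the Pega documentation, the following Python audit encodes the consistency checks described above for a list of access groups. The record fields, the sample data, and the rules themselves (a blank time-out is only acceptable when an external scheme enforces one; the Pega value should not exceed the external one; the effective time-out must stay within the organizational maximum) are assumptions, not Pega APIs or settings.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed record describing one Access Group (assumed field names, not a Pega API).
@dataclass
class AccessGroupTimeout:
    name: str
    pega_timeout_min: Optional[int]      # Advanced tab value; None = entry left blank
    external_timeout_min: Optional[int]  # idle time-out of the SSO/custom scheme; None = none in use

def effective_timeout(ag: AccessGroupTimeout) -> Optional[int]:
    """Idle minutes after which some layer forces reauthentication (None = never)."""
    values = [v for v in (ag.pega_timeout_min, ag.external_timeout_min) if v is not None]
    return min(values) if values else None

def audit_timeout(ag: AccessGroupTimeout, policy_max_idle_min: int) -> list:
    """Return findings for one access group (rules are assumptions modelled on the text)."""
    findings = []
    eff = effective_timeout(ag)
    if eff is None:
        # Neither Pega nor an external scheme will ever require reauthentication.
        findings.append("no authentication time-out configured at any layer")
        return findings
    if (ag.external_timeout_min is not None and ag.pega_timeout_min is not None
            and ag.pega_timeout_min > ag.external_timeout_min):
        # The external session can expire while the Pega timer is still running.
        findings.append(f"Pega time-out {ag.pega_timeout_min} min exceeds "
                        f"external time-out {ag.external_timeout_min} min")
    if eff > policy_max_idle_min:
        findings.append(f"effective time-out {eff} min exceeds policy maximum "
                        f"{policy_max_idle_min} min")
    return findings

def audit_all(groups, policy_max_idle_min: int) -> dict:
    return {ag.name: audit_timeout(ag, policy_max_idle_min) for ag in groups}

# Constructed sample data; names and values are invented for illustration.
SAMPLE_GROUPS = [
    AccessGroupTimeout("Agents:Default", 30, None),   # Pega handles auth, within policy
    AccessGroupTimeout("Managers:SSO", None, 20),     # blank in Pega, SSO enforces 20 min
    AccessGroupTimeout("Admins:SSO", 60, 45),         # longer than SSO and than policy
    AccessGroupTimeout("Guests:Default", None, None), # no time-out anywhere
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_GROUPS, 30).items():
        print(name, findings or "OK")
```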

You can also set a warning message that is displayed to a user whose session is about to expire. The user's response to this message resets the user activity timer, so the browser session is no longer considered idle. To customize the message, update the localized value of the field value rule whose field value is TimeoutWarning and whose field name is pyMessageLabel.

