Start a conversation Sign in
Start a conversation
  1. Influitive Support
  2. Influitive Articles
  3. Articles

Influitive SSO: Why Former Users May Retain Hub Access and How to Enforce Session Timeouts

Table of Contents

Overview

Former users may continue accessing parts of an Influitive hub for an extended period after being disabled in your SSO Identity Provider (IdP), appearing “as if their cookies never expired,” because they are not being forced to re-authenticate.

This occurs because Influitive’s “session timeout” setting applies only to the Discussions area (/forum/) and does not control session longevity for the rest of the Influitive instance. To enforce hub-wide session lifetime in an SSO environment, session controls must be configured in your IdP.

Solution

Issue

Former users may still be able to access parts of an Influitive hub for an extended period after being disabled in your SSO IdP because they are not being forced to re-authenticate.

Reported symptom (verbatim)

  • “Former clients are able to access the hub months after their SSO access has been disabled… it’s as if their cookies never expired.”

No specific on-screen error text is required to identify this behavior. The expected behavior is that once the user is forced through SSO again, authentication should fail at the IdP and the user should not regain access.

Key concept: Influitive “session timeout” vs. SSO (IdP) session lifetime

1) Influitive Discussions-only timeout

Influitive has a “session timeout” configuration for the Discussions area only:

  • Affects: https://your_instance.domain.com/forum/
  • Does not affect: other areas of the Influitive instance outside /forum/

You can review this setting here:

  • https://your_instance.domain.com/forum/admin/site_settings/category/login

This setting is useful for expiring sessions in Discussions, but it will not, by itself, ensure that users must re-authenticate via SSO to access the rest of the hub.

2) SSO session enforcement must be done at your IdP

If you use SSO, the effective “how long can someone stay signed in” behavior for the overall hub experience must be enforced by your Identity Provider (IdP) (for example, https://your_idp.domain.com).

Influitive honors whatever session timeout rules your IdP applies to the Influitive application (idle timeout, maximum session lifetime, re-authentication requirements, etc.).

Resolution / Mitigation (SSO environments)

Step 1 — Confirm offboarding state (diagnostic)

For any impacted user, determine:

  • Is the user disabled in the IdP only?
  • Is the user also locked/deactivated in Influitive?

If the Influitive account remains active, the user may continue accessing the hub until they are forced to re-authenticate through SSO (depending on IdP/session behavior).

Step 2 — Enforce session timeout in your IdP (primary control)

In your IdP configuration for the Influitive SSO application:

  1. Set an appropriate idle session timeout (forces re-authentication after inactivity).
  2. Set an appropriate maximum session lifetime (forces re-authentication even if the user remains active).
  3. Ensure the policy applies to the Influitive application and the user populations that access it.

This is the control that prevents “months-long” access because it forces periodic re-authentication; once re-authentication is required, SSO-disabled users cannot authenticate.

Step 3 — Lock/deactivate Influitive users during offboarding (recommended)

To immediately remove access when a customer is termed or a user should no longer have access:

  1. Lock or deactivate the user in Influitive as part of your offboarding process (manual or automated).
  2. Keep IdP disabling in place as a second layer of enforcement.

This ensures that even if the IdP session were still valid on a device, the user’s Influitive account status also prevents continued access once re-authentication occurs.

Important behavior boundary: No engineering fix is required for this scenario. This is expected product behavior based on configuration scope (Discussions-only timeout vs. full-instance SSO session control).

Validation

  1. In a test environment (or with a test user), sign in via SSO and access:
    • Discussions (/forum/)
    • A non-Discussions area of the hub (any page outside /forum/)
  2. Wait beyond the IdP session timeout you configured (idle and/or maximum lifetime).
  3. Verify the user is forced to re-authenticate via SSO.
  4. Disable the test user in the IdP (and/or lock in Influitive), then repeat the prior step:
    • Confirm re-authentication fails and the user cannot regain access.

If users are still not being forced to re-authenticate after the IdP timeout, review IdP policy assignment, application session settings, and whether the IdP is actually enforcing timeouts for that specific application.

Frequently Asked Questions

1. How can I tell if I’m experiencing this same issue?
If users can still browse the hub long after they were disabled in your SSO IdP—and they are not being redirected to re-authenticate—your IdP session lifetime is likely allowing continued access, and Influitive’s Discussions-only session timeout will not change that for non-/forum/ pages.
2. Where is Influitive’s “session timeout” setting, and what does it actually affect?
It’s in the Discussions admin settings: https://your_instance.domain.com/forum/admin/site_settings/category/login. It applies only to the Discussions area (/forum/) and does not control session lifetime for the rest of the Influitive instance.
3. What’s the correct way to force all users to log in again after a set time in an SSO setup?
Configure the session timeout at your Identity Provider (IdP) for the Influitive SSO application (idle timeout and/or max session lifetime). Influitive honors the IdP’s session enforcement.
4. What should I do to ensure terminated users lose access immediately?
Disable the user in your IdP and also lock/deactivate the user in Influitive as part of offboarding. The IdP timeout forces re-authentication; disabling/locking prevents successful sign-in when that re-authentication occurs.
5. What if users still seem to stay logged in even after changing IdP timeouts?
Confirm the IdP policy is applied to the specific Influitive application integration, confirm both idle and maximum session lifetime settings, and validate by testing with a fresh browser session. If behavior persists, capture timestamps and test steps and contact support with the IdP timeout values and the affected URLs (use placeholders like your_instance.domain.com).
Choose files or drag and drop files
ai_initiated
atlas_studio
kb_automation
Was this article helpful?
Yes
No

  1. Priyanka Bhotika

  2. Posted

Comments