To further improve security for our customers, we are changing the default session length to 16 hours for existing Google Cloud customers. Note that this update refers to managing user connections to Google Cloud services (e.g. Google Cloud console), not connections to Google services (e.g. Gmail on the web).
For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. See below for more information.
Admins, end users, and developers
Why you’d use it
Many apps and services can access sensitive data or perform sensitive actions. Because of this, managing session length is foundational to cloud security and compliance. It ensures that access to the Google Cloud Platform is finite after a successful authentication, which helps deter bad actors should they gain access to credentials or devices.
Google Cloud session controls
For existing customers who have session length configured to Never Expire, we are updating the session length to 16 hours. This ensures customers do not mistakenly grant infinite session length to users or apps using OAuth user scopes. After the session expires, users will need to re-enter their login credentials to continue their access. This impacts the following:
- Google Cloud Console
- gcloud command-line tool
- Any other app that requires Google Cloud scopes
Settings can be customized for specific organizations, and will impact all users within that org. This is a timed session length that expires the session regardless of the user's activity. When choosing a session length, admins have the following options:
- Choose from a range of predefined session lengths, or set a custom session length between 1 and 24 hours.
- Configure whether users need just a password, or require a Security Key to re-authenticate.
Third-party SAML identity providers and session length controls
If your organization uses a third-party SAML-based identity provider (IdP), the cloud sessions will expire, but the user may be transparently re-authenticated (i.e. without actually being asked to present their credentials) if their session with the IdP is valid at that time. This is working as intended, as Google will redirect the user to the IdP and accept a valid assertion from the IdP. To ensure that users are required to re-authenticate at the correct frequency, evaluate the configuration options on your IdP and review the Help Center article to Set up SSO via a third party Identity provider.
Some apps are not designed to gracefully handle the re-authentication scenario, which can cause confusing app behavior. Other apps are deployed for server-to-server purposes via user credentials — because they don’t require service account credentials, they are not prompted to periodically re-authenticate.
If you have specific apps like this, and you do not want them to be impacted by session length reauthentication, the org admin can add these apps to the trusted list for your organization. This will exempt the app from session length constraints, while implementing session controls for the rest of the apps and users within the organization.
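As an added example (not Google's code and not part of the original post), here is one way an app using OAuth user credentials can handle the re-authentication scenario described above: a refresh that fails with `invalid_grant` is surfaced as "sign in again" instead of being retried. The `post_token` transport hook, the constructed response and the `invalid_rapt` subtype value are assumptions to check against your own client library.

```python
import json


class ReauthRequired(Exception):
    """The user must sign in again; retrying the refresh will not help."""


def refresh_access_token(post_token, refresh_token, max_attempts=3):
    """Exchange a refresh token, separating an ended session from other failures.

    post_token is a caller-supplied callable (hypothetical transport hook) that
    takes the form fields and returns (http_status, response_body_text).
    """
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    for attempt in range(1, max_attempts + 1):
        status, text = post_token(form)
        try:
            body = json.loads(text)
        except ValueError:
            body = {}
        if not isinstance(body, dict):
            body = {}
        if status == 200 and "access_token" in body:
            return body["access_token"]
        if body.get("error") == "invalid_grant":
            # RFC 6749 error for an expired or revoked grant. The subtype field
            # (assumed here: "invalid_rapt") is kept only for logging.
            raise ReauthRequired(body.get("error_subtype") or "invalid_grant")
        if status >= 500 and attempt < max_attempts:
            continue  # transient server error: try again
        raise RuntimeError(f"token refresh failed: HTTP {status}")
    raise RuntimeError("token refresh was not attempted")


if __name__ == "__main__":
    # Constructed response standing in for a token endpoint after session expiry.
    def session_expired(form):
        return 400, '{"error": "invalid_grant", "error_subtype": "invalid_rapt"}'

    try:
        refresh_access_token(session_expired, "refresh-token-constructed")
    except ReauthRequired as exc:
        print("prompt the user to sign in again:", exc)
```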
- Admins: For customers who have their session length set to "Never Expire", your session length will reset to 16 hours. It can be turned off or modified at the OU level. Visit the Help Center article to learn how to set session length for Google Cloud services for your organization.
- End users: If a session ends, users will simply need to log in to their account again using the familiar Google login flow.
- Rapid Release and Scheduled Release domains: Extended rollout (potentially longer than 15 days for feature visibility) starting on March 15, 2023.
- Available to all Google Workspace and Cloud Identity customers, as well as legacy G Suite Basic and Business customers
Google Workspace Admin Help: Set session length for Google Cloud services
Google Workspace Admin Help: Control which third-party & internal apps access Google Workspace data
Google Workspace Admin Help: Set up SSO via a third party Identity provider
Google Help: Use a security key for 2-Step Verification
Google Cloud Docs: Creating and managing organizations
Google Identity Docs: Using OAuth 2.0 for Server to Server Applications