Manual Chapter : Specifying how often a user must authenticate

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Overview: Configuring step-up authentication

Updated Date: 04/30/2026

Specifying how often a user must authenticate

You can configure Access Policy Manager (APM) so that step-up authentication runs periodically throughout a session. For example, you might want a user to re-authenticate every eight hours for access to a given application.

  1. For step-up authentication to run periodically, verify that the Maximum Session Timeout setting in the access profile is set to a value greater than zero.

    The default value is 604800 seconds (or 1 week).

    1. On the Main tab, select Access > Profiles / Policies > Access Profiles (Per-Session Policies).

    2. Click the name of the access profile you want to verify.

    3. In the Settings area, locate the Maximum Session Timeout setting.

    4. If it is set to 0, on the right of the screen select the Custom check box. In the Maximum Session Timeout field, type a value greater than 0, and at the bottom of the screen, click Update.

  2. To specify how long you want the user to retain access without needing to re-authenticate, update the Max Subsession Life (sec) setting:

    1. With the per-request policy open in the visual policy editor, expand the subroutine for editing.

    2. Click Subroutine Settings/Rename.

      A popup screen opens.

    3. In the Maximum Subsession Life (sec) field, type the number of seconds that you want users to retain access without needing to authenticate again.

      The default value is 900 (or 15 minutes).

  3. Click Save.

    The popup screen closes.