In many regions, strict access governance and compliance regulations mandate that user accounts and roles have a defined expiration period. To meet these requirements, administrators can leverage their Identity Provider (IDP) to issue time-bound access, and combine it with native SonicWall Cloud Secure Edge (CSE) features to enforce strict timeouts, immediately revoke access, and automatically recover licenses.
This guide explains how to configure a comprehensive temporary access strategy by first setting up time-bound access in your IDP, followed by enforcing short session timeouts, device banning, and automated inactivity purging in CSE.
First, use your IDP's native governance features to assign users to the SonicWall CSE application group with a strict expiration timer. The mechanism depends on your IDP:

Microsoft Entra ID
- Privileged Identity Management (PIM): Make the user "Eligible" or assign them as "Active" to the SonicWall CSE security group, specifying a strict Start and End date/time. Once the end time hits, Entra ID drops them from the group.
- Entitlement Management: Create an "Access Package" containing the SonicWall CSE group. Configure the package lifecycle to expire after a specific number of days or hours.

Okta
- Okta Identity Governance: Use Access Requests to allow users to request temporary access to the SonicWall CSE application. As part of the workflow, set an automated revocation timer.
- Group Rules: For contractors, tie Okta group membership to a temporary HR attribute (such as ContractEndDate), automatically suspending the user when the date passes.

Google Groups
- Temporary Group Memberships: When adding a user to the Google Group mapped to SonicWall CSE, use the "Temporary Member" feature to specify an exact expiration date and time.
When an IDP timer expires, the IDP stops issuing new authentication tokens for the user. However, to ensure the user is actively kicked out of their current session in a timely manner, you must configure a short session timeout in SonicWall CSE. This forces the CSE application to check back with the IDP regularly.
How to configure:
1. Log in to your SonicWall CSE Command Center.
2. Navigate to your Authentication or Security Policies settings.
3. Locate the Session Duration or Token Expiration settings for both Web and Client access.
4. Set the maximum session duration to a low value, such as 8 hours (a standard workday).
5. Save and apply the policy.
Important Note: Setting a lower timeout increases security and compliance but will require active users to re-authenticate at the start of every shift. If their IDP access has expired, this re-authentication will fail, successfully locking them out.
If an administrator needs to terminate a user's access immediately—before the 8-hour session timeout occurs—they can forcefully break the session using the Ban Device feature.
This is especially useful if a contractor's term ends abruptly or an immediate security risk is identified.
How to ban a device:
1. Log in to the SonicWall CSE Command Center.
2. Navigate to Directory > Devices.
3. Search for the specific user or device you wish to revoke.
4. Click on the device to open its details, or select the actions menu next to the device.
5. Select Ban Device.
Banning a device instantly severs its connection to CSE resources, providing an immediate kill-switch for offboarding.
When a user's temporary IDP access expires and they are locked out, their dormant profile will initially remain in the CSE console and continue to consume a license.
To automatically free up these licenses without manual intervention, administrators should configure CSE to automatically archive users after a set period of inactivity.
How to configure automated inactivity archiving:
1. Log in to the SonicWall CSE Command Center.
2. Navigate to Settings > Configuration > Advanced.
3. Locate the User and Device Inactivity section.
4. Input the desired number of days for the threshold (e.g., 7 or 14 days). Once a user has not logged in for this duration, they will be automatically archived and their license released.
5. Select Update to save the configuration.
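The three CSE controls above (session timeout, device ban, inactivity archiving) interact with the IDP expiry timer in ways that are easy to misjudge. The following audit model, added here as an example and not SonicWall code, applies the guide's recommended values (8-hour session, 14-day inactivity threshold) to constructed user records to show how long an expired user can still be connected and when their license is actually released; the record field names (idp_end, last_login, status, banned_at) are assumptions, not a real CSE or IDP export format.

```python
from datetime import datetime, timedelta

# Policy values as recommended in this guide.
MAX_SESSION = timedelta(hours=8)    # CSE maximum session duration
INACTIVITY = timedelta(days=14)     # CSE inactivity archive threshold

# Constructed sample records; field names are assumptions, not a real export.
USERS = [
    {"user": "alice@example.com", "idp_end": "2024-05-01T17:00",
     "last_login": "2024-05-01T08:00", "status": "active", "banned_at": None},
    {"user": "bob@example.com", "idp_end": "2024-04-10T17:00",
     "last_login": "2024-04-10T09:00", "status": "active", "banned_at": None},
    {"user": "carol@example.com", "idp_end": "2024-05-01T17:00",
     "last_login": "2024-05-01T08:00", "status": "active",
     "banned_at": "2024-05-01T12:00"},
    {"user": "dave@example.com", "idp_end": "2024-04-01T17:00",
     "last_login": "2024-04-01T09:00", "status": "archived", "banned_at": None},
]

def parse(ts):
    return datetime.fromisoformat(ts) if ts else None

def access_ends(idp_end, banned_at=None):
    """Worst case for an already-authenticated session: it can outlive the IDP
    expiry by one full session duration unless the device is banned first."""
    worst = idp_end + MAX_SESSION
    return min(worst, banned_at) if banned_at else worst

def license_release(last_login):
    """Inactivity archiving releases the license this long after the last login."""
    return last_login + INACTIVITY

def audit(users, now):
    """Classify every user whose IDP access has expired as of `now` (ISO string)."""
    now, findings = parse(now), {}
    for u in users:
        idp_end, last = parse(u["idp_end"]), parse(u["last_login"])
        if now < idp_end:
            continue  # still entitled; nothing to check
        if now < access_ends(idp_end, parse(u["banned_at"])):
            findings[u["user"]] = "session may still be live; ban device to revoke now"
        elif u["status"] == "archived":
            findings[u["user"]] = "archived; license released"
        elif now < license_release(last):
            findings[u["user"]] = "license held until inactivity threshold"
        else:
            findings[u["user"]] = "past threshold but not archived; check setting"
    return findings

if __name__ == "__main__":
    for user, finding in audit(USERS, "2024-05-01T20:00").items():
        print(user, "->", finding)
```

Run against the sample data, the four users land in the four possible states, which is a quick way to sanity-check the thresholds you chose before rolling them out.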