To specify how inactive SSO-authenticated users are handled
Navigate to Users > Settings > User Sessions.
To put a user identified to the SonicWall network security appliance through an SSO mechanism, but no traffic has yet been received from the user, into an inactive state so they do not use resources, select On being notified of a login make the user initially inactive until they send traffic. The users remain in an inactive state until traffic is received. This option is selected by default.
Some SSO mechanisms do not give any way for the SonicWall network security appliance to actively re-identify a user, and if users identified by such a mechanism do not send traffic, they remain in the inactive state until the appliance eventually receives a logout notification for the user. For other users who can be re-identified, if they stay inactive and do not send traffic, they are aged-out and removed after a period (see the paragraphs that follow).
If an SSO-identified user who has been actively logged in is timed out because of inactivity, then users who cannot be re-identified are returned to an inactive state. To have users who would otherwise be logged out on inactivity to be returned to an inactive state, select On inactivity timeout make all user inactive instead of logged out. Doing this avoids overhead and possible delays re-identifying the users when they become active again. This setting is selected by default.
For inactive users who are subject to getting aged out, you can set the time, in minutes, after which they are aged-out and removed if they stay inactive and do not send traffic by selecting Age out inactive users after (minutes) and specifying the timeout in the field. This setting is selected by default, and the minimum timeout value is 10 minutes, the maximum is 10000 minutes, and the default is 60 minutes.
As the reason for keeping inactive user separate from active users is to minimize the resources used to manage them, the age-out timer runs once every 10 minutes. It might, therefore, take up to 10 minutes longer to remove inactive users from active status.