That is by design. Your only option is to configure the logout redirect to an HTML page of your choice.
On that landing page you could either make a call to log out of the SSO session or give the user an option to return to Cognos.
As you can appreciate, since the SSO session is valid... Cognos does not re-challenge the SSO user because their SSO credentials are valid. If they visited a different site protected by the same SSO security... you would likely find they are not challenged on that site also.
I'd be curious to understand how you would want this to behave if the SSO session is still valid as this concern has been raised by Cognos customers in the past. I believe there is also a pre-login url you can configure but I'm not sure if that will fire if the SSO session is valid. But if it does... you could expose a pre-login HTML page that asks the user if they want to continue to Cognos at which point the CA Session cookie would be automagically renewed via the active SSO session.
IMO, if customers want a feature in which active SSO sessions should still challenge for the SSO credentials... I would think that should be an SSO authentication provider setting. Perhaps that's an option to research in that case also.
Good luck!
Original Message:
Sent: Wed July 09, 2025 07:08 AM
From: Shawn Crook
Subject: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.
Hi,
Assuming I understand the situation correctly, the Cognos session is likely timing out. However, the SSO session is still active.
Hence, if you log out and return to Cognos, the CA session is restored based on the still active SSO session.
If you are concerned that the active CA session did not end, check the applicable Cognos session auth cookies. You will notice they have changed since logout even though the login screen does not appear.
There is a way to overcome this by configuring an SSO logout url. Once this url is configured, after logout CA will redirect to this URL of your choice. See: https://www.ibm.com/support/pages/how-redirect-users-after-sign-out-cognos-analytics
At this target URL, if desirable, you can then also perhaps end the active SSO session, albeit this is likely not a desirable default since the user will need to re-authenticate the SSO session again, not only for Cognos but for other apps also, but that might be desirable in your case.
Hope this helps.
------------------------------
Shawn Crook
Original Message:
Sent: Tue July 08, 2025 01:57 PM
From: James Hicks
Subject: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.
Thanks. We did that, but our compliance folks are requiring that that login screen shows up after timeout and requires the user to re-do their credentials. Currently it does time out, but Cognos is passing the credentials behind the scenes and reverting back to the screen they were currently on.
Jim Hicks
Product Manager
Community Core
Original Message:
Sent: 7/8/2025 11:57:00 AM
From: Patrick Neveu
Subject: RE: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.
Hi James,
In IBM Cognos Configuration, you need to change from Explorer pane, in Security / Authentication:

to 900 (instead of 3600). Save and restart Cognos Analytics.
If you are a supported customer, I guess you need to contact IBM Support.
Best regards,
------------------------------
Patrick Neveu
BSL Consulting
IBM Champion
Original Message:
Sent: Tue July 08, 2025 06:42 AM
From: James Hicks
Subject: During assessment, it has been observed that the user session does not expire when left idle for 15 minutes.
Has anyone been hit with this during your scans? We were told with SSO there is no workaround and we submitted an enhancement request years ago. We tried this with MFA using IdP and still does not take you back to the login screen. Cognos doesn't prompt for a new login. Any recommendations or explanations you may have used to pass your internal audits?
CWE-613: Insufficient Session Expiration
The application did not invalidate the user session after 15
minutes of inactivity. Keeping the session valid for a longer
period of time increases the chances of it being stolen, hijacked,
or replayed. It can also lead to the unauthorized disclosure of
sensitive information displayed within the browser window.
------------------------------
James Hicks
------------------------------
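
The cookie check suggested in Shawn Crook's reply (compare the session cookies from before the timeout with those present after returning), written out as an added example that is not part of the thread and is not IBM code. The cookie names and values are constructed placeholders, not real Cognos or IdP cookie names; values are reported only as hash prefixes so the record can be handed to an auditor without exposing a usable token.

```python
import hashlib
from http.cookies import SimpleCookie

# Constructed captures of the browser's Cookie header; names and values are
# placeholders, not real Cognos or IdP cookie names.
BEFORE_TIMEOUT = "app_session=AAA111; sso_session=IDP777; ui_lang=en"
AFTER_RETURN = "app_session=BBB222; sso_session=IDP777; ui_lang=en"


def parse(header):
    """Return {cookie name: value} from a Cookie header string."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def fingerprint(value):
    """Short SHA-256 prefix so the report never contains a usable token."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def compare(before_header, after_header):
    """Classify each cookie as rotated, unchanged, added or removed."""
    before, after = parse(before_header), parse(after_header)
    report = {}
    for name in sorted(set(before) | set(after)):
        if name not in after:
            report[name] = "removed"
        elif name not in before:
            report[name] = "added"
        elif before[name] != after[name]:
            report[name] = "rotated"
        else:
            report[name] = "unchanged"
    return report


def evidence_lines(before_header, after_header):
    """Human-readable lines with hashed values for an audit record."""
    before, after = parse(before_header), parse(after_header)
    lines = []
    for name, status in compare(before_header, after_header).items():
        old = fingerprint(before[name]) if name in before else "-"
        new = fingerprint(after[name]) if name in after else "-"
        lines.append(f"{name}: {status} ({old} -> {new})")
    return lines


if __name__ == "__main__":
    print("\n".join(evidence_lines(BEFORE_TIMEOUT, AFTER_RETURN)))
```

A rotated application cookie next to an unchanged SSO cookie is the pattern the thread describes: the application session ended and a new one was issued from the still-valid SSO session.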