From fea2f2371bf38446fa8941432160aa97710a5323 Mon Sep 17 00:00:00 2001 From: Maxime Date: Wed, 13 May 2026 12:39:57 -0700 Subject: [PATCH] docs(access): document session lifetime enforcement MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New page under Administration > Access describing the optional per-email-domain maximum web-app session lifetime. Customer-facing only — covers what the feature does, who it applies to, what users experience, and how to request enrollment. Adds a cross-link from the SSO page and a nav entry in mkdocs.yml. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../access/session-lifetime.md | 36 +++++++++++++++++++ docs/7-administration/access/sso.md | 1 + mkdocs.yml | 1 + 3 files changed, 38 insertions(+) create mode 100644 docs/7-administration/access/session-lifetime.md diff --git a/docs/7-administration/access/session-lifetime.md b/docs/7-administration/access/session-lifetime.md new file mode 100644 index 000000000..8299b94c6 --- /dev/null +++ b/docs/7-administration/access/session-lifetime.md 
@@ -0,0 +1,36 @@ +# Session Lifetime Enforcement + +LimaCharlie can enforce a maximum lifetime on web-app sessions for users in a specific email domain. Once enabled, users are automatically signed out of the web app after the configured duration, measured from the moment they last entered their credentials. They must then sign in again to continue. + +This is typically used by enterprise and regulated customers who require periodic re-authentication, regardless of whether a user is actively using the web app. + +## How It Works + +- The configured maximum lifetime is applied to every user whose email belongs to the enrolled domain. +- The countdown starts when the user authenticates (entering password, completing SSO, or completing MFA). Background token refreshes do **not** reset it. +- When the limit is reached, the web app shows a brief notice and signs the user out. The user can sign back in immediately and a new countdown begins. +- The control affects the web app only. API tokens, sensor enrollment, and integrations are not impacted. + +## Scope + +- The setting is configured per email domain. All users authenticating with an email in the enrolled domain are subject to the same limit. +- Customers with multiple email domains (for example, primary and secondary brands) can enroll each domain independently. +- The setting can be combined with [Strict SSO Enforcement](sso.md) and other per-domain authentication controls. + +## User Experience + +- During the session, no banner or countdown is shown — the experience is identical to a normal session. +- At expiry, the user sees a short message indicating that the session has reached its maximum lifetime, and is redirected to the sign-in page. +- For users who are already signed in at the moment the policy is first enabled for their domain, the countdown applies from their most recent sign-in. 
They will typically be signed out shortly after enablement and asked to sign in once; subsequent sessions follow the configured limit. + +## Requesting Enrollment + +Session lifetime enforcement is configured by LimaCharlie staff. To enable it for your domain, contact your LimaCharlie account team or open a support request including: + +- The email domain (or domains) to enroll. +- The maximum session duration (for example, "8 hours" or "7 days"). + +## Related Articles + +- [Single Sign-On](sso.md) +- [User Access](user-access.md) diff --git a/docs/7-administration/access/sso.md b/docs/7-administration/access/sso.md index 933f1ef6e..45a0aac08 100644 --- a/docs/7-administration/access/sso.md +++ b/docs/7-administration/access/sso.md @@ -31,6 +31,7 @@ In LimaCharlie, an Organization represents a tenant within the Agentic SecOps Wo ## Related Articles - [User Access](user-access.md) +- [Session Lifetime Enforcement](session-lifetime.md) ## What's Next diff --git a/mkdocs.yml b/mkdocs.yml index 8ba880e2d..d0406a80c 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -481,6 +481,7 @@ nav: - User Access: 7-administration/access/user-access.md - Designing Access: 7-administration/access/designing-access.md - SSO: 7-administration/access/sso.md + - Session Lifetime Enforcement: 7-administration/access/session-lifetime.md - Billing: - Options: 7-administration/billing/options.md - Custom Plans: 7-administration/billing/custom-plans.md
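Review bot: In session-lifetime.md the start of the countdown is described two ways: the introduction measures it "from the moment they last entered their credentials", while the second "How It Works" bullet starts it on "entering password, completing SSO, or completing MFA". State once which events reset the countdown, in particular whether an MFA prompt completed mid-session counts, and use the same wording in both places. In "User Experience", the sentence "They will typically be signed out shortly after enablement" only holds when the user's most recent sign-in is already older than the configured limit; state that condition so administrators can tell which users will be signed out when the policy is enabled.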