docs: Update caveats about HCP and TTL

pull/5637/head
Dan Heath 1 year ago
parent d965b8c6c5
commit 4e5411754e

@ -54,14 +54,11 @@ With the [OIDC](/boundary/tutorials/identity-management/oidc-auth) and LDAP auth
as the auth method. The accounts and users are only created once the user authenticates to Boundary for the first time.
The same applies to OIDC/LDAP [managed groups](/boundary/tutorials/identity-management/oidc-idp-groups).
<Note>
You can configure the `max_age` in the [OIDC attributes](/boundary/docs/concepts/domain-model/auth-methods#oidc-auth-method-attributes) to indicate to the OIDC provider how much time is allowed to pass until a user is challenged to authenticate again.
However, the user will not be prompted to authenticate until the controller's `auth_token_time_to_live` [parameter](/boundary/docs/configuration/controller#auth_token_time_to_live) has expired.
The default value is 7 days.
At this time, HCP Boundary users cannot configure the `auth_token_time_to_live` for a controller, so that value always equals the default of 7 days.
</Note>
To configure time to live in HCP Boundary, refer to [Configure authentication time to live](/hcp/docs/boundary/configure-ttl).
### Grant permissions
When setting up access controls for a user, it is important to first consider which scope(s) the user needs access to. Roles give users permission to perform actions through grants strings.
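Review bot: The pointer "To configure time to live in HCP Boundary, refer to [Configure authentication time to live](/hcp/docs/boundary/configure-ttl)." sits outside the `<Note>`, directly between `</Note>` and `### Grant permissions` with no blank line on either side. A reader who stops at the note never sees it. Consider moving it inside the note as its last sentence, or at least separating it from the heading with blank lines so it renders as its own paragraph. The note's "The default value is 7 days." also reads as unconditional. Now that HCP Boundary has its own TTL page, it would help to say that 7 days applies unless `auth_token_time_to_live` (or the HCP setting) has been changed, because that value decides how long a session lasts before re-authentication regardless of `max_age`.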

@ -88,8 +88,6 @@ description will be read.
to all tokens from all auth methods). Valid time units are anything specified by Golang's
[ParseDuration()](https://golang.org/pkg/time/#ParseDuration) method. Default is 7 days.
Note that you cannot set a maximum time to live for auth tokens in HCP Boundary at this time. For HCP Boundary, all auth tokens' maximum time to live equal the default of 7 days.
- `auth_token_time_to_stale` - Maximum time of inactivity for all auth tokens globally (pertains
to all tokens from all auth methods). Valid time units are anything specified by Golang's
[ParseDuration()](https://golang.org/pkg/time/#ParseDuration) method. Default is 1 day.
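Review bot: Going by the 8-to-6 line count in the hunk header, the HCP Boundary sentence under `auth_token_time_to_live` is dropped with nothing put in its place, so this entry gives HCP readers no guidance at all. Suggest adding a one-line cross-reference to `/hcp/docs/boundary/configure-ttl` here, matching the pointer added in the other file. The neighbouring `auth_token_time_to_stale` entry says nothing about HCP Boundary either. If the HCP page covers the inactivity timeout as well, the same cross-reference belongs on that entry. If it does not, please state that, so readers do not assume the 1 day default can be changed there.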
