We want to integrate AEM with Okta.
However, Okta has a short session time that we don't want to change, and we have a requirement for AEM to have a longer session time.
Therefore, after authentication with Okta, we somehow need AEM to create its own session that will be valid for x days.
For the purposes of this explanation, let's assume x = 10 days.
After logging in, if the user returns to AEM within those 10 days, they wouldn't have to log in again, and the session would be extended for a further 10 days.
If, however, the 10 days expire, we would expect the user to have to re-authenticate via Okta.
Please note we have multiple publisher instances, so any solution would need to work irrespective of which publisher instance the user was processed on.
I know Okta is a supported IDM, although my requirement needs to tailor the standard use case of Okta to essentially extend the AEM session (perhaps by custom auth handlers?).
As far as I know, once the user is authenticated with the IdP via the SAML request, in AEM you still get a token created and associated with the CRX session. Every subsequent request is authenticated via the CRX Token Authentication Handler first, before going to the SSO Handler, unless you have changed the JAAS rankings.
So you should be able to set the AEM session timeout via the Token Configuration, and this can be different from Okta.
Since you mentioned this authentication happens on publish instances and you have multiple ones, you should look at configuring encapsulated token support or sticky sessions in your load balancer.
I hope this helps!
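To make the two points in the answer concrete, here is an added illustration (editor's example, not AEM code and not part of the original thread) of what a stateless, "encapsulated" session token with a sliding 10-day expiry looks like: the token carries its own subject and expiry and is HMAC-signed with a key shared by every publisher, so any instance can validate and re-issue it without a shared session store or sticky sessions. The key, the user name, the epoch timestamps and the `handle_request`/`issue_token`/`validate_token` names are all constructed for the example. In AEM itself the equivalent knobs live, as far as I recall, in the Token Authentication Handler OSGi configuration (a token expiration value in milliseconds and the encapsulated-token switch); verify the exact property names against your instance's Web Console rather than this text.

```python
import base64
import hashlib
import hmac
import json

# Constructed example of a stateless ("encapsulated") sliding-expiry session token.
# Not AEM's TokenAuthenticationHandler; it only models the behaviour discussed above.

SESSION_DAYS = 10
SESSION_SECONDS = SESSION_DAYS * 24 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, user_id: str, now: int, ttl: int = SESSION_SECONDS) -> str:
    """Mint payload.signature, where payload = {sub, iat, exp} and the signature is HMAC-SHA256."""
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def validate_token(key: bytes, token: str, now: int):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except (ValueError, TypeError):  # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare; rejects forgeries and other keys
        return None
    claims = json.loads(payload)  # only reached for a correctly signed payload
    if now >= claims["exp"]:
        return None
    return claims


def handle_request(key: bytes, token, now: int):
    """Per-request auth on any publisher: valid token -> serve and slide the expiry,
    missing/invalid/expired token -> send the user back to the IdP. Returns (action, new_token)."""
    claims = validate_token(key, token, now) if token else None
    if claims is None:
        return ("redirect_to_okta", None)
    # Sliding window: every authenticated request re-issues a token with a fresh 10-day expiry.
    return ("serve", issue_token(key, claims["sub"], now))


def demo():
    """Walk the scenario from the question across two publishers sharing one key."""
    key = b"shared-across-all-publishers"  # constructed; provision the real secret to every publisher
    day = 24 * 3600
    t0 = 1_700_000_000  # constructed epoch timestamp
    results = []
    # 1. First visit, no token: user is redirected to Okta.
    action, tok = handle_request(key, None, t0)
    results.append(action)
    # 2. After the Okta login, publisher A mints the AEM session token.
    tok = issue_token(key, "alice", t0)
    # 3. Day 9, request lands on publisher B (same key): served, expiry slides to day 19.
    action, tok = handle_request(key, tok, t0 + 9 * day)
    results.append(action)
    # 4. Day 18, still inside the window opened on day 9: served, expiry slides to day 28.
    action, tok = handle_request(key, tok, t0 + 18 * day)
    results.append(action)
    # 5. Day 29, more than 10 days since the last visit: expired, back to Okta.
    action, _ = handle_request(key, tok, t0 + 29 * day)
    results.append(action)
    # 6. A token with a forged signature, or one checked with a different key, is rejected.
    forged = tok.split(".")[0] + "." + _b64(b"\x00" * 32)
    results.append(handle_request(key, forged, t0 + 18 * day)[0])
    results.append(handle_request(b"other-key", tok, t0 + 18 * day)[0])
    return results


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats follow from the model: the signing key must be identical on every publisher (a mismatch shows up as users being bounced back to Okta on some instances only), and a purely sliding window keeps a stolen token alive for as long as the thief keeps using it, so consider pairing the 10-day sliding expiry with an absolute maximum lifetime after which re-authentication with Okta is forced regardless of activity.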