Sun OpenSSO Enterprise 8.0 Technical Overview

Session Termination

A user session can be terminated in any of the following ways:

User Ends Session

When a user explicitly logs out of OpenSSO Enterprise by clicking a link to the Logout Service, the following events occur:

  1. The Logout Service receives the Logout request, and:

    1. Marks the user’s session as destroyed.

    2. Destroys the session.

    3. Returns a successful logout page to the user.

  2. The Session Service notifies the applications that are configured to interact with the session. In this case, each of the policy agents was configured for Session Notification, and each is sent a document instructing the agent that the session is now invalid.

  3. The policy agents flush the session from the cache and the user session ends.

Administrator Ends Session

OpenSSO Enterprise administrators with appropriate permissions can terminate a user session at any time. When an administrator uses the Sessions tab in the OpenSSO Enterprise console to end a user’s session, the following events occur:

  1. The Logout Service receives the Logout request, and:

    1. Marks the user’s session as destroyed.

    2. Destroys the session.

  2. The Session Service notifies the applications that are configured to interact with the session. In this case, each of the policy agents was configured for Session Notification, and each is sent a document instructing the agent that the session is now invalid.

  3. The policy agents flush the session from the cache and the user session ends.

OpenSSO Enterprise Enforces Timeout Rules

When a session timeout limit is reached, the Session Service:

  1. Changes the session status to invalid.

  2. Displays a timeout message to the user.

  3. Starts the purge operation delay timer. (The default delay is 60 minutes.)

  4. Purges (destroys) the session when the purge operation delay has elapsed.

  5. Displays the login page to the user if a session validation request arrives after the purge delay has elapsed.

Session Quota Constraints

OpenSSO Enterprise allows administrators to constrain the number of sessions a single user can have. If a user has more sessions than the administrator allows, one or more of the existing sessions can be destroyed.
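The following toy model ties together the three termination paths and the quota rule described above. It is an added example, not code from the OpenSSO Enterprise documentation or product: the session ids, the two-session quota, the "destroy the oldest session first" quota policy, the minute-based clock and the immediate agent caching are constructed assumptions, and the purge timer is modelled as a sweep inside validate() rather than a real timer.

```python
from dataclasses import dataclass, field

PURGE_DELAY_MINUTES = 60  # default purge operation delay stated in the text


@dataclass
class PolicyAgent:
    cache: set = field(default_factory=set)  # session ids this agent has cached

    def on_session_invalid(self, sid):
        self.cache.discard(sid)  # Session Notification received: flush the session


@dataclass
class SessionService:
    max_sessions_per_user: int = 2                # session quota (constructed value)
    agents: list = field(default_factory=list)    # agents configured for Session Notification
    sessions: dict = field(default_factory=dict)  # sid -> {user, status, invalid_at}, oldest first

    def create(self, sid, user):
        # Session quota: destroy the user's oldest session(s) while the limit would be exceeded
        mine = [k for k, s in self.sessions.items() if s["user"] == user]
        while len(mine) >= self.max_sessions_per_user:
            self.destroy(mine.pop(0))
        self.sessions[sid] = {"user": user, "status": "valid", "invalid_at": None}
        for agent in self.agents:
            agent.cache.add(sid)  # simplification: agents cache the session immediately

    def destroy(self, sid):
        # Logout Service path (user or administrator): mark destroyed, destroy, notify agents
        session = self.sessions.pop(sid, None)
        if session is not None:
            session["status"] = "destroyed"
        for agent in self.agents:
            agent.on_session_invalid(sid)

    def on_timeout(self, sid, now):
        # Timeout rule: the status becomes invalid and the purge-delay timer starts
        self.sessions[sid].update(status="invalid", invalid_at=now)

    def validate(self, sid, now):
        # Validation request at minute `now`: purge (destroy and notify) expired-invalid sessions first
        for k in [k for k, s in self.sessions.items()
                  if s["status"] == "invalid" and now - s["invalid_at"] >= PURGE_DELAY_MINUTES]:
            self.destroy(k)
        session = self.sessions.get(sid)
        if session is None:
            return "login"    # purged (or never existed): the login page is shown
        if session["status"] == "valid":
            return "valid"
        return "timeout"      # invalid but not yet purged: timeout message (modelled from step 2)
```

Note that a timed-out session is still present, though invalid, for the whole purge delay; only after the delay does a validation request fall through to the login page.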