Chapter 5 Configuring Access Manager Sessions

Access Manager session configuration includes:

• Setting Session Quota Constraints

• Configuring Session Property Change Notifications

Setting Session Quota Constraints

The session quota constraints feature allows Access Manager to limit users to a specific number of active, concurrent sessions based on configurable attributes. An Access Manager administrator can set session quota constraints at the following levels:

• Globally. Constraints apply to all users.

• To an entity (organization or realm, role, or user). Constraints apply only to the specific users that belong to the entity.

Deployment Scenarios for Session Quota Constraints

The following Access Manager deployments support session quota constraints:

• Access Manager Single Server Deployment

  In this scenario, Access Manager is deployed on a single host server. Access Manager maintains the active session counts in memory for all logged in users. When a user attempts to log in to the server, Access Manager checks whether the number of the valid sessions for the user exceeds the session quota and then takes action based on the configured session quota constraints options.

• Access Manager Session Failover Deployment

  In this scenario, multiple instances of Access Manager are deployed on different host servers in a session failover configuration. The Access Manager instances are configured for session failover using Sun Java System Message Queue (Message Queue) as the communications broker and the Berkeley DB as the session store database. For more information about Access Manager session failover, see Chapter 6, Implementing Session Failover.

In a session failover deployment, when a user attempts to log in, the Access Manager server receiving the session creation request first retrieves the session quota for the user from the Access Manager identity repository. Then, the Access Manager server fetches the session count for the user directly from the centralized session repository (accumulating all the sessions from all the Access Manager servers within the same site) and checks whether the session quota has been exhausted. If the session quota has been exhausted for the user, the Access Manager server takes action based on the configured session quota constraints options.

If session constraints are enabled in a session failover deployment and the session repository is not available, users (except superuser) are not allowed to log in.

In a session failover deployment, if an Access Manager instance is down, all the valid sessions previously hosted by that instance are still considered to be valid and are counted when the server determines the actual active session count for a given user. An Access Manager multiple server deployment that is not configured for session failover does not support session quota constraints.

Multiple Settings For Session Quotas

If a user has multiple settings for session quotas at different levels, Access Manager follows this precedence to determine the actual quota for the user:

• user (highest)

• role/organization/realm (based on the conflict resolution levels)

• global (lowest)

For example, Ken is a member of both the marketing and management roles. Session quotas are defined as follows (all have the same conflict resolution level):

• organization - 1

• marketing role - 2

• management role - 4

• user Ken - 3

Ken's quota is 3.

For more information about the session quota constraints attributes, see the Access Manager Console online help.

Configuring Session Quota Constraints

To configure session quota constraints, the top-level Access Manager administrator (such as amAdmin) must set specific attributes in the Access Manager Console for one of the Access Manager instances in your deployment.

To Configure Session Quota Constraints

1. Log in to Access Manager Console as a top-level Access Manager administrator (such as amAdmin) .

2. Set the following attributes in the Access Manager Console for one of the Access Manager instances.

   Enable Quota Constraints is a global attribute that enables or disables the session quota constraints feature. If this attribute is enabled, Access Manager enforces session quota constraints whenever a user attempts to logs in via a new client (and thus create a new session).

   The default is disabled (OFF).

   Read Timeout for Quota Constraint defines the time in milliseconds that an inquiry to the session repository for the active user session counts continues before timing out. If the maximum wait time is reached due to the unavailability of the session repository, the session creation request is rejected.

   The default is 6000 milliseconds.

   Resulting Behavior If Session Quota Exhausted determines the behavior if a user exhausts the session constraint quota. This attribute takes effect only if the “Enable Quota Constraints” attribute is enabled. Values can be:

   • DENY_ACCESS. Access Manager rejects the login request for a new session.

   • DESTROY_OLD_SESSION. Access Manager destroys the next expiring existing session for the same user and allows the new login request to succeed.

   The default is DESTROY_OLD_SESSION.

   Exempt Top-Level Admins From Constraint Checking specifies whether session constraint quotas apply to the administrators who have the Top-level Admin Role. This attribute takes effect only if the “Enable Quota Constraints” attribute is enabled.

   The default is NO.

   The super user defined for Access Manager in the AMConfig.properties file (com.sun.identity.authentication.super.user) is always exempt from session quota constraint checking.

   Active User Sessions defines the maximum number of concurrent sessions for a user. Access Manager includes both a dynamic attribute and a user attribute, with same attribute name.

   The default is 5.

   ---

   Note –

   If you reset any of these attributes, you must restart the server for the new value to take effect.

   ---

3. When you have finished click Save.

Configuring Session Property Change Notifications

The session property change notification feature causes Access Manager to send a notification to all registered listeners when a change occurs on a specific session property. This feature takes effect when the “Enable Property Change Notifications” attribute is enabled (ON) in the Access Manager Console.

For example, in a single sign-on (SSO) environment, one Access Manager session can be shared by multiple applications. When a change occurs on a specific session property defined in the “Notification Properties” list, Access Manager sends a notification to all registered listeners.

All client applications participating in the SSO automatically get the session notification if they are configured in the notification mode. The client cached sessions are automatically updated based on the new session state (including the change of any session property, if there is any). An application that wants to take a specific action based on a session notification can write an implementation of the SSOTokenListener interface and then register the implementation through the SSOToken.addSSOTokenListener method. For more information, see the Sun Java System Access Manager 7.1 Developer’s Guide.

To Configure Session Property Change Notifications

1. Log in to Access Manager Console as amAdmin.

2. Click the Configuration tab.

3. Under Global Properties, click Session.

4. Set “Enable Property Change Notifications” to ON.

5. In the “Notification Properties” list, add each property for which you want a notification sent when the property is changed.

6. When you have finished adding properties to the list, click Save.