Support for specific application idle session timeout values

Patch 1 allows different applications to have different session idle timeout values. In an enterprise, some applications might require session idle timeout values that are less than the session idle time out specified in the session service. For example, you have specified session the idle timeout value in the session service as 30 minutes, but an HR application should timeout if a user has been idle for more than 10 minutes.

This feature is not currently supported for Distributed Authentication and Cross Domain Single Sign-on scenarios

Requirements to use this feature are:

• Agents protecting the application must be configured to enforce URL policy decisions from Access Manager.

• Agents must be configured to run in self policy decision cache mode. See the following properties:

  • For web agents: com.sun.am.policy.am.fetch_from_root_resource

  • For J2EE agents: com.sun.identity.policy.client.cacheMode

• The Access Manager AMConfig.properties file must specify a policy component evaluation order such that Condition is evaluated last. See the following property:

  com.sun.identity.policy.Policy.policy_evaluation_weights

• The application access allowed by the agent based on a locally cached decision will not be known to the Condition on Access Manager. Therefore, the actual application idle timeout will be between the application idle timeout to the application idle timeout minus the agent cache duration.

To use this feature:

• Add an Authentication Scheme Condition to the policies protecting the application that requires the application specific session idle timeout.

• Specify the Application Name and Timeout Value in the Authentication Scheme Condition.

• Use the same Application Name and Time Out value in all the policies that apply to the resources for the application.

• Specify the Timeout Value in minutes. If the value is 0 or greater than the session idle timeout value specified in the session service, the value is ignored, and the timeout from session service will apply.

For example, consider a policy http://host.sample.com/hr/*, with this Authentication Scheme Condition:

• Authentication Scheme: LDAP

• Application Name: HR

• Timeout Value: 10

If there are multiple policies defined to protect resources of the HR application, you must add the Condition to all of the policies.

When a user in a distinct session attempts to access the HR application protected by the Access Manager agent, that user is prompted to authenticate for the LDAP scheme (if the user is not yet authenticated).

If the user has already authenticated to the LDAP scheme, that user is allowed access only if the time is less than 10 minutes since the time the last authentication or if the time is less than 10 minutes since that user's last access time to the HR application. Otherwise, the user is prompted to authenticate to the LDAP scheme again to access the application.

The Idle Session Timeout for a realm is configured for the highest value required by all applications. Shorter Idle Session Timeout requirements are enforced by the Policy Condition protecting the appropriate applications. However, if you define explicit "deny" policies to protect the application, it would break this protection. This is because the new the new Condition extends the idle timeout for the application, assuming that the access to the application is allowed if this Condition is satisfied. If the other "deny" policy is satisfied, the user can not access the application.

Application idle timeout of value 0 is treated as Integer.MAX_VALUE for the purposes of idle timeout enforcement.