Sun Java System Access Manager 7.1 Postinstallation Guide

Setting Session Quota Constraints

The session quota constraints feature allows Access Manager to limit users to a specific number of active, concurrent sessions based on configurable attributes. An Access Manager administrator can set session quota constraints at the following levels:

Deployment Scenarios for Session Quota Constraints

The following Access Manager deployments support session quota constraints:

In a session failover deployment, when a user attempts to log in, the Access Manager server receiving the session creation request first retrieves the session quota for the user from the Access Manager identity repository. Then, the Access Manager server fetches the session count for the user directly from the centralized session repository (accumulating all the sessions from all the Access Manager servers within the same site) and checks whether the session quota has been exhausted. If the session quota has been exhausted for the user, the Access Manager server takes action based on the configured session quota constraints options.

If session constraints are enabled in a session failover deployment and the session repository is not available, users (except superuser) are not allowed to log in.

In a session failover deployment, if an Access Manager instance is down, all the valid sessions previously hosted by that instance are still considered to be valid and are counted when the server determines the actual active session count for a given user. An Access Manager multiple server deployment that is not configured for session failover does not support session quota constraints.

Multiple Settings For Session Quotas

If a user has multiple settings for session quotas at different levels, Access Manager follows this precedence to determine the actual quota for the user:

For example, Ken is a member of both the marketing and management roles. Session quotas are defined as follows (all have the same conflict resolution level):

Ken's quota is 3.

For more information about the session quota constraints attributes, see the Access Manager Console online help.

Configuring Session Quota Constraints

To configure session quota constraints, the top-level Access Manager administrator (such as amAdmin) must set specific attributes in the Access Manager Console for one of the Access Manager instances in your deployment.

ProcedureTo Configure Session Quota Constraints

  1. Log in to Access Manager Console as a top-level Access Manager administrator (such as amAdmin) .

  2. Set the following attributes in the Access Manager Console for one of the Access Manager instances.

    Enable Quota Constraints is a global attribute that enables or disables the session quota constraints feature. If this attribute is enabled, Access Manager enforces session quota constraints whenever a user attempts to logs in via a new client (and thus create a new session).

    The default is disabled (OFF).

    Read Timeout for Quota Constraint defines the time in milliseconds that an inquiry to the session repository for the active user session counts continues before timing out. If the maximum wait time is reached due to the unavailability of the session repository, the session creation request is rejected.

    The default is 6000 milliseconds.

    Resulting Behavior If Session Quota Exhausted determines the behavior if a user exhausts the session constraint quota. This attribute takes effect only if the “Enable Quota Constraints” attribute is enabled. Values can be:

    • DENY_ACCESS. Access Manager rejects the login request for a new session.

    • DESTROY_OLD_SESSION. Access Manager destroys the next expiring existing session for the same user and allows the new login request to succeed.

    The default is DESTROY_OLD_SESSION.

    Exempt Top-Level Admins From Constraint Checking specifies whether session constraint quotas apply to the administrators who have the Top-level Admin Role. This attribute takes effect only if the “Enable Quota Constraints” attribute is enabled.

    The default is NO.

    The super user defined for Access Manager in the file (com.sun.identity.authentication.super.user) is always exempt from session quota constraint checking.

    Active User Sessions defines the maximum number of concurrent sessions for a user. Access Manager includes both a dynamic attribute and a user attribute, with same attribute name.

    The default is 5.

    Note –

    If you reset any of these attributes, you must restart the server for the new value to take effect.

  3. When you have finished click Save.