Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Configuring Session Quota Constraints

To configure session quota constraints, the top-level OpenSSO Enterprise administrator (such as amAdmin) must set specific attributes in the OpenSSO Enterprise Console for one of the OpenSSO Enterprise instances in your deployment.

Note –

By default, the COS priority for the realm is set to medium, which is a value of 3 in OpenSSO Enterprise. The OpenSSO Console does not support changing the priority of realm-level service attributes; it supports changing only the priority of role-level service attributes. Therefore, in the OpenSSO Console, you can set the role priority either higher or lower than the realm priority, so that a user's session attributes are taken from either the role level or the realm level.

Procedure: To Configure Session Quota Constraints

  1. Log in to OpenSSO Enterprise Console as amAdmin.

  2. Click Configuration, Global and then Session.

  3. On the Session page, set Enable Quota Constraints to ON.

    When this attribute is enabled, OpenSSO Enterprise enforces session quota constraints whenever a user attempts to log in from a new client and create a new session.

  4. On the Session page, for each session attribute, either accept the default value or set a value as required for your deployment.

    If you are configuring session property change notifications, see Configuring Session Property Change Notifications.

    Read Timeout for Quota Constraint

    Specifies the time in milliseconds that a query to the session repository for the user's current number of active sessions is allowed to run before timing out. If the maximum wait time is reached because the session repository is unavailable, the session creation request is rejected. 

    Default: 6000 milliseconds 

    Resulting Behavior If Session Quota Exhausted

    Determines the behavior if a user exhausts the session constraint quota. This attribute takes effect only if Enable Quota Constraints is enabled. Values can be: 

    • DENY_ACCESS. OpenSSO Enterprise rejects the login request for a new session.

    • DESTROY_OLD_SESSION. OpenSSO Enterprise destroys the existing session for the same user that would expire soonest (the next expiring session) and allows the new login request to succeed.


    Exempt Top-Level Admins From Constraint Checking

    Specifies whether session constraint quotas apply to the administrators who have the Top-level Admin Role. Takes effect only if the Enable Quota Constraints attribute is enabled. 

    Default: NO 

    The super user defined for OpenSSO Enterprise (com.sun.identity.authentication.super.user) is always exempt from session quota constraint checking.

    Deny User Login When Session Repository is Down

    Specifies whether a user can log in if the session repository is down. Takes effect only if the Enable Quota Constraints attribute is enabled. 

    Default: NO 

    Maximum Session Time

    Specifies the time in minutes before a session expires and the user must re-authenticate to regain access. To balance security requirements and convenience, consider setting the Maximum Session Time to a higher value and the Maximum Idle Time to a relatively low value. 

    Default: 120 minutes 

    Maximum Idle Time

    Specifies the idle time in minutes before a session expires and the user must re-authenticate to regain access. 

    Default: 30 minutes 

    Maximum Caching Time

    Specifies the time in minutes that a client application or policy agent caches session information before contacting OpenSSO Enterprise to refresh it. Keep the Maximum Caching Time less than the Maximum Idle Time; otherwise a client could continue to treat a session as valid after it has already timed out on the server. 

    Default: 3 minutes 

    Active User Sessions

    Specifies the maximum number of concurrent sessions allowed for a single user. 

    Default: 5 

  5. When you have finished setting attributes, click Save.

    If you change any of these attributes, you must restart the server for the new values to take effect.
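After the restart, it is worth confirming from a client that the quota is actually enforced and that the configured exhaustion behaviour is the one you expect. The following script is an added example, not part of this guide or of the OpenSSO product: it logs in as one ordinary user Active User Sessions + 1 times through the OpenSSO identity REST interfaces (identity/authenticate, identity/isTokenValid, identity/logout), then classifies what it observed as DENY_ACCESS, DESTROY_OLD_SESSION, or no enforcement. The server URL, test user, password, and quota value are assumptions you must replace with your deployment's values; the test user must not be the super user or a Top-level Admin when Exempt Top-Level Admins From Constraint Checking is YES, because those logins are never counted against the quota.

```python
"""Added example: check OpenSSO Enterprise session quota enforcement from a client."""
from typing import List, Optional
import urllib.error
import urllib.parse
import urllib.request

# Assumed deployment values (hypothetical); change them to match your environment.
OPENSSO_URL = "http://openssohost.example.com:8080/opensso"
TEST_USER = "quotatest"        # an ordinary user, not amAdmin or a Top-level Admin
TEST_PASSWORD = "changeit"
ACTIVE_USER_SESSIONS = 5       # the Active User Sessions value you configured


def parse_token_id(body: str) -> Optional[str]:
    """Extract the SSO token from an identity/authenticate response ('token.id=AQIC...')."""
    for line in body.splitlines():
        line = line.strip()
        if line.startswith("token.id="):
            return line[len("token.id="):]
    return None


def parse_boolean(body: str) -> bool:
    """Parse an identity/isTokenValid response ('boolean=true' or 'boolean=false')."""
    return body.strip().lower() == "boolean=true"


def authenticate(username: str, password: str, base_url: str = OPENSSO_URL) -> Optional[str]:
    """Create a new session; returns the token, or None if the server rejected the login."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    try:
        with urllib.request.urlopen(base_url + "/identity/authenticate", data=data) as resp:
            return parse_token_id(resp.read().decode())
    except urllib.error.HTTPError as err:
        # A rejected login (quota exhausted with DENY_ACCESS, or bad credentials)
        # comes back as an HTTP error whose body names the exception.
        print("login rejected:", err.code, err.read().decode().strip())
        return None


def is_token_valid(token: str, base_url: str = OPENSSO_URL) -> bool:
    query = urllib.parse.urlencode({"tokenid": token})
    with urllib.request.urlopen(base_url + "/identity/isTokenValid?" + query) as resp:
        return parse_boolean(resp.read().decode())


def logout(token: str, base_url: str = OPENSSO_URL) -> None:
    query = urllib.parse.urlencode({"subjectid": token})
    urllib.request.urlopen(base_url + "/identity/logout?" + query).close()


def classify(quota: int, login_results: List[Optional[str]], oldest_token_valid: bool) -> str:
    """Name the observed behaviour from quota+1 login outcomes.

    login_results holds the token (or None) for each of the quota+1 logins.
    oldest_token_valid says whether the first token still validates afterwards.
    With identical timeouts and no activity, the first session created is the
    next one to expire, so DESTROY_OLD_SESSION should invalidate exactly that one.
    """
    if len(login_results) != quota + 1:
        raise ValueError("expected quota + 1 login results")
    if any(t is None for t in login_results[:quota]):
        return "LOGIN_FAILED_BELOW_QUOTA"   # credentials, server, or repository problem
    if login_results[-1] is None:
        return "DENY_ACCESS"
    if not oldest_token_valid:
        return "DESTROY_OLD_SESSION"
    return "QUOTA_NOT_ENFORCED"


def run_quota_check(quota: int = ACTIVE_USER_SESSIONS) -> str:
    tokens: List[Optional[str]] = [authenticate(TEST_USER, TEST_PASSWORD) for _ in range(quota + 1)]
    first = tokens[0]
    oldest_valid = is_token_valid(first) if first else False
    result = classify(quota, tokens, oldest_valid)
    # Clean up: do not leave the test user's sessions behind.
    for t in tokens:
        if t and is_token_valid(t):
            logout(t)
    return result


if __name__ == "__main__":
    print("observed behaviour:", run_quota_check())
```

Run it once with Resulting Behavior If Session Quota Exhausted set to DENY_ACCESS and once with DESTROY_OLD_SESSION; a result of QUOTA_NOT_ENFORCED usually means Enable Quota Constraints is OFF, the server was not restarted after the change, or the test user is exempt.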