Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Chapter 14 Configuring OpenSSO Enterprise Sessions

Sun OpenSSO Enterprise session configuration includes:

For other session attributes that you can configure, refer to the OpenSSO Enterprise Console online Help.

Setting Session Quota Constraints

The session quota constraints feature allows OpenSSO Enterprise to limit users to a specific number of active, concurrent sessions. An OpenSSO Enterprise administrator can set session quota constraints at the following levels:

This section describes:

Deployment Scenarios for Session Quota Constraints

The following OpenSSO Enterprise deployments support session quota constraints:

In a session failover deployment, when a user attempts to log in, the OpenSSO Enterprise server receiving the session creation request first retrieves the session quota for the user from the OpenSSO Enterprise identity repository. Then, the OpenSSO Enterprise server fetches the session count for the user directly from the centralized session repository (accumulating all the sessions from all the OpenSSO Enterprise servers within the same site) and checks whether the session quota has been exhausted. If the session quota has been exhausted for the user, the OpenSSO Enterprise server takes action based on the configured session quota constraints options.

If session constraints are enabled in a session failover deployment and the session repository is not available, users (except superuser) are not allowed to log in.

In a session failover deployment, if an OpenSSO Enterprise instance is down, all the valid sessions previously hosted by that instance are still considered to be valid and are counted when the server determines the actual active session count for a given user. An OpenSSO Enterprise multiple server deployment that is not configured for session failover does not support session quota constraints.

Multiple Settings For Session Quotas

If a user has multiple settings for session quotas at different levels, OpenSSO Enterprise follows this precedence to determine the actual quota for the user:

For example, Ken is a member of both the marketing and management roles. Session quotas are defined as follows (all have the same conflict resolution level):

Ken's quota is 3.

Configuring Session Quota Constraints

To configure session quota constraints, the top-level OpenSSO Enterprise administrator (such as amAdmin) must set specific attributes in the OpenSSO Enterprise Console for one of the OpenSSO Enterprise instances in your deployment.

Note –

By default, the COS priority for realm is set to medium, which is a value of 3 in OpenSSO Enterprise. The OpenSSO Console doesn't support changing the priority for realm-level service attributes. The Console supports only changing the priority for role-level service attributes. Therefore, in the OpenSSO Console, you can change the role priority to either higher or lower than the realm priority, to get the session attributes from the either the realm or role level.

ProcedureTo Configure Session Quota Constraints

  1. Log in to OpenSSO Enterprise Console as amAdmin.

  2. Click Configuration, Global and then Session.

  3. On the Session page, set Enable Quota Constraints to ON.

    When this attribute is enabled, OpenSSO Enterprise enforces session quota constraints whenever a user attempts to log in as a new client and create a new session.

  4. On the Session page, for each session attribute, either accept the default value or set a value as required for your deployment.

    If you are configuring session property change notifications , see Configuring Session Property Change Notifications.

    Read Timeout for Quota Constraint

    Specifies the time in milliseconds that an inquiry to the session repository for the active user session counts continues before timing out. If the maximum wait time is reached due to the unavailability of the session repository, the session creation request is rejected. 

    Default: 6000 milliseconds 

    Resulting Behavior If Session Quota Exhausted

    Determines the behavior if a user exhausts the session constraint quota. This attribute takes effect only if Enable Quota Constraints is enabled. Values can be: 

    • DENY_ACCESS. OpenSSO Enterprise rejects the login request for a new session.

    • DESTROY_OLD_SESSION. OpenSSO Enterprise destroys the next expiring existing session for the same user and allows the new login request to succeed.


    Exempt Top-Level Admins From Constraint Checking

    Specifies whether session constraint quotas apply to the administrators who have the Top-level Admin Role. Takes effect only if the Enable Quota Constraints attribute is enabled. 

    Default: NO 

    The super user defined for OpenSSO Enterprise (com.sun.identity.authentication.super.user) is always exempt from session quota constraint checking.

    Deny User Login When Session Repository is Down

    Specifies whether a user can login if the session repository is down. Takes effect only if the Enable Quota Constraints attribute is enabled. 

    Default: NO 

    Maximum Session Time

    Specifies the time in minutes before a session expires and the user must re-authenticate to regain access. To balance the security requirements and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value. 

    Default: 120 minutes 

    Maximum Idle Time

    Specifies the idle time in minutes before a session expires and the user must re-authenticate to regain access. 

    Default: 30 minutes 

    Maximum Caching Time

    Specifies the time in minutes before a session contacts OpenSSO Enterprise to refresh cached session information. It is recommended that the Maximum Caching Time should always be less than the Maximum Idle Time. 

    Default: 3 minutes 

    Active User Sessions

    Specifies the maximum number of concurrent sessions for a user. 

    Default: 5 

  5. When you have finished setting attributes, click Save.

    If you reset any of these attributes, you must restart the server for the new values to take effect.

Configuring Session Property Change Notifications

The session property change notification feature causes OpenSSO Enterprise to send a notification to all registered listeners when a change occurs to a specific session property. This feature takes effect when Enable Property Change Notifications is enabled (ON) in the OpenSSO Enterprise Console.

For example, in a single sign-on (SSO) environment, one OpenSSO Enterprise session can be shared by multiple applications. When a change occurs on a specific session property defined in the “Notification Properties” list, OpenSSO Enterprise sends a notification to all registered listeners.

All client applications participating in the SSO automatically get the session notification if they are configured in the notification mode. The client cached sessions are automatically updated based on the new session state (including the change of any session property, if there is any).

An application that wants to take a specific action based on a session notification can write an implementation of the SSOTokenListener interface and then register the implementation through the SSOToken.addSSOTokenListener method. For more information, see the Sun OpenSSO Enterprise 8.0 Developer’s Guide.

ProcedureTo Configure Session Property Change Notifications

  1. Log in to the OpenSSO Enterprise Console as amAdmin.

  2. Click Configuration, Global and then Session.

  3. On the Session page, set Enable Property Change Notifications to ON.

  4. On the Session page, add properties to the Notification Properties list.

    This list specifies the properties that cause OpenSSO Enterprise to send a notification to registered listeners when a change to a property occurs.

    In New Value, add each property for which you want a notification sent when the property is changed, and then click Add.

  5. When you have finished adding properties to the list, click Save.