Chapter 14 Configuring OpenSSO Enterprise Sessions

Sun OpenSSO Enterprise session configuration includes:

• Setting Session Quota Constraints

• Configuring Session Property Change Notifications

For other session attributes that you can configure, refer to the OpenSSO Enterprise Console online Help.

Setting Session Quota Constraints

The session quota constraints feature allows OpenSSO Enterprise to limit users to a specific number of active, concurrent sessions. An OpenSSO Enterprise administrator can set session quota constraints at the following levels:

• Globally. Constraints apply to all users.

• To an entity (organization or realm, role, or user). Constraints apply only to the specific users that belong to the entity.

This section describes:

• Deployment Scenarios for Session Quota Constraints

• Multiple Settings For Session Quotas

• Configuring Session Quota Constraints

Deployment Scenarios for Session Quota Constraints

The following OpenSSO Enterprise deployments support session quota constraints:

• OpenSSO Enterprise single server deployment

  In this scenario, OpenSSO Enterprise is deployed on a single host server. OpenSSO Enterprise maintains the active session counts in memory for all logged in users. When a user attempts to log in to the server, OpenSSO Enterprise checks whether the number of the valid sessions for the user exceeds the session quota and then takes action based on the configured session quota constraints options.

• OpenSSO Enterprise session failover deployment

  In this scenario, multiple instances of OpenSSO Enterprise are deployed on different host servers in a session failover configuration. The OpenSSO Enterprise instances are configured for session failover using Sun Java System Message Queue (Message Queue) as the communications broker and the Oracle Berkeley DB as the session store database. For more information about OpenSSO Enterprise session failover, see Chapter 8, Implementing OpenSSO Enterprise Session Failover.

In a session failover deployment, when a user attempts to log in, the OpenSSO Enterprise server receiving the session creation request first retrieves the session quota for the user from the OpenSSO Enterprise identity repository. Then, the OpenSSO Enterprise server fetches the session count for the user directly from the centralized session repository (accumulating all the sessions from all the OpenSSO Enterprise servers within the same site) and checks whether the session quota has been exhausted. If the session quota has been exhausted for the user, the OpenSSO Enterprise server takes action based on the configured session quota constraints options.

If session constraints are enabled in a session failover deployment and the session repository is not available, users (except superuser) are not allowed to log in.

In a session failover deployment, if an OpenSSO Enterprise instance is down, all the valid sessions previously hosted by that instance are still considered to be valid and are counted when the server determines the actual active session count for a given user. An OpenSSO Enterprise multiple server deployment that is not configured for session failover does not support session quota constraints.

Multiple Settings For Session Quotas

If a user has multiple settings for session quotas at different levels, OpenSSO Enterprise follows this precedence to determine the actual quota for the user:

• user (highest)

• role/organization/realm (based on the conflict resolution levels)

• global (lowest)

For example, Ken is a member of both the marketing and management roles. Session quotas are defined as follows (all have the same conflict resolution level):

• organization - 1

• marketing role - 2

• management role - 4

• user Ken - 3

Ken's quota is 3.

Configuring Session Quota Constraints

To configure session quota constraints, the top-level OpenSSO Enterprise administrator (such as amAdmin) must set specific attributes in the OpenSSO Enterprise Console for one of the OpenSSO Enterprise instances in your deployment.

By default, the COS priority for realm is set to medium, which is a value of 3 in OpenSSO Enterprise. The OpenSSO Console doesn't support changing the priority for realm-level service attributes. The Console supports only changing the priority for role-level service attributes. Therefore, in the OpenSSO Console, you can change the role priority to either higher or lower than the realm priority, to get the session attributes from the either the realm or role level.

To Configure Session Quota Constraints

1. Log in to OpenSSO Enterprise Console as amAdmin.

2. Click Configuration, Global and then Session.

3. On the Session page, set Enable Quota Constraints to ON.

   When this attribute is enabled, OpenSSO Enterprise enforces session quota constraints whenever a user attempts to log in as a new client and create a new session.

4. On the Session page, for each session attribute, either accept the default value or set a value as required for your deployment.

   If you are configuring session property change notifications , see Configuring Session Property Change Notifications.

   Read Timeout for Quota Constraint	Specifies the time in milliseconds that an inquiry to the session repository for the active user session counts continues before timing out. If the maximum wait time is reached due to the unavailability of the session repository, the session creation request is rejected.  Default: 6000 milliseconds
   Resulting Behavior If Session Quota Exhausted	Determines the behavior if a user exhausts the session constraint quota. This attribute takes effect only if Enable Quota Constraints is enabled. Values can be:  DENY_ACCESS. OpenSSO Enterprise rejects the login request for a new session. DESTROY_OLD_SESSION. OpenSSO Enterprise destroys the next expiring existing session for the same user and allows the new login request to succeed. Default: DESTROY_OLD_SESSION
   Exempt Top-Level Admins From Constraint Checking	Specifies whether session constraint quotas apply to the administrators who have the Top-level Admin Role. Takes effect only if the Enable Quota Constraints attribute is enabled.  Default: NO  The super user defined for OpenSSO Enterprise (com.sun.identity.authentication.super.user) is always exempt from session quota constraint checking.
   Deny User Login When Session Repository is Down	Specifies whether a user can login if the session repository is down. Takes effect only if the Enable Quota Constraints attribute is enabled.  Default: NO
   Maximum Session Time	Specifies the time in minutes before a session expires and the user must re-authenticate to regain access. To balance the security requirements and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.  Default: 120 minutes
   Maximum Idle Time	Specifies the idle time in minutes before a session expires and the user must re-authenticate to regain access.  Default: 30 minutes
   Maximum Caching Time	Specifies the time in minutes before a session contacts OpenSSO Enterprise to refresh cached session information. It is recommended that the Maximum Caching Time should always be less than the Maximum Idle Time.  Default: 3 minutes
   Active User Sessions	Specifies the maximum number of concurrent sessions for a user.  Default: 5

5. When you have finished setting attributes, click Save.

   If you reset any of these attributes, you must restart the server for the new values to take effect.

Configuring Session Property Change Notifications

The session property change notification feature causes OpenSSO Enterprise to send a notification to all registered listeners when a change occurs to a specific session property. This feature takes effect when Enable Property Change Notifications is enabled (ON) in the OpenSSO Enterprise Console.

For example, in a single sign-on (SSO) environment, one OpenSSO Enterprise session can be shared by multiple applications. When a change occurs on a specific session property defined in the “Notification Properties” list, OpenSSO Enterprise sends a notification to all registered listeners.

All client applications participating in the SSO automatically get the session notification if they are configured in the notification mode. The client cached sessions are automatically updated based on the new session state (including the change of any session property, if there is any).

An application that wants to take a specific action based on a session notification can write an implementation of the SSOTokenListener interface and then register the implementation through the SSOToken.addSSOTokenListener method. For more information, see the Sun OpenSSO Enterprise 8.0 Developer’s Guide.

To Configure Session Property Change Notifications

1. Log in to the OpenSSO Enterprise Console as amAdmin.

2. Click Configuration, Global and then Session.

3. On the Session page, set Enable Property Change Notifications to ON.

4. On the Session page, add properties to the Notification Properties list.

   This list specifies the properties that cause OpenSSO Enterprise to send a notification to registered listeners when a change to a property occurs.

   In New Value, add each property for which you want a notification sent when the property is changed, and then click Add.

5. When you have finished adding properties to the list, click Save.