Sun Java System Access Manager 7.1 Release Notes

Support for specific application idle session timeout values

Patch 1 allows different applications to have different session idle timeout values. In an enterprise, some applications might require session idle timeout values that are less than the session idle time out specified in the session service. For example, you have specified session the idle timeout value in the session service as 30 minutes, but an HR application should timeout if a user has been idle for more than 10 minutes.

This feature is not currently supported for Distributed Authentication and Cross Domain Single Sign-on scenarios

Requirements to use this feature are:

To use this feature:

For example, consider a policy*, with this Authentication Scheme Condition:

If there are multiple policies defined to protect resources of the HR application, you must add the Condition to all of the policies.

When a user in a distinct session attempts to access the HR application protected by the Access Manager agent, that user is prompted to authenticate for the LDAP scheme (if the user is not yet authenticated).

If the user has already authenticated to the LDAP scheme, that user is allowed access only if the time is less than 10 minutes since the time the last authentication or if the time is less than 10 minutes since that user's last access time to the HR application. Otherwise, the user is prompted to authenticate to the LDAP scheme again to access the application.

The Idle Session Timeout for a realm is configured for the highest value required by all applications. Shorter Idle Session Timeout requirements are enforced by the Policy Condition protecting the appropriate applications. However, if you define explicit "deny" policies to protect the application, it would break this protection. This is because the new the new Condition extends the idle timeout for the application, assuming that the access to the application is allowed if this Condition is satisfied. If the other "deny" policy is satisfied, the user can not access the application.

Application idle timeout of value 0 is treated as Integer.MAX_VALUE for the purposes of idle timeout enforcement.