Session

The Session service defines values for an authenticated user session such as maximum session time and maximum idle time. The Session attributes are global, dynamic, or user attributes. The attributes are:

• Secondary Configuration Instance

• Maximum Number of Search Results

• Timeout for Search

• Enable Property Change Notifications

• Enable Quota Constraints

• Read Timeout for Quota Constraint

• Exempt Top-Level Admins From Constraint Checking

• Resulting Behavior If Session Quota Exhausted

• Deny User Login When Session Repository is Down

• Notification Properties

• Enable Session Trimming

• Maximum Session Time

• Maximum Idle Time

• Maximum Caching Time

• Active User Sessions

Secondary Configuration Instance

Provides the connection information for the session repository used for the session failover functionality in OpenSSO Enterprise. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart.

To Add a Sub Configuration

1. Click New in the Secondary Configuration Instance list.

2. Enter a name for the new Sub Configuration.

3. Enter data for the following fields:

   Session Store User

   Defines the database user who is used to retrieve and store the session data.

   Session Store Password

   Defines the password for the database user defined in Session Store.

   Session Store Password (Confirm)

   Confirm the password.

   Maximum Wait Time

   Defines the total time a thread is willing to wait for acquiring a database connection object. The value is in milliseconds.

   Database URL

   Specifies the URL of the database.

4. Click Add.

Maximum Number of Search Results

This attribute specifies the maximum number of results returned by a session search. The default value is 120.

Timeout for Search

This attributed defines the maximum amount of time before a session search terminates. The default value is 5 seconds.

Enable Property Change Notifications

Enables or disables the feature session property change notification. In a single sign-on environment, one OpenSSO Enterprise session can be shared by multiple applications. If this feature is set to ON, if one application changes any of the session properties specified in the Notification Properties list (defined as a separate session service attribute), the notification will be sent to other applications participating in the same single sign-on environment.

Enable Quota Constraints

Enables or disables session quota constraints. The enforcement of session quota constraints enables administrators to limit a user to have a specific number of active/concurrent sessions based on the constraint settings at the global level, or the configurations associated with the entities (realm/role/user) to which this particular user belongs.

The default setting for this attribute is OFF. You must restart the server if the settings are changed.

Read Timeout for Quota Constraint

Defines the amount of time (in number of milliseconds) that an inquiry to the session repository for the live user session counts will continue before timing out.

After the maximum read time is reached, an error is returned. This attribute will take effect only when the session quota constraint is enabled in the session failover deployment. The default value is 6000 milliseconds. You must restart the server if the settings are changed.

Exempt Top-Level Admins From Constraint Checking

Specifies whether the users with the Top-level Admin Role should be exempt from the session constraint checking. If YES, even though the session constraint is enabled, there will be no session quota checking for these administrators.

The default setting for this attribute is NO. You must restart the server if the settings are changed. This attribute will take effect only when the session quota constraint is enabled.

Resulting Behavior If Session Quota Exhausted

Specifies the resulting behavior when the user session quota is exhausted. There are two selectable options for this attribute:

DESTROY_OLD_SESSION

The next expiring session will be destroyed.

DENY_ACCESS

The new session creation request will be denied.

This attribute will take effect only when the session quota constraint is enabled and the default setting is DESTROY_OLD_SESSION .

Deny User Login When Session Repository is Down

If set to YES, this attribute will enforce user lockout to the server when the session repository is down. This attribute takes effect only when the session Enable Quota Constrain is selected.

Notification Properties

When a change occurs on a session property defined in the list, the notification will be sent to the registered listeners. The attribute will take effect when the feature of Session Property Change Notification is enabled.

Enable Session Trimming

When set to YES, a minimum set of session properties are stored by the server between the session timeout and purge delay states. This is used to improve memory performance. The following properties are stored:

• loginURL

• SessionTimedOut

• SAML2IDPSessionIndex

• SAML2IDPSessionIndex

If set to OFF, then all session-related attributes are stored by OpenSSO Enterprise after a session timeout.

Maximum Session Time

This attribute accepts a value in minutes to express the maximum time before the session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 120. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.) Max Session Time limits the validity of the session. It does not get extended beyond the configured value.

Maximum Idle Time

This attribute accepts a value (in minutes) equal to the maximum amount of time without activity before a session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 30. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.)

Maximum Caching Time

This attribute accepts a value (in minutes) equal to the maximum interval before the client contacts OpenSSO Enterprise to refresh cached session information. A value of 0 or higher will be accepted. The default value is 3. It is recommended that the maximum caching time should always be less than the maximum idle time.

Active User Sessions

Specifies the maximum number of concurrent sessions allowed for a user.