The session quota constraints feature allows OpenSSO Enterprise to limit users to a specific number of active, concurrent sessions. An OpenSSO Enterprise administrator can set session quota constraints at the following levels:
Globally. Constraints apply to all users.
To an entity (organization or realm, role, or user). Constraints apply only to the specific users that belong to the entity.
This section describes:
The following OpenSSO Enterprise deployments support session quota constraints:
OpenSSO Enterprise single server deployment
In this scenario, OpenSSO Enterprise is deployed on a single host server. OpenSSO Enterprise maintains the active session counts in memory for all logged-in users. When a user attempts to log in to the server, OpenSSO Enterprise checks whether the number of valid sessions for the user has reached the session quota and then takes action based on the configured session quota constraints options.
OpenSSO Enterprise session failover deployment
In this scenario, multiple instances of OpenSSO Enterprise are deployed on different host servers in a session failover configuration. The OpenSSO Enterprise instances are configured for session failover using Sun Java System Message Queue (Message Queue) as the communications broker and the Oracle Berkeley DB as the session store database. For more information about OpenSSO Enterprise session failover, see Chapter 8, Implementing OpenSSO Enterprise Session Failover.
In a session failover deployment, when a user attempts to log in, the OpenSSO Enterprise server receiving the session creation request first retrieves the session quota for the user from the OpenSSO Enterprise identity repository. Then, the OpenSSO Enterprise server fetches the session count for the user directly from the centralized session repository (accumulating all the sessions from all the OpenSSO Enterprise servers within the same site) and checks whether the session quota has been exhausted. If the session quota has been exhausted for the user, the OpenSSO Enterprise server takes action based on the configured session quota constraints options.
If session constraints are enabled in a session failover deployment and the session repository is not available, users (except superuser) are not allowed to log in.
In a session failover deployment, if an OpenSSO Enterprise instance is down, all the valid sessions previously hosted by that instance are still considered to be valid and are counted when the server determines the actual active session count for a given user. An OpenSSO Enterprise multiple server deployment that is not configured for session failover does not support session quota constraints.
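The following is an added example that models the login-time check described above for a session failover deployment; it is illustrative code, not OpenSSO Enterprise's implementation. The SessionRepository class, the check_login function, the result strings and the SUPERUSER name (taken to be amAdmin, the top-level administrator) are assumptions, and the session records are constructed. The model counts sessions across all servers in the site, keeps counting sessions whose hosting instance is down, fails closed for everyone except the superuser when the store is unreachable, and denies the new login when the quota is exhausted (the real action depends on the configured quota constraints option).

```python
# Added example: a model of the session quota check in a failover deployment.
# Not OpenSSO Enterprise code; names and the deny-on-exhaustion action are
# assumptions used for illustration.

SUPERUSER = "amAdmin"  # assumed name of the superuser exempt from the store-down rule


class SessionRepositoryUnavailable(Exception):
    """The centralized session repository could not be reached."""


class SessionRepository:
    """Constructed stand-in for the centralized session store shared by the site.

    Each record is (session_id, user, hosting_server). Counting accumulates
    sessions from every instance, including ones whose hosting instance is
    currently down, because those sessions are still valid.
    """

    def __init__(self, available=True):
        self.available = available
        self._sessions = []

    def add(self, session_id, user, server):
        if not self.available:
            raise SessionRepositoryUnavailable("session repository is down")
        self._sessions.append((session_id, user, server))

    def count_for(self, user):
        if not self.available:
            raise SessionRepositoryUnavailable("session repository is down")
        return sum(1 for _, u, _ in self._sessions if u == user)


def check_login(user, quota, repo):
    """Decide whether a new session may be created for `user`.

    `quota` is the per-user limit already resolved from the identity repository.
    Returns "ALLOW", "DENY_QUOTA_EXHAUSTED" or "DENY_REPOSITORY_DOWN".
    """
    try:
        active = repo.count_for(user)
    except SessionRepositoryUnavailable:
        # Fail closed: with no reachable store the count is unknown, so only
        # the superuser is let in.
        return "ALLOW" if user == SUPERUSER else "DENY_REPOSITORY_DOWN"
    if active >= quota:
        # Quota exhausted: this model denies; a deployment may instead be
        # configured to take a different action.
        return "DENY_QUOTA_EXHAUSTED"
    return "ALLOW"


def demo():
    """Walk through the scenarios in the text with constructed session data."""
    repo = SessionRepository()
    repo.add("s1", "ken", "sso1")
    repo.add("s2", "ken", "sso2")   # sso2 is treated as down later; still counts
    repo.add("s3", "alice", "sso1")
    results = {}
    results["ken_third"] = check_login("ken", 3, repo)    # 2 active, quota 3
    repo.add("s4", "ken", "sso1")
    results["ken_fourth"] = check_login("ken", 3, repo)   # 3 active, quota 3
    repo.available = False                                # store goes down
    results["ken_store_down"] = check_login("ken", 3, repo)
    results["admin_store_down"] = check_login(SUPERUSER, 3, repo)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point to check in a real deployment is the fail-closed branch: with quota constraints enabled, an outage of the session store becomes a login outage for everyone but the superuser, so the store's availability needs the same monitoring as the OpenSSO instances themselves.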
If a user has multiple settings for session quotas at different levels, OpenSSO Enterprise follows this precedence to determine the actual quota for the user:
user (highest)
role/organization/realm (based on the conflict resolution levels)
global (lowest)
For example, Ken is a member of both the marketing and management roles. Session quotas are defined as follows (all have the same conflict resolution level):
organization - 1
marketing role - 2
management role - 4
user Ken - 3
Ken's quota is 3.
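The following is an added example, not code from OpenSSO Enterprise, that resolves a user's effective quota by the precedence above and reproduces the Ken example. It assumes a numeric conflict resolution scale in which a lower value means higher priority, with the realm default Medium = 3 as stated later in this section; the QuotaSetting and resolve_quota names, the global value of 5, and the choice to report a tie between entity settings at the same level as an error (rather than guess which one OpenSSO would pick) are assumptions.

```python
# Added example: effective session quota resolution. Illustrative only; the
# priority scale (lower value wins, Medium = 3), the tie handling and the
# global quota of 5 are assumptions, not OpenSSO Enterprise behaviour.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MEDIUM = 3  # default COS priority for the realm level


class AmbiguousQuota(Exception):
    """Two or more entity settings share the winning conflict resolution level."""


@dataclass(frozen=True)
class QuotaSetting:
    source: str   # e.g. "organization", "role:marketing"
    quota: int
    level: int    # conflict resolution level; lower value = higher priority


def resolve_quota(user_quota: Optional[int],
                  entity_settings: List[QuotaSetting],
                  global_quota: int) -> Tuple[int, str]:
    """Return (effective quota, source) for a user.

    Precedence: user setting, then the entity setting with the best conflict
    resolution level, then the global value.
    """
    if user_quota is not None:
        return user_quota, "user"
    if entity_settings:
        best = min(s.level for s in entity_settings)
        winners = [s for s in entity_settings if s.level == best]
        if len(winners) > 1:
            # The page does not state a tie-break; surface it so the admin can
            # separate the priorities instead of relying on an unknown rule.
            raise AmbiguousQuota(", ".join(s.source for s in winners))
        return winners[0].quota, winners[0].source
    return global_quota, "global"


def ken_examples():
    """The example from the text plus variations with constructed values."""
    org = QuotaSetting("organization", 1, MEDIUM)
    marketing = QuotaSetting("role:marketing", 2, MEDIUM)
    management = QuotaSetting("role:management", 4, MEDIUM)
    out = {}
    # As in the text: every level at the same priority, user setting present.
    out["with_user_setting"] = resolve_quota(3, [org, marketing, management], 5)
    # No user setting; management role raised above the realm priority.
    mgmt_raised = QuotaSetting("role:management", 4, MEDIUM - 1)
    out["management_raised"] = resolve_quota(None, [org, marketing, mgmt_raised], 5)
    # No user or entity settings: fall back to the global value.
    out["global_only"] = resolve_quota(None, [], 5)
    # No user setting and all entities tied at Medium.
    try:
        resolve_quota(None, [org, marketing, management], 5)
        out["tied"] = "resolved"
    except AmbiguousQuota:
        out["tied"] = "ambiguous"
    return out


if __name__ == "__main__":
    for name, result in ken_examples().items():
        print(name, result)
```

Removing the user-level setting and raising the management role's priority above the realm's is the same lever the Console exposes for role-level attributes, so the "management_raised" case shows what that change does to the effective quota.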
To configure session quota constraints, the top-level OpenSSO Enterprise administrator (such as amAdmin) must set specific attributes in the OpenSSO Enterprise Console for one of the OpenSSO Enterprise instances in your deployment.
By default, the COS priority for the realm level is set to medium, which is a value of 3 in OpenSSO Enterprise. The OpenSSO Console does not support changing the priority for realm-level service attributes; it supports changing the priority only for role-level service attributes. Therefore, in the OpenSSO Console, you can set the role priority either higher or lower than the realm priority to have the session attributes taken from either the role level or the realm level.
Log in to OpenSSO Enterprise Console as amAdmin.
Click Configuration, Global and then Session.
On the Session page, set Enable Quota Constraints to ON.
When this attribute is enabled, OpenSSO Enterprise enforces session quota constraints whenever a user attempts to log in as a new client and create a new session.
On the Session page, for each session attribute, either accept the default value or set a value as required for your deployment.
If you are configuring session property change notifications, see Configuring Session Property Change Notifications.
When you have finished setting attributes, click Save.
If you change any of these attributes, you must restart the server for the new values to take effect.