November 24, 2017 at 11:54 pm #19709 kpattana (Participant)
We are using AM 5.5.1. Is it possible to set different session parameters (Idle Session TimeOut, Max session Time Out) per policy or policy-set instead of Realm level bi
Kabi

November 25, 2017 at 1:22 pm #19711 Bill Nelson (Participant)
Can you give a little more context on why you are trying to do this? Session parameters can be set globally, within a realm, or even for a specific user. There are other parameters that I would like to see set for a particular application, but I am not aware of a specific use case for wanting to do so at the application level.
bill

November 25, 2017 at 6:04 pm #19712 kpattana (Participant)
Thanks Bill for looking at my questions.
By Application I meant protected web applications. We have a 15 min idle session timeout for a group of high and critical applications (finance.abc.com, payroll.abc.com), while other applications can have a 1 hr idle session timeout. Each application's URL policies have a specific policy/policy-set in OpenAM, but they are all under the same realm. So I am looking for a way to configure policy-specific session management.
You mentioned that session parameters can be set for a specific user. How can this be done?

Kabi

November 28, 2017 at 1:45 pm #19735 Andy Cory (Participant)
To set session parameters for individual users, check out the iplanet-am-session-service. It’s documented by ForgeRock themselves, but this is a good blog on the subject -> http://azlabs.blogspot.co.uk/2015/05/data-store-ldap-user-attributes-and.html
Having different user groups with different timeouts makes sense (admin users vs normal users, maybe), but I’m not sure I understand the logic of doing this on an application basis, even if it could be done (which I doubt). I understand your use case with critical vs regular applications, but trying to have a user’s session behave differently depending on which protected application he hits goes against the principle of single sign-on. What would happen if a user spends 15 idle minutes in one of your critical applications, and therefore hits the idle timeout, and then goes to a non-critical one? Would he still be timed out? Or would the app expect his session to become valid again due to the higher timeout?
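
An added example, not part of the thread or of ForgeRock's documentation, of what a per-user session override can look like as an LDIF change applied with `ldapmodify`. The user DN and the values are constructed placeholders; the object class and attribute names are those of the OpenAM session service schema, which the posts above refer to only by the name iplanet-am-session-service.

```ldif
# Constructed example: the DN, user and values are placeholders.
# Assumes an LDAP data store whose schema already contains the OpenAM
# session service definitions, and whose "LDAP User Attributes" list in
# the data store configuration includes the two attributes set below,
# so that AM actually reads them from the user entry.
dn: uid=finance.admin,ou=people,dc=example,dc=com
changetype: modify
# Drop this first block if the entry already carries the object class;
# otherwise the whole modify is rejected as a duplicate value.
add: objectClass
objectClass: iplanet-am-session-service
-
# Idle timeout for this user's sessions, in minutes.
replace: iplanet-am-session-max-idle-time
iplanet-am-session-max-idle-time: 15
-
# Maximum session lifetime for this user's sessions, in minutes.
replace: iplanet-am-session-max-session-time
iplanet-am-session-max-session-time: 60
```

The override follows the user, not the application: every protected application the user reaches through the same SSO session sees the same 15-minute idle limit.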