Application Specific Session time out

This topic contains 3 replies, has 3 voices, and was last updated by  Andy Cory 2 weeks, 2 days ago.

  • #19709
     kpattana 
    Participant

    We are using AM 5.5.1 . Is it possible to set different session parameters (Idle Session TimeOut, Max session Time Out) per policy or policy-set instead of Realm level bi

    Thanks,
    Kabi

    #19711
     Bill Nelson 
    Participant

    Hi @kpattana,

    Can you give a little more context on why you are trying to do this? Session parameters can be set globally, within a realm, or even for a specific user. There are other parameters that I would like to see set for a particular application, but I am not aware of a specific use case for wanting to do so at the application level.

    Thanks,

    bill

    #19712
     kpattana 
    Participant

    Thanks Bill for looking at my questions.

    By Application I meant protected web applications. We have a 15 min idle session timeout for a group of high and critical applications (finance.abc.com, payroll.abc.com), while other applications can have a 1 hr idle session timeout. Each application's URL policies have a specific policy/policy-set in OpenAM, but they are all under the same realm. So I'm looking for a way to configure policy-specific session management.

    You mentioned that session parameters can be set for a specific user. How can this be done?

    Thanks,
    Kabi

    #19735
     Andy Cory 
    Participant

    Hi Kabi,

    To set session parameters for individual users, check out the iplanet-am-session-service. It’s documented by ForgeRock themselves, but this is a good blog on the subject -> http://azlabs.blogspot.co.uk/2015/05/data-store-ldap-user-attributes-and.html

    Having different user groups with different timeouts makes sense (admin users vs normal users, maybe), but I'm not sure I understand the logic of doing this on an application basis, even if it could be done (which I doubt). I understand your use case with critical vs regular applications, but trying to have a user's session behave differently depending on which protected application he hits goes against the principle of single sign-on. What would happen if a user spends 15 idle minutes in one of your critical applications, and therefore hits the idle timeout, and then goes to a non-critical one? Would he still be timed out? Or would the app expect his session to become valid again due to the higher timeout?

    -Andy
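The per-user approach Andy points at works by adding the iplanet-am-session-service object class to the user's entry in the AM user data store and setting the session attributes on that entry. The LDIF below is an added example, not code from the thread or from ForgeRock's documentation: the user DN and base DN are placeholders for your own directory, and the attribute names and minute-based units are what this editor knows OpenAM to use, so verify them against your AM 5.5.1 schema before applying.

```ldif
# Added example: give one user a 15-minute idle timeout and a 60-minute
# maximum session lifetime by setting per-user session attributes.
# DN is a placeholder; all values are in minutes.
dn: uid=kabi,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: iplanet-am-session-service
-
replace: iplanet-am-session-max-idle-time
iplanet-am-session-max-idle-time: 15
-
replace: iplanet-am-session-max-session-time
iplanet-am-session-max-session-time: 60
-
replace: iplanet-am-session-max-caching-time
iplanet-am-session-max-caching-time: 3
```

Apply it with ldapmodify against the user store (for example `ldapmodify -h ds-host -p 1389 -D "cn=Directory Manager" -w - -f session-timeouts.ldif`); if the entry already carries the object class, drop the `add: objectClass` change or the modify fails. The new values take effect for sessions created after the change, so have the user log out and back in, and confirm the result by reading the session's idle and max times from the AM console's Sessions page. Because this is a property of the user rather than the application, it keeps the single-sign-on semantics Andy describes: the shorter idle timeout applies to the whole SSO session regardless of which protected application the user last touched, which is the safer behaviour for users who can reach the finance and payroll applications.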
