Federation Guides › Legacy Federation Guide › Configure a SAML 1.x Producer › Setting Up Sessions for a SAML Affiliate Agent Consumer (optional)

Setting Up Sessions for a SAML Affiliate Agent Consumer (optional)

To configure sessions for a site using the SAML Affiliate Agent as the consumer, be aware of the following information:

• Session management is configured only if the SAML Affiliate Agent is acting as a SAML consumer. The SAML credential collector does not support this feature.
• The SAML Affiliate Agent does not support the SAML POST profile. Sessions can only be used with the SAML artifact profile.

Session management between a producer and a SAML Affiliate Agent can be handled in one of three ways:

Default

Producer and SAML Affiliate Agent maintain separate sessions.

Both the producer and the SAML Affiliate Agent establish sessions for the user. If a user idles out or the user reaches a timeout at the producer, the SAML Affiliate Agent is not notified. The same is true for a session that expires at the SAML Affiliate Agent.

Active

An active session is required at the producer.

Both the producer and SAML Affiliate Agent establish sessions. An active session is required at the producer for the SAML Affiliate Agent session to stay active. Producer sessions can remain active after a SAML Affiliate Agent session is terminated.

Shared

Producer and SAML Affiliate Agent maintain shared sessions.

If the SAML Affiliate Agent has implemented a shared-session model, the producer and the SAML Affiliate Agent can maintain a shared session. If the producer session expires or the user logs out at either site, the producer or the SAML Affiliate Agent terminate the sessions.

Note: For more information about session management, see the SAML Affiliate Agent Guide.

Configure a Default or Active Session Model

For the Default and Active session models, no specific configuration is required at the Producer. The configuration takes place at the SAML Affiliate Agent.

Configure a Shared Session Model

Shared sessions require a few steps to configure.

Follow these steps:

1. Navigate to Assertion settings.
2. Select the Shared Sessioning check box in the Session section.
3. Enter a value in the Sync Interval Second(s) field.

Sharing session information between the Producer and the SAML Affiliate Agent is enabled.

More Information:

Set the Sync Interval for Shared Sessions

Set the Sync Interval for Shared Sessions

The sync interval defines the frequency at which the SAML Affiliate Agent contacts the producer to validate session status. The SAML Affiliate Agent learns the value of the sync interval from the assertion.

The sync interval helps ensure that the information at the session store and the information in the SAML Affiliate Agent is synchronized. For example, imagine that the sync interval is 2 minutes, and the user logs out at the producer at 4:00PM. The consumer session cookies do not become invalid until 4:02PM.

Note: The SAML Affiliate Agent does not automatically contact the producer only because of the value of the sync interval. The user has to be active at the consumer--that is, the user is requesting consumer resources.

Two factors affect the value of Sync Interval:

• If the value of Sync Interval is too small, the SAML Affiliate Agent keeps calling the session store. The continual calls slow down performance.
• The value must not be larger than 1/2 the lowest Idle Timeout Enabled value that is set for the realm where the user logs in. The Idle Timeout Enabled field is part of the session configuration for the realm.

Note: If the user visits the SAML Affiliate Agent before logging in at the producer, the user is redirected to a URL at the producer. This URL is referred to as the PortalQueryURL.