Enforce Timeouts across Multiple Realms

User session timeouts are governed by the realm that the user first logs into. If a user enters a new realm through single sign-on, the time-out values for the new realm are still governed by the session that was established by the initial login at the first realm. If you have different time-out values for different realms, and you want to have each realm use its own time-out values, you can override the time-outs of the original realm.

A user who has already timed out cannot log in to another realm without being rechallenged. For example, if the Idle Timeout in Realm1 is 15 minutes and the Idle Timeout in Realm2 is 30 minutes, a user who accumulates 20 idle minutes in Realm1 will be challenged upon logging in to Realm2.

To override the time-outs of the original realm, configure your Web Agent and realms as described in the following process:

  1. Set the value of the EnforceRealmTimeouts parameter to yes.
  2. Use the Administrative UI to do the following tasks:
    1. For each realm where you want to supersede the original time-outs (any realm that SSO functionality allows the user to access), do the following:
      • To override the Maximum Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Max-Timeout response attribute.
      • To override the Idle Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute.
    2. Bind each of the previous responses to an OnAuthAccept rule.

    Note: For information about creating responses, see the Policy Server Configuration Guide.
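
The following Python is an added example, not part of the product documentation or any vendor tool. It checks a realm inventory against the procedure above and reports realms whose own time-outs would not take effect under single sign-on. The dictionary layout, the `audit` function, the rule names and the Maximum Timeout values are assumptions made for illustration; only the parameter name, the two response attribute names, the OnAuthAccept rule and the 15/30 minute idle values come from this page.

```python
IDLE = "WebAgent-OnAuthAccept-Session-Idle-Timeout"
MAX = "WebAgent-OnAuthAccept-Session-Max-Timeout"


def audit(agent_params, realms):
    """Return findings for realms whose own time-outs would not be enforced."""
    findings = []
    # Step 1: the Web Agent parameter must be set to yes.
    if agent_params.get("EnforceRealmTimeouts", "no").lower() != "yes":
        findings.append("agent: EnforceRealmTimeouts is not yes")
    for key, attr in (("idle_min", IDLE), ("max_min", MAX)):
        # Heuristic: if every realm shares one value, the session from the
        # first login already carries it and no override is needed.
        if len({r[key] for r in realms}) < 2:
            continue
        for r in realms:
            # Step 2: only responses bound to an OnAuthAccept rule count.
            bound = {a for rule in r["rules"] if rule["action"] == "OnAuthAccept"
                     for a in rule["responses"]}
            if attr not in bound:
                findings.append(f"{r['name']}: {attr} not bound to an OnAuthAccept rule")
    return findings


# Constructed sample. Realm1 has the idle response attached to the wrong rule.
SAMPLE_REALMS = [
    {"name": "Realm1", "idle_min": 15, "max_min": 120,
     "rules": [{"name": "r1-get", "action": "GET", "responses": [IDLE]}]},
    {"name": "Realm2", "idle_min": 30, "max_min": 120,
     "rules": [{"name": "r2-accept", "action": "OnAuthAccept", "responses": [IDLE]}]},
]

if __name__ == "__main__":
    for finding in audit({"EnforceRealmTimeouts": "no"}, SAMPLE_REALMS):
        print(finding)
```
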