The shared session model lets a consumer share a single session with the producer. This gives users a seamless session when they access resources at the producer and at the consumer, because information about the users' activities and logouts is transmitted between the producer and the consumer.
With a shared session model, a central session for the user is created and stored at the producer. The consumer interacts with the producer to determine whether the session is valid or whether it has to be terminated. For the consumer and the producer to share a session, the consumer must periodically go back to the producer to check that the session is active. The frequency that the consumer checks for an active session is configurable and depends on the security relationship between the producer and consumer.
When shared sessions are used, sessions on the affiliate expire after all of the following time intervals elapse:
Shared sessions offer the following benefits:
Allows users to log out from any consumer or from the producer. If a user logs out at one consumer while the session is still valid at other consumers, the user's session at the producer is terminated. When the user visits other consumers, the user is rechallenged for credentials. This establishes an additional level of security across domains in a federated network.
Allows access to a resource at the consumer or the producer, with the session remaining active until the MaxTimeoutEnabled value set at the producer is exceeded. This value is set in a realm's session properties.
Each time the consumer checks for an active session, SiteMinder updates the time stamp at the producer so that the producer does not log the user out. The session server checks the timestamp and terminates any sessions that have expired. This improves the user experience because users do not have to reauthenticate often.
If the producer tells the consumer that the session is not valid, then the user must log back in and be reauthenticated.
Persistent sessions are validated by the Policy Server only when the Validation Period (Drift) value is greater than zero but less than the idle timeout period. In that case the Web Agent does not redirect the user to the idle timeout URL: the user is rechallenged without being redirected to the idle timeout URL.
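The following is an added example, not CA SiteMinder code, that models the shared session behaviour described above: the producer owns the session and its timestamps, each consumer validates against the producer on a configurable validation period, a logout at any consumer terminates the central session, and idle and maximum timeouts are enforced at the producer. The class and parameter names (Producer, Consumer, idle_timeout, max_timeout, validation_period) are assumptions for illustration, as is the simplification that a consumer trusts its last verdict until the validation period elapses; times are passed in explicitly so the model runs deterministically.

```python
# Added example (not SiteMinder code): toy model of a shared session between
# a producer and several consumers. All names and timeouts are assumptions.
from dataclasses import dataclass
from typing import Dict
import secrets


@dataclass
class ProducerSession:
    user: str
    created: float      # when the session was established at the producer
    last_seen: float    # refreshed on every successful consumer validation
    active: bool = True


class Producer:
    """Central session store; the single source of truth for validity."""

    def __init__(self, idle_timeout: float, max_timeout: float) -> None:
        self.idle_timeout = idle_timeout   # assumed: idle limit in seconds
        self.max_timeout = max_timeout     # assumed: absolute limit in seconds
        self._sessions: Dict[str, ProducerSession] = {}

    def create_session(self, user: str, now: float) -> str:
        sid = secrets.token_hex(16)  # constructed, unguessable session id
        self._sessions[sid] = ProducerSession(user, now, now)
        return sid

    def validate(self, sid: str, now: float) -> bool:
        """Consumer check-in. Expired or terminated sessions report False."""
        s = self._sessions.get(sid)
        if s is None or not s.active:
            return False
        if now - s.created > self.max_timeout or now - s.last_seen > self.idle_timeout:
            s.active = False          # session server terminates expired sessions
            return False
        s.last_seen = now             # refresh so the producer does not idle the user out
        return True

    def terminate(self, sid: str) -> None:
        s = self._sessions.get(sid)
        if s is not None:
            s.active = False


class Consumer:
    """A consumer site; trusts its last verdict for at most validation_period."""

    def __init__(self, name: str, producer: Producer, validation_period: float) -> None:
        self.name = name
        self.producer = producer
        self.validation_period = validation_period
        self._last_validated: Dict[str, float] = {}

    def access(self, sid: str, now: float) -> bool:
        """True if the request may proceed, False if the user must log in again."""
        last = self._last_validated.get(sid)
        # Assumed modelling of the drift rule: a cached verdict is only reused
        # when the period is positive and shorter than the producer's idle timeout.
        cache_ok = 0 < self.validation_period < self.producer.idle_timeout
        if last is not None and cache_ok and now - last < self.validation_period:
            return True               # no round trip to the producer this time
        ok = self.producer.validate(sid, now)
        if ok:
            self._last_validated[sid] = now
        else:
            self._last_validated.pop(sid, None)   # user is rechallenged
        return ok

    def logout(self, sid: str) -> None:
        """Logout at this consumer ends the central session for everyone."""
        self.producer.terminate(sid)
        self._last_validated.pop(sid, None)


if __name__ == "__main__":
    producer = Producer(idle_timeout=600, max_timeout=3600)
    a = Consumer("a", producer, validation_period=60)
    b = Consumer("b", producer, validation_period=60)
    sid = producer.create_session("alice", now=0)
    print(a.access(sid, 30), b.access(sid, 500), a.access(sid, 1050))  # activity at b keeps a alive
    print(a.access(sid, 1700))                                         # idle at the producer: False
```

The cached verdict is the point to watch: after a logout at one consumer, another consumer keeps honouring the session until its validation period elapses, which is why the text says the check frequency depends on the security relationship between producer and consumer; a shorter period tightens that window at the cost of more round trips.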
Copyright © 2011 CA. All rights reserved.