server/session

Specifies the configuration for client sessions.

Properties

| Name | Type | Constraints | Description |
| --- | --- | --- | --- |
| cookie_name | string | Default value: PD-S-SESSION-ID | The name of the session cookie presented to clients. |
| max_sessions | number | Minimum: 1; Maximum: unlimited; Default value: 4096 | The maximum number of concurrent sessions. |
| timeout | number | Minimum: 0; Maximum: unlimited; Default value: 3600 | The maximum lifetime (in seconds) for a session. If set to 0, sessions have no maximum lifetime; however, once max_sessions is reached, sessions are reaped using a least-recently-used algorithm. |
| inactive_timeout | number | Minimum: 0; Maximum: unlimited; Default value: 600 | The maximum time (in seconds) a session can remain inactive before it is expired. If set to 0, sessions have no maximum inactive lifetime. |
| permit_user_switching | boolean | Values: true or false; Default value: false | During an obligated re-authentication, depending on the policy and identity provider, a different user credential may be returned to the application gateway. By default, the application gateway will not accept a credential if the user name does not match the user for whom the session was originally established. Use this entry to change the behaviour and allow the application gateway to accept a credential containing a different user name during re-authentication. |
| redis | redis | | The distributed session configuration; see server/session/redis. |

server/session/redis

Specifies the configuration for distributed sessions using a Redis environment.

Properties

| Name | Type | Constraints | Description |
| --- | --- | --- | --- |
| key_prefix | string | | The key prefix for all data which is stored on the Redis server. |
| default_collection | string | | The name of the default collection of Redis servers to be used. |
| client_list_cache_lifetime | number | Minimum: 0; Maximum: unlimited; Default value: 10 | The server needs to manually delete stale entries from the Redis cache during session creation and idle timeout events. In order to delete the stale entries it needs an up-to-date list of active clients of the Redis server (obtained using the CLIENT LIST Redis command). Depending on the number of clients registered with the Redis server, this command can be expensive, so IAG caches and reuses the returned list of clients for a short period of time. This configuration entry controls the length of time, in seconds, that a client list is cached. |
| concurrent_sessions | concurrent_sessions | | See server/session/redis/concurrent_sessions. |
| collections | Array of collections | | See server/session/redis/collections[]. |

server/session/redis/concurrent_sessions

Specifies the configuration information associated with the tracking and management of concurrent user sessions.

Properties

| Name | Type | Constraints | Description |
| --- | --- | --- | --- |
| enabled | boolean | Values: true or false; Default value: true | Is concurrent user session tracking and management enabled? |
| prompt_for_displacement | boolean | Values: true or false; Default value: true | If enabled, the gateway prompts users before automatically displacing existing sessions with the same user identity. If disabled, the gateway automatically logs out the existing user session. |
| max_user_sessions | number | Minimum: -1; Maximum: unlimited; Default value: 0 | The maximum number of concurrent sessions which are allowed for a single user. A value of 0 indicates that an unlimited number of sessions are allowed, and a value of -1 indicates that only a single session is allowed for the user and that any existing sessions will be displaced by the new session. The maximum number of user sessions for a particular session can also be defined using the tagvalue_max_concurrent_web_sessions attribute of the credential. |
| user_identity_attribute_name | string | Default value: AZN_CRED_PRINCIPAL_NAME | The name of the credential attribute which holds the unique user identity for the session. If the configured attribute does not exist in the credential, the default user identity of unknown is used. |
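The following is an added illustration, not IAG code, of how the rules in the server/session and concurrent_sessions tables interact: a toy in-memory session store that applies timeout, inactive_timeout, the max_sessions least-recently-used cap, and the max_user_sessions / prompt_for_displacement semantics. The class and method names, the injectable clock and the session ids are assumptions; IAG keeps its sessions in Redis, which is not modelled here.

```python
import time
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class SessionPolicy:
    """Subset of server/session and concurrent_sessions settings (documented defaults)."""
    max_sessions: int = 4096              # hard cap on concurrent sessions (minimum 1)
    timeout: int = 3600                   # max lifetime in seconds, 0 = unlimited
    inactive_timeout: int = 600           # idle limit in seconds, 0 = unlimited
    max_user_sessions: int = 0            # 0 = unlimited, -1 = single session, N = at most N
    prompt_for_displacement: bool = True  # True: the user must confirm before displacement


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class DisplacementRequired(Exception):
    """Raised when the per-user limit is hit and the policy requires a prompt first."""


class SessionStore:
    """Toy in-memory store (assumption: stands in for the Redis-backed store)."""

    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock              # injectable so tests are deterministic
        self.sessions = OrderedDict()   # id -> Session; first entry is least recently used
        self._next_id = 0

    def _expired(self, s, now):
        p = self.policy
        if p.timeout and now - s.created >= p.timeout:
            return True
        return bool(p.inactive_timeout) and now - s.last_seen >= p.inactive_timeout

    def reap_expired(self):
        """Drop sessions past their lifetime or idle limit; returns the dropped ids."""
        now = self.clock()
        dead = [sid for sid, s in self.sessions.items() if self._expired(s, now)]
        for sid in dead:
            del self.sessions[sid]
        return dead

    def user_sessions(self, user):
        """Ids of the user's sessions, least recently used first."""
        return [sid for sid, s in self.sessions.items() if s.user == user]

    def create(self, user, confirmed=False):
        """Create a session for user; returns (new_id, ids displaced to make room)."""
        self.reap_expired()
        p = self.policy
        displaced = []
        limit = 1 if p.max_user_sessions == -1 else p.max_user_sessions  # 0 = unlimited
        existing = self.user_sessions(user)
        if limit and len(existing) >= limit:
            if p.prompt_for_displacement and not confirmed:
                raise DisplacementRequired(f"{user} already has {len(existing)} session(s)")
            for sid in existing[: len(existing) - limit + 1]:   # least recently used first
                del self.sessions[sid]
                displaced.append(sid)
        while len(self.sessions) >= p.max_sessions:             # global LRU cap
            sid, _ = self.sessions.popitem(last=False)
            displaced.append(sid)
        now = self.clock()
        sid = f"sess-{self._next_id}"
        self._next_id += 1
        self.sessions[sid] = Session(user, now, now)
        return sid, displaced

    def touch(self, sid):
        """Record activity on a session; returns False if it is gone or has expired."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        now = self.clock()
        if self._expired(s, now):
            del self.sessions[sid]
            return False
        s.last_seen = now
        self.sessions.move_to_end(sid)
        return True
```

With timeout set to 0 and inactive_timeout set to 0 the only thing that ever removes a session in this model is the max_sessions cap, which is exactly the situation the timeout description warns about.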

server/session/redis/collections[]

Used to define the configuration for a collection of replicated Redis servers.

Properties

| Name | Type | Constraints | Description |
| --- | --- | --- | --- |
| name | string | | The name of the Redis collection. |
| matching_host | string | | Any specific hosts (obtained from the Host header of the HTTP request) for which this collection should be used. |
| max_pooled_connections | number | Minimum: 0; Maximum: unlimited; Default value: 50 | The maximum number of pooled connections to a Redis server. |
| idle_timeout | number | Minimum: 0; Maximum: unlimited; Default value: 10 | The maximum number of seconds a pooled connection can remain idle before the connection is closed. |
| connect_timeout | number | Minimum: 0; Maximum: unlimited; Default value: 2 | The maximum number of seconds to wait for a connection to be established with a Redis server. |
| io_timeout | number | Minimum: 0; Maximum: unlimited; Default value: 30 | The maximum number of seconds to wait for a valid response from a Redis server. |
| health_check_interval | number | Minimum: 1; Maximum: unlimited; Default value: 10 | The interval (in seconds) between health check requests sent to the Redis server. |
| cross_domain_support | cross_domain_support | | See server/session/redis/collections[]/cross_domain_support. |
| servers | Array of servers | | See server/session/redis/collections[]/servers[]. |

server/session/redis/collections[]/cross_domain_support

Specifies the configuration information associated with the sharing of sessions across multiple DNS domains.

Properties

| Name | Type | Constraints | Description |
| --- | --- | --- | --- |
| master_authn_server_url | string | | The base URL of the master authentication server for this collection of Redis servers. The master authentication server, if specified, is responsible for the generation of all new sessions for this collection. The entry should be of the format: http{s}://server{:port}. |
| master_session_code_lifetime | number | Minimum: 1; Maximum: unlimited; Default value: 30 | The maximum number of seconds that a session code, used when communicating the session information from the master authentication server, remains valid. |

server/session/redis/collections[]/servers[]

Used to define the configuration for the individual Redis servers within the collection.

Properties

| Name | Type | Constraints | Description |
| --- | --- | --- | --- |
| name | string | | A label, or name, which is used to identify this server. |
| host | string | | The server name or IP address of the Redis server. |
| port | number | Minimum: 1; Maximum: unlimited; Default value: 6379 | The port on which the Redis server is listening for requests. |
| username | string | | The name of the user which is used when authenticating to the Redis server. |
| password | string | | The password which is used to access the Redis server. |
| ssl | ssl | | See server/session/redis/collections[]/servers[]/ssl. |

server/session/redis/collections[]/servers[]/ssl

The SSL information associated with the Redis server.

Properties

| Name | Type | Constraints | Description |
| --- | --- | --- | --- |
| trust_certificates | Array of string | | The PEM based certificates which are to be trusted when communicating with the Redis server. The trusted certificates should include the CA certificate for the Redis server certificate, as well as any intermediate certificates used to sign the client certificate (if mutual authentication is in use). SSL/TLS will not be used when communicating with the Redis server if no trust certificates are specified. |
| client_certificate | Array of string | | The PEM based personal certificate files which will be used when performing mutual authentication with the resource server. These certificate files should include the private key, a certificate signed with the private key, and the signer certificate or signer certificate chain (if required). |
| sni | string | | The Server Name Indication (SNI) value which is provided when establishing the SSL connection with the Redis server. |

Example

server:
  session:
    cookie_name: sess_cookie
    max_sessions: 20
    timeout: 600
    inactive_timeout: 100
    redis:
      key_prefix: "iag-"
      default_collection: test-collection
      client_list_cache_lifetime: 10

      concurrent_sessions:
        enabled: true
        prompt_for_displacement: true
        max_user_sessions: 15
        user_identity_attribute_name: AZN_CRED_PRINCIPAL_NAME

      collections:
        - name: "test-collection"
          matching_host: "www.webseal.ibm.com"
          max_pooled_connections: 50
          idle_timeout: 10
          connect_timeout: 2
          io_timeout: 30
          health_check_interval: 15
          cross_domain_support:
            master_authn_server_url: "https://mas.ibm.com"
            master_session_code_lifetime: 30
          servers:
            - name: "redis-a"
              host: "redis-a.ibm.com"
              port: 6379
              username: "testuser"
              password: "passw0rd"
              ssl:
                trust_certificates:
                  - "@redis-ca.crt"
                client_certificate:
                  - "@cert.crt"
                  - "@cert.key"
                sni: "redis-a.ibm.com"
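As an added example (not part of IAG or this page's own material), the following lint walks the configuration above, held here as a Python dict constructed from the YAML example, and reports settings that violate the documented constraints or weaken the deployment: numeric values below their stated minimums, a default_collection that names no collection, a master_authn_server_url that is not of the form http{s}://server{:port}, both timeouts set to 0 (sessions then only leave through the max_sessions LRU cap), and a Redis server without trust_certificates, which per the ssl table means no TLS and therefore a username and password sent in clear text. The function names, the EXAMPLE dict and the set_path helper are assumptions for this example.

```python
import copy
import re

# Constructed from the YAML example on this page; not a real deployment.
EXAMPLE = {"server": {"session": {
    "cookie_name": "sess_cookie", "max_sessions": 20, "timeout": 600, "inactive_timeout": 100,
    "redis": {
        "key_prefix": "iag-", "default_collection": "test-collection",
        "client_list_cache_lifetime": 10,
        "concurrent_sessions": {"enabled": True, "prompt_for_displacement": True,
                                "max_user_sessions": 15,
                                "user_identity_attribute_name": "AZN_CRED_PRINCIPAL_NAME"},
        "collections": [{
            "name": "test-collection", "matching_host": "www.webseal.ibm.com",
            "max_pooled_connections": 50, "idle_timeout": 10, "connect_timeout": 2,
            "io_timeout": 30, "health_check_interval": 15,
            "cross_domain_support": {"master_authn_server_url": "https://mas.ibm.com",
                                     "master_session_code_lifetime": 30},
            "servers": [{
                "name": "redis-a", "host": "redis-a.ibm.com", "port": 6379,
                "username": "testuser", "password": "passw0rd",
                "ssl": {"trust_certificates": ["@redis-ca.crt"],
                        "client_certificate": ["@cert.crt", "@cert.key"],
                        "sni": "redis-a.ibm.com"}}]}]}}}}

# Documented minimums; the maximums are "unlimited" and need no check.
SESSION_MIN = {"max_sessions": 1, "timeout": 0, "inactive_timeout": 0}
COLLECTION_MIN = {"max_pooled_connections": 0, "idle_timeout": 0, "connect_timeout": 0,
                  "io_timeout": 0, "health_check_interval": 1}
# http{s}://server{:port}: scheme, a host with no path, an optional numeric port.
MASTER_URL = re.compile(r"^https?://[^/:\s]+(:\d+)?$")


def set_path(config, path, value):
    """Deep copy config and replace the value at path (a list of keys/indexes)."""
    cfg = copy.deepcopy(config)
    node = cfg
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return cfg


def _check_min(findings, where, obj, minimums):
    for key, lo in minimums.items():
        if key in obj and obj[key] < lo:
            findings.append(f"{where}.{key}={obj[key]} is below the minimum of {lo}")


def lint_session(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sess = config["server"]["session"]
    _check_min(findings, "session", sess, SESSION_MIN)
    if sess.get("timeout", 3600) == 0 and sess.get("inactive_timeout", 600) == 0:
        findings.append("session: timeout and inactive_timeout are both 0, so sessions are "
                        "only reaped (LRU) once max_sessions is reached")
    redis = sess.get("redis")
    if redis is None:
        return findings
    if redis.get("concurrent_sessions", {}).get("max_user_sessions", 0) < -1:
        findings.append("concurrent_sessions.max_user_sessions must be -1, 0 or positive")
    collections = redis.get("collections", [])
    if redis.get("default_collection") not in [c["name"] for c in collections]:
        findings.append(f"redis.default_collection {redis.get('default_collection')!r} "
                        "does not name a configured collection")
    for coll in collections:
        where = f"collections[{coll['name']}]"
        _check_min(findings, where, coll, COLLECTION_MIN)
        url = coll.get("cross_domain_support", {}).get("master_authn_server_url")
        if url is not None and not MASTER_URL.match(url):
            findings.append(f"{where}.master_authn_server_url {url!r} is not of the form "
                            "http{s}://server{:port}")
        for srv in coll.get("servers", []):
            swhere = f"{where}.servers[{srv['name']}]"
            if srv.get("port", 6379) < 1:
                findings.append(f"{swhere}.port must be at least 1")
            if not srv.get("ssl", {}).get("trust_certificates"):
                findings.append(f"{swhere}: no ssl.trust_certificates, so TLS is not used and "
                                "the Redis username/password are sent in clear text")
    return findings
```

The page's own example passes cleanly; removing the ssl block from redis-a is the single change most worth catching, because the gateway silently falls back to an unencrypted connection rather than failing.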
