Session
server/session
Specifies the configuration for client sessions.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
cookie_name | string | Default value: PD-S-SESSION-ID | The name of the session cookie presented to clients. |
max_sessions | number | Minimum: 1 Maximum: unlimited Default value: 4096 | The maximum number of concurrent sessions. |
timeout | number | Minimum: 0 Maximum: unlimited Default value: 3600 | The maximum lifetime (in seconds) for a session. If set to 0, sessions have no maximum lifetime; however, once max_sessions is reached, sessions are reaped using a least-recently-used algorithm. |
inactive_timeout | number | Minimum: 0 Maximum: unlimited Default value: 600 | The maximum lifetime (in seconds) a session can remain inactive before it is expired. If set to 0 the sessions will not have a maximum inactive lifetime. |
permit_user_switching | boolean | Values: true or false Default value: false | During an obligated re-authentication, depending on the policy and identity provider a different user credential may be returned to the application gateway. By default, the application gateway will not accept a credential if the user name does not match the user which the session was originally established for. Use this entry to change the behaviour and allow the application gateway to accept a credential containing a different user name during re-authentication. |
redis | redis | | Configuration for distributed sessions held in a Redis environment; see server/session/redis. |
reauth | reauth | | Controls the behaviour of the re-authentication policies; see server/session/reauth. |
server/session/redis
Specifies the configuration for distributed sessions using a Redis environment.
Redis collections are defined using the services/redis[] entry.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
enabled | boolean | Values: true or false | Enables the Redis session cache. |
client_list_cache_lifetime | number | Minimum: 0 Maximum: unlimited Default value: 10 | During session creation and idle-timeout events the server must delete stale entries from the Redis cache itself, which requires an up-to-date list of the Redis server's active clients (obtained with the CLIENT LIST Redis command). Depending on the number of clients registered with the Redis server this command can be expensive, so IAG caches the returned client list and reuses it for a short period. This entry controls the length of time, in seconds, for which a client list is cached. |
concurrent_sessions | concurrent_sessions | | Tracking and management of concurrent user sessions; see server/session/redis/concurrent_sessions. |
server/session/redis/concurrent_sessions
Specifies the configuration information associated with the tracking and management of concurrent user sessions.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
enabled | boolean | Values: true or false Default value: true | Is concurrent user session tracking and management enabled? |
prompt_for_displacement | boolean | Values: true or false Default value: true | If enabled the gateway will prompt users before automatically displacing existing sessions with the same user identity. If disabled the gateway will automatically log out the existing user session. |
max_user_sessions | number | Minimum: -1 Maximum: unlimited Default value: 0 | The maximum number of concurrent sessions which are allowed for a single user. A value of 0 indicates that an unlimited number of sessions are allowed, and a value of -1 indicates that only a single session is allowed for the user and that any existing sessions will be displaced by the new session. The maximum number of user sessions for a particular session can also be defined using the tagvalue_max_concurrent_web_sessions attribute of the credential. |
user_identity_attribute_name | string | Default value: AZN_CRED_PRINCIPAL_NAME | The name of the credential attribute which holds the unique user identity for the session. If the configured attribute does not exist in the credential the default user identity of unknown will be used. |
server/session/reauth
These entries control the behaviour of the re-authentication policies.
Properties
Name | Type | Constraints | Description |
---|---|---|---|
login_time_window | number | Minimum: 0 Maximum: unlimited Default value: 0 | Controls the amount of time a re-authentication will be considered valid for. This is a time (in seconds) after a re-authentication occurs during which a client will not be prompted to perform re-authentication again. By default, the login_time_window is set to zero, which means that every request to a resource protected with the reauth policy directive will require the client to perform re-authentication. |
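The interaction between the entries above (session lifetime and LRU reaping, per-user limits with displacement, user switching on re-authentication, and login_time_window) is easiest to check by executing it. The following Python model is an added example and not IAG's own code: it encodes the documented rules for max_sessions, timeout and inactive_timeout (0 disables the limit), max_user_sessions (0 unlimited, -1 single session, N with displacement), permit_user_switching and reauth.login_time_window. The SessionStore class, its method names and the timestamps are assumptions made for the illustration; the per-credential tagvalue_max_concurrent_web_sessions override is modelled as the user_limit argument and the user's answer to the displacement prompt as the displace argument.

```python
"""Executable model of the session rules documented on this page.

Constructed example, not IAG's own code: the class, method names and
timestamps are assumptions; the rules they implement are the documented ones.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    sid: str
    user: str          # value of user_identity_attribute_name (default AZN_CRED_PRINCIPAL_NAME)
    created: float
    last_active: float
    last_reauth: Optional[float] = None


class SessionStore:
    """Mirrors the server/session, concurrent_sessions and reauth entries."""

    def __init__(self, max_sessions=4096, timeout=3600, inactive_timeout=600,
                 max_user_sessions=0, prompt_for_displacement=True,
                 permit_user_switching=False, login_time_window=0):
        self.max_sessions = max_sessions
        self.timeout = timeout
        self.inactive_timeout = inactive_timeout
        self.max_user_sessions = max_user_sessions
        self.prompt_for_displacement = prompt_for_displacement
        self.permit_user_switching = permit_user_switching
        self.login_time_window = login_time_window
        # Insertion order doubles as the LRU order: least recently used first.
        self._sessions: "OrderedDict[str, Session]" = OrderedDict()

    def active(self):
        return list(self._sessions)

    def get(self, sid):
        return self._sessions.get(sid)

    def expire(self, now):
        """Drop sessions past timeout or inactive_timeout; 0 disables either limit."""
        for sid, s in list(self._sessions.items()):
            too_old = self.timeout and now - s.created >= self.timeout
            idle = self.inactive_timeout and now - s.last_active >= self.inactive_timeout
            if too_old or idle:
                del self._sessions[sid]

    def touch(self, sid, now):
        """A request on the session: reset the inactivity clock and make it most recently used."""
        s = self._sessions[sid]
        s.last_active = now
        self._sessions.move_to_end(sid)

    def create(self, sid, user, now, displace=True, user_limit=None):
        """Establish a session. Returns (created, list of displaced session ids).

        user_limit models the per-credential tagvalue_max_concurrent_web_sessions
        override (None means the configured max_user_sessions applies); displace is
        the user's answer when prompt_for_displacement is on (ignored otherwise).
        """
        self.expire(now)
        limit = self.max_user_sessions if user_limit is None else user_limit
        own = [s.sid for s in self._sessions.values() if s.user == user]  # LRU first
        displaced = []
        if limit == -1:
            # Single session only: every existing session of this user is displaced.
            displaced.extend(own)
        elif limit > 0 and len(own) >= limit:
            if self.prompt_for_displacement and not displace:
                return False, []        # user declined the prompt; new login refused
            # Log out the least recently used session(s) to get back under the limit.
            displaced.extend(own[:len(own) - limit + 1])
        for old in displaced:
            del self._sessions[old]
        # Global cap: once max_sessions is reached, least recently used sessions are
        # reaped regardless of timeout (this is what bounds memory when timeout is 0).
        while len(self._sessions) >= self.max_sessions:
            oldest, _ = self._sessions.popitem(last=False)
            displaced.append(oldest)
        self._sessions[sid] = Session(sid, user, now, now)
        return True, displaced

    def reauth_required(self, sid, now):
        """With login_time_window 0 every request to a reauth-protected resource re-prompts."""
        s = self._sessions[sid]
        if s.last_reauth is None or self.login_time_window == 0:
            return True
        return now - s.last_reauth >= self.login_time_window

    def complete_reauth(self, sid, cred_user, now):
        """Accept or reject the credential the identity provider returned for a re-authentication."""
        s = self._sessions[sid]
        if cred_user != s.user and not self.permit_user_switching:
            return False                # user name mismatch is rejected by default
        s.user = cred_user              # accepted; with switching on, the session changes user
        s.last_reauth = now
        return True
```

Two points the model makes visible: with timeout: 0 the only thing bounding the table is max_sessions, so the LRU reap can log out a perfectly healthy session under load, and with permit_user_switching: true a re-authentication rebinds an existing session cookie to a different principal, which is why it is off by default.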
Example

```yaml
server:
  session:
    cookie_name: sess_cookie
    max_sessions: 20
    timeout: 600
    inactive_timeout: 100
    redis:
      enabled: true
      key_prefix: "iag-"
      default_collection: test-collection
      client_list_cache_lifetime: 10
      concurrent_sessions:
        enabled: true
        prompt_for_displacement: true
        max_user_sessions: 15
        user_identity_attribute_name: AZN_CRED_PRINCIPAL_NAME
    reauth:
      login_time_window: 10
```