server/session

Specifies the configuration for client sessions.

Properties

| Name | Type | Constraints | Description |
|---|---|---|---|
| cookie_name | string | Default value: PD-S-SESSION-ID | The name of the session cookie presented to clients. |
| max_sessions | number | Minimum: 1; Maximum: unlimited; Default value: 4096 | The maximum number of concurrent sessions. |
| timeout | number | Minimum: 0; Maximum: unlimited; Default value: 3600 | The maximum lifetime (in seconds) for a session. If set to 0, sessions have no maximum lifetime; however, once max_sessions is reached, sessions are reaped using a least-recently-used algorithm. |
| inactive_timeout | number | Minimum: 0; Maximum: unlimited; Default value: 600 | The maximum time (in seconds) a session can remain inactive before it expires. If set to 0, sessions have no maximum inactive lifetime. |
| permit_user_switching | boolean | Values: true or false; Default value: false | During an obligated re-authentication, depending on the policy and identity provider, a different user credential may be returned to the application gateway. By default, the application gateway will not accept a credential whose user name does not match the user for which the session was originally established. Use this entry to change that behaviour and allow the application gateway to accept a credential containing a different user name during re-authentication. |
| redis | redis | | See server/session/redis. |
| reauth | reauth | | See server/session/reauth. |

server/session/redis

Specifies the configuration for distributed sessions using a Redis environment.
Redis collections are defined using the services/redis[] entry.

Properties

| Name | Type | Constraints | Description |
|---|---|---|---|
| enabled | boolean | Values: true or false | Enables the Redis session cache. |
| client_list_cache_lifetime | number | Minimum: 0; Maximum: unlimited; Default value: 10 | The server must manually delete stale entries from the Redis cache during session creation and idle timeout events. To delete the stale entries it needs an up-to-date list of the Redis server's active clients (obtained with the CLIENT LIST Redis command). Depending on the number of clients registered with the Redis server, this command can be expensive, so IAG caches and reuses the returned client list for a short period. This entry controls the length of time, in seconds, for which a client list is cached. |
| concurrent_sessions | concurrent_sessions | | See server/session/redis/concurrent_sessions. |

server/session/redis/concurrent_sessions

Specifies the configuration information associated with the tracking and management of concurrent user sessions.

Properties

| Name | Type | Constraints | Description |
|---|---|---|---|
| enabled | boolean | Values: true or false; Default value: true | Whether concurrent user session tracking and management is enabled. |
| prompt_for_displacement | boolean | Values: true or false; Default value: true | If enabled, the gateway prompts users before automatically displacing existing sessions with the same user identity. If disabled, the gateway automatically logs out the existing user session. |
| max_user_sessions | number | Minimum: -1; Maximum: unlimited; Default value: 0 | The maximum number of concurrent sessions allowed for a single user. A value of 0 indicates that an unlimited number of sessions are allowed; a value of -1 indicates that only a single session is allowed for the user and that any existing sessions will be displaced by the new session. The maximum number of user sessions for a particular session can also be defined using the tagvalue_max_concurrent_web_sessions attribute of the credential. |
| user_identity_attribute_name | string | Default value: AZN_CRED_PRINCIPAL_NAME | The name of the credential attribute which holds the unique user identity for the session. If the configured attribute does not exist in the credential, the default user identity of unknown is used. |

server/session/reauth

These entries control the behaviour of the re-authentication policies.

Properties

| Name | Type | Constraints | Description |
|---|---|---|---|
| login_time_window | number | Minimum: 0; Maximum: unlimited; Default value: 0 | Controls how long a re-authentication is considered valid. This is a period (in seconds) after a re-authentication during which the client will not be prompted to re-authenticate again. By default, login_time_window is set to zero, which means that every request to a resource protected with the reauth policy directive requires the client to re-authenticate. |

Example

```yaml
server:
  session:
    cookie_name: sess_cookie
    max_sessions: 20
    timeout: 600
    inactive_timeout: 100
    redis:
      enabled: true
      key_prefix: "iag-"
      default_collection: test-collection
      client_list_cache_lifetime: 10
      concurrent_sessions:
        enabled: true
        prompt_for_displacement: true
        max_user_sessions: 15
        user_identity_attribute_name: AZN_CRED_PRINCIPAL_NAME
    reauth:
      login_time_window: 10
```
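As an added example (not part of the IAG documentation or product), the following Python linter applies the constraints from the property tables above to a server/session block and flags the settings a configuration reviewer would question, such as a timeout of 0 or permit_user_switching set to true. SCHEMA, lint and the two sample configurations are constructs of this example, and the redis.enabled default is assumed to be false because the page states none.

```python
# Lints an IAG server/session block against the property tables above. SCHEMA
# transcribes the page's type, minimum and default columns (redis.enabled has no
# documented default, so false is assumed); the checks after the loop are the
# author's own hardening heuristics, not IAG rules.
SCHEMA = {  # path -> (type, minimum or None, default)
    ("max_sessions",): (int, 1, 4096),
    ("timeout",): (int, 0, 3600),
    ("inactive_timeout",): (int, 0, 600),
    ("permit_user_switching",): (bool, None, False),
    ("redis", "enabled"): (bool, None, False),
    ("redis", "client_list_cache_lifetime"): (int, 0, 10),
    ("redis", "concurrent_sessions", "enabled"): (bool, None, True),
    ("redis", "concurrent_sessions", "max_user_sessions"): (int, -1, 0),
    ("reauth", "login_time_window"): (int, 0, 0),
}
def _get(cfg, path):
    # Walk a nested dict; None when any key along the path is absent.
    for key in path:
        if not isinstance(cfg, dict) or key not in cfg:
            return None
        cfg = cfg[key]
    return cfg
def lint(session):
    """Return findings for a server/session dict; an empty list means clean."""
    findings, eff = [], {}
    for path, (typ, minimum, default) in SCHEMA.items():
        name, val = ".".join(path), _get(session, path)
        eff[name] = default if val is None else val  # effective value
        if val is None:
            continue
        # bool is a subclass of int, so number fields must reject True/False.
        if not isinstance(val, typ) or (typ is int and isinstance(val, bool)):
            findings.append(f"{name}: expected {typ.__name__}, got {val!r}")
        elif minimum is not None and val < minimum:
            findings.append(f"{name}: {val} is below the minimum of {minimum}")
    if eff["timeout"] == 0:
        findings.append("timeout: 0 removes the maximum session lifetime")
    if eff["inactive_timeout"] == 0:
        findings.append("inactive_timeout: 0 removes the idle timeout")
    if eff["permit_user_switching"] is True:
        findings.append("permit_user_switching: a different user name is accepted at re-authentication")
    if (eff["redis.enabled"] is True and eff["redis.concurrent_sessions.enabled"] is True
            and eff["redis.concurrent_sessions.max_user_sessions"] == 0):
        findings.append("max_user_sessions: 0 allows unlimited concurrent sessions per user")
    return findings
# Constructed samples: the page's example values (expected clean) and a weak config.
PAGE_EXAMPLE = {"max_sessions": 20, "timeout": 600, "inactive_timeout": 100,
    "reauth": {"login_time_window": 10}, "redis": {"enabled": True,
    "concurrent_sessions": {"enabled": True, "max_user_sessions": 15}}}
WEAK_EXAMPLE = {"max_sessions": 0, "timeout": 0, "inactive_timeout": 0,
    "permit_user_switching": True, "redis": {"enabled": True}}
```

Running lint(WEAK_EXAMPLE) reports the constraint violation on max_sessions first, followed by the four weak effective settings, while the page's own example values produce no findings.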