IBM Verify

  • 1.  EAI Session timeouts.

    Posted Thu August 30, 2018 04:56 AM
    Hi,

    When you use EAI you can set session timeouts per user if you so wish. 
    EAI Session timeout

    Is it possible to set a standard timeout in EAI and then let the application dynamically "upgrade/downgrade/set" the timeouts after you have authenticated?

    Let's say that you have 3 different applications (and SSO between them) that use EAI to authenticate the user. EAI sets a max session timeout of 60 minutes. But the applications/junctions 1, 2 and 3 wish to have different timeouts.

    How would you solve this?



    ------------------------------
    Mikael
    ------------------------------


  • 2.  RE: EAI Session timeouts.

    Posted Fri August 31, 2018 02:48 AM

    Mikael,

    There really is no way to have different session timeouts for different applications/junctions.  The only possible way of doing this is if you are using virtual host junctions and have a different session for each junction.

    Your question has been asked numerous times in the past, but in the majority of instances once we start delving into what the customer actually wants we find that the request doesn't really make a lot of sense.  The main reason for this is that people can't really state exactly what behaviour they want.  Do they want separate sessions for each application?  If so, do they want SSO between the applications?  If you have SSO between applications the session lifetime then essentially becomes the lifetime of the longest timeout for all of the applications that you have access to - which defeats the purpose of having a per-application timeout.

    Does this make sense?

    Thanks,

    Scott.



    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------
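The two posts above make one point between them: with SSO there is a single browser-to-WebSEAL session, so the only place a lifetime can be chosen is at authentication time, per user, in the EAI response. The following is an added illustration of that, not code from the thread or from IBM. It assumes the default EAI header names `am-eai-user-id` and `am-eai-xattrs` and the extended attribute `tagvalue_session_lifetime` (seconds) as mapped in a default `[eai]` stanza; the application timeouts, the user entitlements and the "shortest entitled timeout" rule are constructed for the example and are a design choice, not product behaviour.

```python
"""Added example: an EAI-style responder that decides one WebSEAL session
lifetime per user at authentication time.

Assumptions (not taken from the thread): WebSEAL's [eai] stanza uses the
default header names am-eai-user-id / am-eai-xattrs, and the extended
attribute tagvalue_session_lifetime is honoured as a per-session lifetime
in seconds.  Verify these against your own webseald.conf before use.
"""

# Constructed per-application timeouts, in seconds (hypothetical values).
APP_TIMEOUTS = {
    "app1": 15 * 60,
    "app2": 30 * 60,
    "app3": 60 * 60,
}

# Constructed user-to-application entitlements (hypothetical).
USER_APPS = {
    "alice": ["app1", "app2", "app3"],
    "bob": ["app3"],
}

# Upper bound taken from the question: EAI sets a maximum of 60 minutes.
MAX_SESSION_LIFETIME = 60 * 60


def choose_session_lifetime(user, app_timeouts=APP_TIMEOUTS,
                            user_apps=USER_APPS, cap=MAX_SESSION_LIFETIME):
    """Return the single lifetime for the browser<->WebSEAL session.

    SSO means every junction the user can reach shares one session, so the
    value is chosen once, here.  The rule (a design choice for this example)
    is the shortest timeout among the applications the user is entitled to,
    never exceeding the configured cap.  A user with no specific requirement
    falls back to the cap.
    """
    apps = user_apps.get(user, [])
    candidates = [app_timeouts[a] for a in apps if a in app_timeouts]
    if not candidates:
        return cap
    return min(min(candidates), cap)


def eai_response_headers(user, lifetime, cap=MAX_SESSION_LIFETIME):
    """Build the HTTP response headers an EAI application hands to WebSEAL.

    Rejects lifetimes outside (0, cap] so a bug elsewhere cannot mint an
    unbounded or zero-length session.
    """
    if not isinstance(lifetime, int) or lifetime <= 0 or lifetime > cap:
        raise ValueError("session lifetime outside the permitted range")
    return {
        "am-eai-user-id": user,
        # am-eai-xattrs lists the extended attributes WebSEAL should read
        "am-eai-xattrs": "tagvalue_session_lifetime",
        "tagvalue_session_lifetime": str(lifetime),
    }


def eai_app(environ, start_response):
    """Minimal WSGI endpoint (hypothetical) standing in for the EAI.

    The real EAI authenticates the user itself; here the identity is read
    from a constructed X-Demo-User request header purely for illustration.
    """
    user = environ.get("HTTP_X_DEMO_USER")
    if not user or user not in USER_APPS:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"authentication failed\n"]
    lifetime = choose_session_lifetime(user)
    headers = list(eai_response_headers(user, lifetime).items())
    headers.append(("Content-Type", "text/plain"))
    start_response("200 OK", headers)
    return [f"authenticated {user}, session lifetime {lifetime}s\n".encode()]


if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        lt = choose_session_lifetime(name)
        print(name, lt, eai_response_headers(name, lt))
```

Run it directly to see the headers chosen for each constructed user; `alice` gets the 15-minute value because one of her applications asks for it, while `bob`, who only reaches `app3`, keeps the full hour. Whatever rule you pick, it has to be expressed per user at this point, which is the limitation the replies describe.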



  • 3.  RE: EAI Session timeouts.

    Posted Fri August 31, 2018 03:45 AM
    You really can't and shouldn't be trying to. The session is between the browser and WebSEAL, and is completely independent of (and largely irrelevant to) which applications are junctioned behind WebSEAL. If these applications have such largely different security requirements, then don't use SSO. It's really that simple.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 4.  RE: EAI Session timeouts.

    Posted Tue September 18, 2018 02:42 AM
    Thanks for the replies Scott and Shane.

    I've been thinking and thinking about the why (which I knew would be asked).
    One scenario is in the OAuth code flow where the session should be short only to let the user approve the consent, and after the redirect kicks in we don't want any sessions hanging around. Maybe that could be solved by a mapping rule?

    Regards Micke

    ------------------------------
    Mikael
    ------------------------------