IBM Verify

  • 1.  Persistent Sessions

    Posted Sat July 10, 2021 10:21 AM
    Hi 

    Is the 'Persistent Sessions' feature only applicable to sessions initiated/created by WebSEAL's pkmslogin mechanism, or does it also apply to WebSEAL sessions created in the context of returned EAI headers from AAC InfoMaps?

    Thanks

    ------------------------------
    Sylvain Gilbert
    ------------------------------


  • 2.  RE: Persistent Sessions

    Posted Mon July 12, 2021 02:01 AM
    Sylvain,

    For WebSEAL 'persistent sessions' it doesn't matter whether the session was created via an EAI or the inbuilt authentication mechanism.  WebSEAL will persist the session in the same fashion.

    I hope that this helps.

    ------------------------------
    Scott Exton
    IBM
    Gold Coast
    ------------------------------



  • 3.  RE: Persistent Sessions

    Posted Mon July 12, 2021 07:09 AM
    Hi Sylvain,

    I wasn't able to find a reference to the EAI method of setting the persistent (also known as "remember-me") session in the product docs, but it is mentioned in the Reverse Proxy configuration file comments in the 10.0.1.0 and 10.0.2.0 versions:

    ---
    # The name of the header which is used to 'flag' the authentication
    # response with extra processing information. The supported flags
    # (.i.e. header values) include:
    # - stream: Used to indicate that the authentication response should
    # be streamed back to the client.
    # - append-cred-attrs:
    # When an extended attribute name matches an existing
    # credential attribute, its value will be appended as an
    # additional value.
    # - replace-cred-attrs:
    # When an extended attribute name matches an existing
    # credential attribute, its value will replace the
    # credential attribute value.
    #
    # If neither append-cred-attrs nor replace-cred-attrs is
    # specified then the eai-replace-cred-attributes
    # value determines the extended attribute behaviour.
    # - remember-session:
    # Used to indicate that the session should be remembered. This
    # will have the impact of creating and setting the configured
    # 'remember-session-field'. The flag can optionally be qualified
    # with the length of time (in minutes) that the token will be
    # valid for, e.g. 'remember-session:60'. If no expiry is
    # specified the token will never expire.
    # - success-page-response:
    # If the authentication is successful return the login success
    # page instead of returning a 302.
    # - max-concurrent-sessions:
    # If the session is being stored in a remote session cache
    # (either the DSC or Redis) this flag is used to define the
    # maximum number of concurrent sessions which are allowed for
    # this user. A value of 0 indicates that there is no limit, and
    # a value of -1 indicates that the existing session will be
    # displaced. If the user has reached their session limit the new
    # session will not be established and an error page will be
    # returned to the client. The format of the flag should be:
    # 'max-concurrent-sessions:<limit>', for example:
    # 'max-concurrent-sessions:5'.
    #
    # If multiple flags need to be specified they should be included in a single
    # HTTP header as a comma separated list.
    eai-flags-header = am-eai-flags
    ---

    If you're using the AAC Authentication Service, you don't have direct control over the EAI HTTP headers that are returned following successful completion of an authentication policy (this is controlled by the Point of Contact profile).  There are workarounds for this (end policy without successful completion but use a template page with server-side scripting to set the EAI headers anyway)... but I won't go into those here.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
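The flag syntax quoted from the configuration file comments above, worked through as a parser and validator for the am-eai-flags header value. This is an added example written for this thread, not IBM product code; treating append-cred-attrs together with replace-cred-attrs as an error is this example's own assumption, since the quoted comments do not say which one wins.

```python
# Parser/validator for the value of WebSEAL's eai-flags-header (am-eai-flags),
# following the configuration comments quoted above. Added example for this
# thread, not IBM product code. Rejecting append-cred-attrs together with
# replace-cred-attrs is this example's assumption; the comments do not say.
from typing import Dict, Optional

PLAIN_FLAGS = {"stream", "append-cred-attrs", "replace-cred-attrs",
               "success-page-response"}
QUALIFIED_FLAGS = {"remember-session": False,        # ':<minutes>' optional
                   "max-concurrent-sessions": True}  # ':<limit>' required


def parse_eai_flags(header_value: str) -> Dict[str, Optional[int]]:
    """Map each flag to its integer qualifier (None when absent); ValueError if malformed."""
    flags: Dict[str, Optional[int]] = {}
    for raw in header_value.split(","):
        item = raw.strip()
        if not item:
            continue                       # tolerate empty items such as 'a,,b'
        name, sep, qualifier = item.partition(":")
        if name in flags:
            raise ValueError(f"duplicate flag: {name}")
        if name in PLAIN_FLAGS:
            if sep:
                raise ValueError(f"{name} takes no qualifier")
            flags[name] = None
            continue
        if name not in QUALIFIED_FLAGS:
            raise ValueError(f"unknown flag: {name}")
        if not sep:
            if QUALIFIED_FLAGS[name]:
                raise ValueError(f"{name} requires a ':<value>' qualifier")
            flags[name] = None             # remember-session with no expiry
            continue
        try:
            value = int(qualifier)
        except ValueError:
            raise ValueError(f"{name}: qualifier must be an integer") from None
        if name == "remember-session" and value <= 0:
            raise ValueError("remember-session expiry must be a positive number of minutes")
        if name == "max-concurrent-sessions" and value < -1:
            raise ValueError("max-concurrent-sessions must be -1, 0 or a positive limit")
        flags[name] = value
    if "append-cred-attrs" in flags and "replace-cred-attrs" in flags:
        raise ValueError("append-cred-attrs conflicts with replace-cred-attrs")
    return flags
```

Running it over 'remember-session:60, max-concurrent-sessions:5' yields a 60-minute remember-me token and a limit of five concurrent sessions, while a bare 'remember-session' maps to None, i.e. a token that never expires.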