OAM 12c Session lifetime and Idle session timeout

Hello,

Please refer to this blog for details on session timeout for OAM. Also can you let us know or confirm if OAM is protecting access to the Application? You mentioned OAM is IDP and using saml federation. In Federation there are two end points, one is Identity Provider and the other is Service Provider.

The blog reference is for setting up OAM as service provider for application. I will try to answer you current questions assuming OAM is configured to protect the access to the application/Application URL.

>>1) How the max sessions get reached, if the user tries to access the different applications in a SSO environment ?

-- if i open app1--> browser window1, app2-->browser window2, app3 -->browser window3; does this count as 3 sessions for the user or only 1 as it's a SSO for all the 3 apps.

Above will count as 3 sessions. But be aware if you open multiple tabs in the same browser then you are sharing the same cookie. To avoid confusion open one session in one browser, say IE, then open another session in a different browser, say Chrome browser.

>>2) If the user closes the browser, does the session gets killed ?

Yes

>>3) If the user opens a new browser immediately after closing the browser, does a new session get created ?

Yes

>>4) Is there something that i have to educate/tell users going forward so that max session scenario doesn’t happen again?

There is a setting for Max user sessions in OAM configuration. By default believe it is set to 8. Here is a reference regarding maximum sessions. (Scroll down to section 25.3.1.3.1 Global Session Settings and see the info on Maximum Number of Sessions) Note if you set this value to 0 (zero) then that is a special setting, and this will ensure that OAM will count the sessions of a user thereby a user can have unlimited number of sessions- obviously this setting of zero (0) is not to be used.

>>5) In a federated login, can we get details of what Service provider or URL the user has tried to access ?

Yes as an admin you should have this information. If not contact the Service Provider admin. If you are in a Federation then you -I am assuming as an administrator should have access to details both at IDP and SP side (Identity Provider and Service Provider). Looks like you are from the Identity Provider side?

>>6) If we don't delete the sessions from OAM, when will the 10 sessions get expired so that the user can log in again ?

The sessions will get expired when the "Session Lifetime is reached the session is marked as expired and removed from server memory. Again you can read here about Session Lifetime.

Just to be clear here the settings for OAM that is being discussed is assuming OAM is protecting the application/URL or in other words it is the Service Provider. So I am assuming your Service Provider is also running OAM? please confirm.

You can increase this current setting of Max sessions per user =10 to say 30

Check with your users if this helps. For the URL, you can always check the Federation configuration settings which will give the URL.