OAM 12c Session lifetime and Idle session timeout

user8744020 Member Posts: 1,072 Silver Badge
edited Jan 8, 2021 2:25AM in Identity Manager

Hi,

We are currently on OAM 12.2.1.3

I have a few queries regarding the Max sessions per user, Session lifetime and Idle session timeout settings in the OAM Common settings page.

We use OAM as an IdP and use SAML federation. Our current settings are

Max sessions per user =10

Session lifetime=720 minutes

Idle session timeout=720 minutes

Now, a few of the users are reaching the max session count of 20 and are not able to log in/create any new sessions.

Questions:

1) How do the max sessions get reached if the user tries to access different applications in an SSO environment?

-- If I open app1 --> browser window1, app2 --> browser window2, app3 --> browser window3, does this count as 3 sessions for the user or only 1, as it's SSO for all 3 apps?

2) If the user closes the browser, does the session get killed?

3) If the user opens a new browser immediately after closing the browser, does a new session get created?

4) Is there something that I have to educate/tell users going forward so that the max session scenario doesn't happen again?

5) In a federated login, can we get details of what Service Provider or URL the user has tried to access?

6) If we don't delete the sessions from OAM, when will the 10 sessions expire so that the user can log in again?

Any inputs on this would be appreciated.

Any other scenarios/questions that you have faced would be helpful for me to educate users and also answer questions raised by management.

Thanks in advance.

Answers

  • user8744020
    user8744020 Member Posts: 1,072 Silver Badge

    Hi,

    Any inputs on this please?

    Thanks in advance

  • user8744020
    user8744020 Member Posts: 1,072 Silver Badge

    Hi,

    @Srinath Menon-Oracle @Sandeep Kumar sk Any inputs on this please.

    Thanks in advance,

  • Sandeep Kumar sk
    Sandeep Kumar sk Member Posts: 496 Silver Badge
    edited Jan 8, 2021 10:37PM

    Hello,

    Please refer to this blog for details on session timeout for OAM. Also, can you let us know or confirm if OAM is protecting access to the application? You mentioned OAM is the IdP and is using SAML federation. In federation there are two endpoints: one is the Identity Provider and the other is the Service Provider.

    The blog reference is for setting up OAM as the service provider for an application. I will try to answer your current questions assuming OAM is configured to protect access to the application/application URL.

    >>1) How do the max sessions get reached if the user tries to access different applications in an SSO environment?

    >>-- If I open app1 --> browser window1, app2 --> browser window2, app3 --> browser window3, does this count as 3 sessions for the user or only 1, as it's SSO for all 3 apps?

    The above will count as 3 sessions. But be aware that if you open multiple tabs in the same browser, then you are sharing the same cookie. To avoid confusion, open one session in one browser, say IE, then open another session in a different browser, say Chrome.

    >>2) If the user closes the browser, does the session get killed?

    Yes

    >>3) If the user opens a new browser immediately after closing the browser, does a new session get created ?

    Yes

    >>4) Is there something that I have to educate/tell users going forward so that the max session scenario doesn't happen again?

    There is a setting for Max user sessions in the OAM configuration. By default, I believe it is set to 8. Here is a reference regarding maximum sessions (scroll down to section 25.3.1.3.1 Global Session Settings and see the info on Maximum Number of Sessions). Note that if you set this value to 0 (zero), that is a special setting, and this will ensure that OAM will count the sessions of a user, thereby a user can have an unlimited number of sessions; obviously this setting of zero (0) is not to be used.

    >>5) In a federated login, can we get details of what Service Provider or URL the user has tried to access?

    Yes, as an admin you should have this information. If not, contact the Service Provider admin. If you are in a federation, then you (I am assuming as an administrator) should have access to details on both the IdP and SP side (Identity Provider and Service Provider). Looks like you are from the Identity Provider side?

    >>6) If we don't delete the sessions from OAM, when will the 10 sessions expire so that the user can log in again?

    The sessions will expire when the "Session Lifetime" is reached: the session is marked as expired and removed from server memory. Again, you can read here about Session Lifetime.

    Just to be clear, the OAM settings being discussed here assume OAM is protecting the application/URL, or in other words that it is the Service Provider. So I am assuming your Service Provider is also running OAM? Please confirm.

  • user8744020
    user8744020 Member Posts: 1,072 Silver Badge

    Thank you @Sandeep Kumar sk for taking the time to reply to the post. Appreciate it.

    We are using OAM as an Identity Provider and an application (e.g. Workday) as the Service Provider. This is a SAML 2.0 based SSO. Our current Global Settings from the OAM page are:

    Max sessions per user =10

    Session lifetime=720 minutes

    Idle session timeout=720 minutes

    A few of the users are getting maxed out of 'Max Sessions per user'=10 and asking us what we need to do going forward so that the max session scenario doesn't happen to them again.

    From the database, I am able to see the users' sessions in the 'AM_SESSION' table (like client IP, userid, etc.) but not the URL they accessed. Is there a way to find out?

    Thanks in advance.

  • Sandeep Kumar sk
    Sandeep Kumar sk Member Posts: 496 Silver Badge
    edited Jan 8, 2021 11:20PM

    You can increase this current setting of Max sessions per user =10 to, say, 30.

    Check with your users if this helps. For the URL, you can always check the Federation configuration settings which will give the URL.

  • user8744020
    user8744020 Member Posts: 1,072 Silver Badge
    edited Jan 8, 2021 11:25PM

    Recently we increased it to 20, and as per Oracle, increasing it to a higher value will have database performance issues and other security issues.

    Still, a few of the users are getting maxed out of user sessions and we need to clear the sessions in the backend from the AM_SESSIONS table. Can we decrease the Idle session timeout so that the session times out sooner and the user will have sessions to consume? Any suggestions?

    >>For the URL, you can always check the Federation configuration settings which will give the URL.

    I know the SP URL. But I wanted to know, from the number of sessions the user has, what is it they are accessing?

    Thanks,
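
A simplified model of the three settings discussed in this thread, as an added example (not OAM code and not part of any post). It assumes a session stops counting once its age reaches the session lifetime or its idle time reaches the idle timeout, and that a login is refused while the active count equals the maximum; the session data is constructed.

```python
from dataclasses import dataclass


@dataclass
class Session:
    created: int      # minute the session was created
    last_access: int  # minute of the last request that used it


def active_sessions(sessions, now, lifetime, idle_timeout):
    """Sessions that have hit neither limit at minute `now` (assumed rule)."""
    return [s for s in sessions
            if now - s.created < lifetime
            and now - s.last_access < idle_timeout]


def can_log_in(sessions, now, lifetime, idle_timeout, max_sessions):
    """A new login is allowed only while the active count is below the cap."""
    active = active_sessions(sessions, now, lifetime, idle_timeout)
    return len(active) < max_sessions


def minute_slot_frees(sessions, lifetime, idle_timeout):
    """Earliest minute at which any one session stops counting."""
    return min(min(s.created + lifetime, s.last_access + idle_timeout)
               for s in sessions)


def constructed_day():
    # Constructed sample: a new session every 30 minutes, used for
    # 5 minutes, then left without an explicit logout. Assumes the
    # server keeps counting it until one of the two timeouts applies.
    return [Session(created=t, last_access=t + 5) for t in range(0, 300, 30)]


if __name__ == "__main__":
    sessions = constructed_day()
    for idle in (720, 60):  # the thread's value vs. a shorter idle timeout
        print(f"idle timeout {idle} min:",
              "active at minute 300 =",
              len(active_sessions(sessions, 300, 720, idle)),
              "| login allowed =",
              can_log_in(sessions, 300, 720, idle, 10),
              "| first slot frees at minute",
              minute_slot_frees(sessions, 720, idle))
```

With the idle timeout equal to the session lifetime, the idle limit never removes a session before the lifetime does, so in this model only the lifetime governs when a slot frees up.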

  • Sandeep Kumar sk
    Sandeep Kumar sk Member Posts: 496 Silver Badge

    @user8744020 can you confirm if the setting of session timeout resolved your issue?

  • user8744020
    user8744020 Member Posts: 1,072 Silver Badge

    Yes, the information was very helpful. I wanted to mark this discussion as answered but I don't see an 'Answered' button. I only see the below options.

    Thanks,

  • Sandeep Kumar sk
    Sandeep Kumar sk Member Posts: 496 Silver Badge

    @user8744020 you should be able to do now...