Configure the user session ID for the federation runtime (Federation)

Customize the user session ID header name to track user sessions, end sessions, or sign out a particular user from a web reverse proxy point of contact server.

Set your web reverse proxy to enable the creation of unique user session IDs. The following stanza and entry must be set:

See User session management for back-end servers for general information.

The federation runtime uses user session ID information to log out the user from the web reverse proxy.

The user session ID uniquely identifies a specific session for an authenticated user and is stored as a part of credential information of the user.

The federation runtime obtains the user session ID from the web reverse proxy. The web reverse proxy sends the user session ID to the federation runtime in an HTTP header. To accomplish this, configure the web reverse proxy and federation runtime to use the same header name.

Steps

  1. For the federation runtime, update the advanced configuration property poc.signOut.userSessionRequestHeader by using the local management interface:

    1. Select Federation > Global Settings > Advanced Configuration.

    2. Locate poc.signOut.userSessionRequestHeader in the list, select it, and click Edit.

    3. Enter the header name to use for the user session ID and click Save. For example, specify my_user_session_id.

    See Manage advanced configuration.

  2. Optional: For the web reverse proxy, update the junction to delete an existing user_session_id using the following command:

      pdadmin -a sec_master -p password object modify /WebSEAL/fedname-webseal/junction_name delete attribute HTTP-Tag-Value user_session_id=user_session_id

    Where:

      password: Password for sec_master.
      fedname: Name of the federation.
      webseal: Name of the web reverse proxy server.
      junction_name: Name of the junction.
      user_session_id: Existing header name that was defined for the session ID (the value after the equals sign).

    For example:

      pdadmin -a sec_master -p ipadminpw object modify /WebSEAL/saml20-ip-ipwga/isam delete attribute HTTP-Tag-Value user_session_id=user_session_id

    This command deletes the existing user_session_id.

  3. For the web reverse proxy, update the junction to use the poc.signOut.userSessionRequestHeader property value that you defined in step 1. Add this customized attribute value using the following command:

      pdadmin -a sec_master -p password object modify /WebSEAL/fedname-webseal/junction_name set attribute HTTP-Tag-Value user_session_id=user_session_ID

    Where:

      user_session_ID: Header name from step 1 (the value after the equals sign). For example, my_user_session_id.

    For example:

      pdadmin -a sec_master -p ipadminpw object modify /WebSEAL/saml20-ip-ipwga/isam set attribute HTTP-Tag-Value user_session_id=my_user_session_id

    This command changes the header name that the web reverse proxy uses for the user session ID to my_user_session_id, matching the value from step 1.

The federation runtime and the web reverse proxy now use the same header name for the user session ID, so the runtime can identify the session to end when it signs the user out.
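The following is an added example, not code from this documentation or from the product. It models the two sides the steps above configure: the junction attribute `HTTP-Tag-Value user_session_id=<header_name>` on the web reverse proxy and the `poc.signOut.userSessionRequestHeader` property on the federation runtime. The consistency check confirms both sides name the same header (a stale junction from before step 3 is the failure mode it catches), and a small lookup shows the runtime side extracting the user session ID from a request. The function names, the request headers, and the session ID value are all constructed for the example; the runtime should accept this header only on requests that arrive through the reverse proxy junction, since it identifies the session to be ended.

```python
"""Added example: consistency check for the user session ID header name.

Not part of the product or its documentation. Models the junction attribute
HTTP-Tag-Value user_session_id=<header_name> (web reverse proxy side) and the
poc.signOut.userSessionRequestHeader property (federation runtime side).
"""
from typing import Dict, Optional

# Property name as given on the page; its value is the configured header name.
POC_PROPERTY = "poc.signOut.userSessionRequestHeader"


def parse_http_tag_value(attr_value: str) -> Dict[str, str]:
    """Parse one HTTP-Tag-Value entry of the form cred_attr=header_name.

    Example input (the page's own syntax): "user_session_id=my_user_session_id".
    Returns {credential_attribute: header_name}.
    """
    entry = attr_value.strip()
    if "=" not in entry:
        raise ValueError(f"malformed HTTP-Tag-Value entry: {entry!r}")
    cred_attr, header = entry.split("=", 1)
    return {cred_attr: header}


def header_names_match(junction_attr: str, runtime_header: str) -> bool:
    """True when the junction forwards user_session_id under the header name
    the federation runtime reads.

    HTTP header names are case-insensitive (RFC 7230), so the comparison is
    case-insensitive too. A mismatch means the runtime never sees the session
    ID and therefore cannot end the user's reverse proxy session on sign-out.
    """
    proxy_header = parse_http_tag_value(junction_attr).get("user_session_id")
    if proxy_header is None:
        return False
    return proxy_header.lower() == runtime_header.lower()


def user_session_id_from_request(headers: Dict[str, str],
                                 runtime_header: str) -> Optional[str]:
    """Model of the runtime side: find the configured header in a request,
    case-insensitively, and return its value (the user session ID), or None
    when the proxy did not forward it."""
    wanted = runtime_header.lower()
    for name, value in headers.items():
        if name.lower() == wanted:
            return value
    return None


if __name__ == "__main__":
    # Constructed values mirroring the page's example after step 3.
    junction_attr = "user_session_id=my_user_session_id"
    runtime_header = "my_user_session_id"          # value of POC_PROPERTY
    print("header names match:", header_names_match(junction_attr, runtime_header))

    # Constructed request as the reverse proxy would forward it to the runtime.
    request_headers = {
        "Host": "fed.example.test",
        "My_User_Session_Id": "constructed-session-id-0001",
    }
    print("session id:", user_session_id_from_request(request_headers, runtime_header))

    # Stale junction (step 3 not applied): the runtime would find no session ID.
    print("stale junction matches:",
          header_names_match("user_session_id=user_session_id", runtime_header))
```

Run the check before and after step 3: with the default `user_session_id=user_session_id` attribute still in place the check reports a mismatch, and a request forwarded under the old header name yields no session ID for the runtime to act on.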

Parent topic: SAML Federations Overview