Set a client-specific session cache entry inactivity timeout value

The inactive-timeout stanza entry, located in the [session] stanza of the WebSEAL configuration file, globally sets the maximum lifetime of inactive entries contained within the WebSEAL session cache. You can override this global inactivity timeout value with a per-client value provided as a header in the authentication response from an external authentication interface service. This value is extracted by WebSEAL and stored as an extended attribute in the user's credential.

WebSEAL receives the client-specific inactivity timeout information as the value of a header in the authentication response from the external authentication interface. WebSEAL uses the value of that header to set the inactivity timeout of the new session cache entry for that client. This value overrides the value of the inactive-timeout stanza entry.

The value represents the maximum number of seconds the session can be inactive before it is removed from the WebSEAL session cache.

The following steps summarize the necessary configuration for setting a client-specific cache entry inactivity timeout value:

Steps

  1. Configure the custom external authentication interface program to provide, in its authentication response, an HTTP header containing the session cache inactivity timeout value appropriate for that client. The required name of this header is am_eai_xattr_session_inactive_timeout. The name of this particular header is not configurable. For example:
    am_eai_xattr_session_inactive_timeout:120

  2. Configure the custom external authentication interface program to additionally provide an HTTP header that specifies a comma-delimited list of HTTP header names that contain extended attribute values.

    You must configure WebSEAL to look for this header name (see step 4). The default name for this header is am-eai-xattrs. (The am-eai-xattrs header name is configurable.)

  3. Configure the custom external authentication interface program to include the am_eai_xattr_session_inactive_timeout header name as a value to the am-eai-xattrs header. For example:
    am-eai-xattrs: am_eai_xattr_session_inactive_timeout

  4. Use the [eai] stanza of the WebSEAL configuration file to specify the names of the HTTP headers that contain authentication data returned from the external authentication interface server.
    In the [eai] stanza, ensure that WebSEAL looks for the am-eai-xattrs header name:
    [eai]
    eai-xattrs-header = am-eai-xattrs
    Header names used for the external authentication interface can be customized. Ensure the custom external authentication interface module is written to use the header names as configured.
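The following example, added here and not part of the WebSEAL documentation or product code, shows both sides of the exchange the four steps describe: the headers an external authentication interface program emits for a client, and the lookup that turns the am-eai-xattrs list into extended attributes and then into the per-client inactivity timeout, falling back to the global inactive-timeout value when the header is absent. The am-eai-user-id header is assumed as the identity header (the page does not name it); the handling of a malformed or non-positive timeout value is this example's own choice, since the page does not describe what WebSEAL does in that case.

```python
from typing import Dict, Optional

# Header names as given in the steps above. The list header is the default
# value of eai-xattrs-header and is configurable; the timeout header is not.
XATTRS_HEADER = "am-eai-xattrs"
TIMEOUT_XATTR = "am_eai_xattr_session_inactive_timeout"


def build_eai_response_headers(user: str, inactive_timeout: Optional[int]) -> Dict[str, str]:
    """Headers a custom EAI program would add to its authentication response.

    'am-eai-user-id' is an assumption for the identity header; configure it to
    match whatever the [eai] stanza actually reads.
    """
    headers = {"am-eai-user-id": user}
    if inactive_timeout is not None:
        # Refuse to emit a value that makes no sense as a number of seconds.
        if inactive_timeout <= 0:
            raise ValueError("inactivity timeout must be a positive number of seconds")
        headers[TIMEOUT_XATTR] = str(inactive_timeout)          # step 1
        headers[XATTRS_HEADER] = TIMEOUT_XATTR                   # steps 2 and 3
    return headers


def extract_extended_attributes(headers: Dict[str, str],
                                xattrs_header: str = XATTRS_HEADER) -> Dict[str, str]:
    """Mirror the lookup configured in step 4: read the comma-delimited list
    header, then collect each named header as an extended attribute."""
    lowered = {k.lower(): v for k, v in headers.items()}   # HTTP header names are case-insensitive
    names = lowered.get(xattrs_header.lower(), "")
    xattrs: Dict[str, str] = {}
    for name in (n.strip() for n in names.split(",")):
        if name and name.lower() in lowered:
            xattrs[name] = lowered[name.lower()]
    return xattrs


def session_inactive_timeout(xattrs: Dict[str, str], global_inactive_timeout: int) -> int:
    """Per-client timeout from the credential's extended attribute if present,
    otherwise the global inactive-timeout stanza value."""
    raw = xattrs.get(TIMEOUT_XATTR)
    if raw is None:
        return global_inactive_timeout
    try:
        value = int(raw)
    except ValueError:
        # Constructed choice for this example: ignore an unparsable value.
        return global_inactive_timeout
    return value if value > 0 else global_inactive_timeout


if __name__ == "__main__":
    # Constructed sample: an EAI response granting a 120-second inactivity window.
    response = build_eai_response_headers("alice", 120)
    attrs = extract_extended_attributes(response)
    print(attrs)                                   # {'am_eai_xattr_session_inactive_timeout': '120'}
    print(session_inactive_timeout(attrs, 600))    # 120
    print(session_inactive_timeout({}, 600))       # 600 (no header supplied)
```

The split between the two functions matches the two places the page puts the value: the headers arrive with the EAI response, the attribute lives in the credential, and only then is the session cache entry created with the override. Keeping the global value as the fallback for a missing, unparsable or non-positive header means a misbehaving EAI program can never disable inactivity expiry for a client.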

If the am_eai_xattr_session_inactive_timeout header is present in a flagged response from the external authentication interface, WebSEAL adds the value to the user's credential as an extended attribute. The entry in the credential for this example appears as follows:

am_eai_xattr_session_inactive_timeout:120

After the credential is successfully built, WebSEAL creates an entry in the session cache for that client and uses the value of the extended attribute to set the inactivity timeout for that client's session cache entry.

If the am_eai_xattr_session_inactive_timeout header is not supplied, WebSEAL uses the default timeout value provided by the inactive-timeout stanza entry.
