Set a client-specific session cache entry lifetime value
The timeout stanza entry, located in the [session] stanza of the WebSEAL configuration file, globally sets the maximum lifetime timeout value for all client session information stored in the WebSEAL session cache. We can override this global lifetime value with a per-client lifetime value provided as a header in the authentication response from an external authentication interface service. This value is extracted by WebSEAL and stored as an extended attribute in the user's credential.
WebSEAL receives the client-specific timeout information as the value of a header in the authentication response from the external authentication interface. WebSEAL uses the value of that header to set the lifetime timeout of the new session cache entry for that client. This value overrides the value of the timeout stanza entry.
The value represent an absolute time expressed as the number of seconds since 00:00:00 UTC, January 1, 1970. The output of the UNIX time () function, for example, represents the correct format of this absolute time value.
The following steps summarize the necessary configuration for setting a client-specific cache entry lifetime timeout value:
Steps
- Configure the custom external authentication interface program to provide, in its authentication response, an HTTP header containing the session cache lifetime timeout value appropriate for that client. The required name of this header is:
am_eai_xattr_session_lifetime
The name of this particular header is not configurable.
For example:am_eai_xattr_session_lifetime:1129225478
- Configure the custom external authentication interface program to additionally provide an HTTP header that specifies a comma-delimited list of HTTP header names that contain extended attribute values.
You must configure WebSEAL to look for this header name (see step 4). The default name for this header is am-eai-xattrs. (The am-eai-xattrs header name is configurable.)
- Configure the custom external authentication interface program to include the am_eai_xattr_session_lifetime header name as a value to the am-eai-xattrs header. For example:
am-eai-xattrs: am_eai_xattr_session_lifetime- Use the [eai] stanza of the WebSEAL configuration file to specify the names of the HTTP headers that contain authentication data returned from the external authentication interface server.
In the [eai] stanza, ensure that WebSEAL looks for the am-eai-xattrs header name:
[eai]
eai-xattrs-header = am-eai-xattrsHeader names used for the external authentication interface can be customized. Ensure the custom external authentication interface module is written to use the header names as configured.
If the am_eai_xattr_inactive_timeout header is present in a flagged response from the external authentication interface, WebSEAL adds the value to the user’s credential as an extended attribute. The entry in the credential for this example appears as follows:
am_eai_xattr_session_lifetime:1129225478After the credential is successfully built, WebSEAL creates and entry in the session cache for that client and uses the value of the extended attribute to set the inactivity timeout for that client’s session cache entry.
If the am_eai_xattr_session_lifetime header is not supplied. WebSEAL uses the default timeout value provided by the timeout stanza entry.
Example:For example, in aFederation Runtime environment, there is an optional element of a Liberty authentication response used by an identity provider to dictate to a service provider the duration of a user’s session at the service provider.
By modifying the external authentication interface used to authenticate users, a single attribute (the value derived from the identity provider token) can be returned to WebSEAL and used to set the lifetime timeout of session cache entry for that user. The service provider should always request a new single signon interaction with the identity provider once this cache entry lifetime value has expired. See also:
- Customized responses for old session cookies
- Cache entry lifetime timeout value
- Set a client-specific session cache entry inactivity timeout value
Parent topic: Use of external authentication interface with existing WebSEAL features
Parent topic: WebSEAL session cache configuration