---
title: Configuring a web session
description: A web session specifies the details of how user information is stored.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_use_cases:pa_web_gateway_configuring_a_web_session
canonical_url: https://docs.pingidentity.com/pingaccess/9.1/pingaccess_use_cases/pa_web_gateway_configuring_a_web_session.html
revdate: May 10, 2024
superseded_by: https://docs.pingidentity.com/pingaccess/9.1/pingaccess_use_cases/pa_web_gateway_configuring_a_web_session.html
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  choose-from-2: Choose from:
---

# Configuring a web session

## About this task

A web session specifies the details of how user information is stored.

For more information about this procedure, including optional steps that aren't included here, see [Creating web sessions](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

## Steps

1. Click **Access**, then go to **Web Sessions > Web Sessions**.

2. Click **+ Add Web Session**.

3. In the **Name** field, enter a unique name for the web session, up to 64 characters, including special characters and spaces.

4. In the **Cookie Type** list, select **Encrypted JWT**.

5. In the **Audience** field, enter the audience that the PingAccess token is applicable to, represented as a short, unique identifier between 1 and 32 characters.

   PingAccess rejects requests that contain a PingAccess token with an audience that differs from what is configured in the web session associated with the target application.

6. In the **OpenID Connect Login Type** list, select **Code**.

   The **Code** login type is recommended for maximum security and standards interoperability, but other options are available. Learn more about the available profiles in step 6 of [Creating web sessions](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

7. In the **Client ID** field, enter the unique identifier (client ID) that was assigned when you created the OAuth relying party (RP) client within the token provider.

   Learn more in [Configuring OAuth clients](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_oauth_clients.html) in the PingFederate documentation.

8. In the **Client Credentials Type** list, select a client credentials type.

   Selecting a client credentials type is required when configuring the **Code** login type.

   ### Choose from:

   * **Secret**

   * **Mutual TLS**

   * **Private Key JWT**

     The OAuth client you use with PingAccess web sessions must have an OpenID Connect (OIDC) policy specified. Learn more in [Configuring OpenID Connect Policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_oidc_policies.html).

9. Provide the information required for the selected credential type.

   ### Choose from:

   * **Secret** – Enter the **Client Secret** assigned when you created the OAuth relying party client in the token provider.

   * **Mutual TLS** – Select a configured **Key Pair** to use for Mutual TLS client authentication.

   * **Private Key JWT** – No additional information is required.

10. In the **Idle Timeout** field, specify the amount of time, in minutes, that the PingAccess token remains active when no user activity is detected.

    The default is `60` minutes.

    If there is an existing valid PingFederate session for the user, an idle timeout of the PingAccess session might result in its re-establishment without forcing the user to sign on again.

11. In the **Max Timeout** field, specify the amount of time, in minutes, that the PingAccess token remains active before expiring.

    The default is `240` minutes.

12. Click **Save**.
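The following sketch is an added example, not PingAccess code or part of the original procedure: it checks a planned web session against the limits given in the steps above and models how the audience, idle timeout, and max timeout rules combine for a token. The `WebSessionPlan` class, its field names, the `lint` and `token_decision` functions, and the sample values are all hypothetical, and the treatment of the exact timeout boundary is a choice made for this model.

```python
from dataclasses import dataclass
from typing import Optional

CREDENTIAL_TYPES = ("Secret", "Mutual TLS", "Private Key JWT")

@dataclass
class WebSessionPlan:  # hypothetical record of the values entered in steps 3-11
    name: str
    audience: str
    login_type: str = "Code"
    credentials_type: Optional[str] = None
    client_secret: Optional[str] = None   # needed for "Secret"
    key_pair: Optional[str] = None        # needed for "Mutual TLS"
    idle_timeout_min: int = 60            # default from step 10
    max_timeout_min: int = 240            # default from step 11

def lint(plan):
    """Return the problems found in a planned web session configuration."""
    problems = []
    if not 1 <= len(plan.name) <= 64:
        problems.append("name must be 1-64 characters")
    if not 1 <= len(plan.audience) <= 32:
        problems.append("audience must be 1-32 characters")
    if plan.login_type == "Code" and plan.credentials_type not in CREDENTIAL_TYPES:
        problems.append("Code login type requires a client credentials type")
    if plan.credentials_type == "Secret" and not plan.client_secret:
        problems.append("Secret requires the client secret")
    if plan.credentials_type == "Mutual TLS" and not plan.key_pair:
        problems.append("Mutual TLS requires a key pair")
    if plan.idle_timeout_min > plan.max_timeout_min:
        # Added sanity check, not stated on the page: idle would never fire.
        problems.append("idle timeout exceeds max timeout")
    return problems

def token_decision(plan, token_audience, minutes_since_issue, minutes_idle):
    """Simplified model of the audience and timeout rules described above."""
    if token_audience != plan.audience:
        return "reject: audience mismatch"
    if minutes_since_issue >= plan.max_timeout_min:
        return "expired: max timeout"
    if minutes_idle >= plan.idle_timeout_min:
        return "expired: idle timeout"
    return "accept"

# Constructed sample values, not taken from a real deployment.
plan = WebSessionPlan(name="HR portal session", audience="hr-portal",
                      credentials_type="Mutual TLS")
print(lint(plan))
print(token_decision(plan, "hr-portal", 200, 10))
print(token_decision(plan, "hr-portal", 250, 10))
print(token_decision(plan, "payroll", 5, 1))
```

In the model, recent activity keeps a token from idling out but does not extend it past the max timeout, and an audience mismatch is rejected regardless of how fresh the token is.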
