PingFederate Server

Configuring authentication sessions

Use the Sessions window to configure and override the default timeout limits for authentication sessions.

Steps

  1. Go to Authentication → Policies → Sessions.

  2. Optional: In the Sessions window, configure the global policy and timeout settings under Authentication Sessions.

    [Screen capture: the Authentication Sessions window, showing the Enable Sessions for All Authentication Sources and Hash Unique User Key Value check boxes and the Idle Timeout and Max Timeout list settings.]

    1. Select the Enable Sessions for All Authentication Sources check box if PingFederate should track authentication sessions for all authentication sources. Clear this check box if you prefer to enable authentication sessions for only a few authentication sources or disable authentication sessions altogether. This check box is not selected by default.

      For any HTML Form Adapter instance that has been configured to allow users to indicate whether their device is shared or private, if a user signs on without selecting the This is my device check box on the login form, PingFederate removes authentication session information, if found, and does not store authentication sessions for the user.

    2. If your use cases require longer sessions or greater resilience against restarts of PingFederate and browsers, select the Make Authentication Sessions Persistent check box.

      Selecting the check box causes the PF.PERSISTENT cookie to be set in the user’s browser. By default, this cookie persists across browser restarts. To allow for very long sessions, the expiration period for the cookie defaults to 94608000 seconds, or 3 years. You can change this period in the cookie-max-age setting in the persistent-session-cookie-config.xml file. If you prefer to have the PF.PERSISTENT cookie cleared on browser exit, set cookie-max-age to -1. Regardless of the cookie’s expiration period, PingFederate always enforces the configured session timeouts. However, a user might lose their session earlier if the PF.PERSISTENT cookie expires or is removed by the browser.

      Persistent authentication sessions require external storage.

      As of version 9.3, PingFederate mitigates denial-of-service (DoS) attacks against the persistent session process. If a request carries a PF.PERSISTENT cookie without a PF cookie, and the same PF.PERSISTENT cookie is presented again, still without a PF cookie, within a specified time, PingFederate treats the repeat as a replay. This time is set to 300 seconds by default, and you can change it by modifying EmptySessionReplayRetentionsSecs in the <pf-install>/server/default/data/config-store/org.sourceid.saml20.service.session.StoredSessionServiceImpl.xml file.

      For example:

      • If a request arrives with a PF.PERSISTENT cookie and without a PF cookie, PingFederate starts counting the time set in EmptySessionReplayRetentionsSecs.

      • If another request arrives with the same PF.PERSISTENT cookie and without a PF cookie within the time specified in the configuration file, PingFederate treats it as a replayed request and does not perform a database lookup.

        You can disable this behavior by setting EmptySessionReplayRetentionsSecs to 0.
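The replay window described above, modelled as an added example (this is not PingFederate's code; the cookie names, the 300-second default and the "0 disables" rule come from the text, while the class, function and sample request trace are constructed here):

```python
# Added example (not PingFederate's code): a model of the empty-session replay
# window documented above. A request carrying PF.PERSISTENT but no PF cookie
# opens a window of EmptySessionReplayRetentionsSecs; the same PF.PERSISTENT
# value seen again without a PF cookie inside that window is treated as a
# replay and skips the session-store lookup. Setting the window to 0 disables it.
EMPTY_SESSION_REPLAY_RETENTION_SECS = 300  # documented default


class EmptySessionReplayGuard:
    def __init__(self, retention_secs=EMPTY_SESSION_REPLAY_RETENTION_SECS):
        self.retention_secs = retention_secs
        self._window_opened = {}  # PF.PERSISTENT value -> time its window opened

    def should_lookup(self, cookies, now):
        """True if the persistent session store should be queried for this request."""
        persistent = cookies.get("PF.PERSISTENT")
        if persistent is None or "PF" in cookies:
            return True  # not the empty-session case; normal processing applies
        if self.retention_secs <= 0:
            return True  # protection disabled
        opened = self._window_opened.get(persistent)
        if opened is not None and now - opened < self.retention_secs:
            return False  # replay inside the window: no database lookup
        self._window_opened[persistent] = now  # first sighting, or window elapsed
        return True

    def purge(self, now):
        """Drop windows that have elapsed so the tracking table stays bounded."""
        self._window_opened = {k: t for k, t in self._window_opened.items()
                               if now - t < self.retention_secs}
        return len(self._window_opened)


def trace_lookups(guard, requests):
    """Run a constructed request trace; return one lookup decision per request."""
    return [guard.should_lookup(cookies, t) for t, cookies in requests]


# Constructed trace: (arrival time in seconds, cookies presented).
SAMPLE_REQUESTS = [
    (1000, {"PF.PERSISTENT": "p1"}),              # opens the window: lookup
    (1100, {"PF.PERSISTENT": "p1"}),              # inside window: replay, no lookup
    (1150, {"PF.PERSISTENT": "p1", "PF": "s1"}),  # PF cookie present: lookup
    (1300, {"PF.PERSISTENT": "p1"}),              # 300 s elapsed: new window, lookup
    (1301, {"PF.PERSISTENT": "p2"}),              # different value: lookup
]

if __name__ == "__main__":
    print(trace_lookups(EmptySessionReplayGuard(), SAMPLE_REQUESTS))
```

The trace shows why the window bounds database load: only the first sighting of a given PF.PERSISTENT value per window reaches the store, and a request that also carries a PF cookie is never affected.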

    3. Select the Hash Unique User Key Value check box if you want the unique user key to be hashed using SHA-256. When this option is enabled, PingFederate associates this hashed value with the particular user’s authentication sessions.

      The hashed value is used for features related to unique user keys; for example, the HTML Form Adapter’s Revoke Sessions After Password Change or Reset option (for more information, see Configuring an HTML Form Adapter instance). The hashed value will be visible in server and audit logs, and in session storage if Make Authentication Sessions Persistent is enabled.

    4. Optional: Override the default timeout values for all authentication sources.

      Field: Idle Timeout

      Description: Modify the default inactivity timeout value in the Idle Timeout field and select a unit of measurement from the list.

      You can enter an integer that represents a time period between 1 minute and 1,095 days. You can also leave the value empty to indicate that the inactivity timeout should match the maximum lifetime.

      The default inactivity timeout value is 60 minutes.

      Field: Max Timeout

      Description: Modify the default maximum lifetime of an authentication session in the Max Timeout field and select a unit of measurement from the list.

      You can enter an integer that represents a time period between 1 minute and 1,095 days. You can also leave the value empty to indicate that authentication sessions do not expire until they are removed from the system.

      The value of the Max Timeout field cannot be less than that of the Idle Timeout field.

      The default maximum timeout value is 480 minutes (eight hours).

  3. Optional: Configure policy and settings for individual authentication sources under Overrides.

    [Screen capture: the Overrides section of the Authentication Sessions window, with columns for Authentication Source, Enable Sessions, Persistent, Override Timeouts, Idle Timeout, Max Timeout, Units, Authentication Context Sensitive, and Action.]

    1. From the Authentication Source list, select an identity provider (IdP) adapter instance or an IdP connection.

    2. Configure individual policy for the selected authentication source as follows.

      Global policy (under Authentication Sessions): The Enable Sessions for All Authentication Sources check box is not selected, so authentication-session tracking is not enabled for all authentication sources.

      Individual policy (under Overrides): Select the Enable Sessions check box to enable authentication-session tracking for the selected authentication source.

      Global policy (under Authentication Sessions): The Enable Sessions for All Authentication Sources check box is selected, so authentication-session tracking is enabled for all authentication sources.

      Individual policy (under Overrides): Clear the Enable Sessions check box to disable authentication-session tracking for the selected authentication source. Select the Enable Sessions check box to override other authentication-session settings for the selected authentication source.

      The Enable Sessions check box is not selected by default.

      For any HTML Form Adapter instance that has been configured to allow users to indicate whether their device is shared or private, if a user signs on without selecting the This is my device check box on the login form, PingFederate removes authentication session information, if found, and does not store authentication sessions for the user.

    3. Select the Persistent check box if your use cases require a longer session duration or a greater resilience against restarts of PingFederate and browsers.

      Available and applicable only if the Enable Sessions check box is selected. The Persistent check box is not selected by default.

      Persistent authentication sessions require external storage.

      The notes under step 2b apply here as well.

    4. If authentication-session tracking is enabled for the selected authentication source and if you want to configure specific timeout values, select the Override Timeouts check box and configure timeout settings.

      Field: Idle Timeout

      Description: You can enter an integer that represents a time period between 1 minute and 1,095 days. You can also leave the value empty to indicate that the inactivity timeout should match the maximum lifetime.

      This field has no default value.

      Field: Max Timeout

      Description: You can enter an integer that represents a time period between 1 minute and 1,095 days. You can also leave the value empty to indicate that authentication sessions do not expire until they are removed from the system.

      The value of the Max Timeout field cannot be less than that of the Idle Timeout field.

      This field has no default value.

      Field: Unit

      Description: Select from the list the unit of measurement for both the Idle Timeout and Max Timeout fields.

      The default selection is Minutes.
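The timeout rules for the global Idle Timeout and Max Timeout fields (step 2d) and for the per-source Override Timeouts fields (step 3d), worked through as an added example that is not PingFederate's code. The limits, defaults and "empty field" meanings come from the text; the Timeouts class, the single shared unit (as in the Overrides form) and the validity check are constructed here:

```python
# Added example (not PingFederate's code) modelling the timeout rules documented
# for the global Idle Timeout / Max Timeout fields and the per-source Override
# Timeouts fields: an empty Idle Timeout means "match the maximum lifetime", an
# empty Max Timeout means "never expire", Max Timeout may not be less than Idle
# Timeout, and each value must lie between 1 minute and 1,095 days.
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_SECONDS = 60
MAX_SECONDS = 1095 * 24 * 3600  # 1,095 days, i.e. 3 years (94608000 s)
UNITS = {"Minutes": 60, "Hours": 3600, "Days": 86400}


@dataclass
class Timeouts:
    idle: Optional[int]  # None models an emptied field
    max: Optional[int]
    unit: str = "Minutes"  # one unit for both fields, as in the Overrides form

    def seconds(self) -> Tuple[Optional[int], Optional[int]]:
        """Validate and normalise to seconds: (idle, max); None = unbounded."""
        scale = UNITS[self.unit]
        idle = None if self.idle is None else self.idle * scale
        mx = None if self.max is None else self.max * scale
        for value in (idle, mx):
            if value is not None and not MIN_SECONDS <= value <= MAX_SECONDS:
                raise ValueError("timeouts must be between 1 minute and 1,095 days")
        if idle is None:
            idle = mx  # empty Idle Timeout: inactivity limit equals max lifetime
        if idle is not None and mx is not None and mx < idle:
            raise ValueError("Max Timeout cannot be less than Idle Timeout")
        return idle, mx


GLOBAL_DEFAULT = Timeouts(idle=60, max=480)  # documented defaults: 60 min / 8 h


def effective_timeouts(global_timeouts, override=None):
    """Per-source values apply only when Override Timeouts is selected (override given)."""
    return (override if override is not None else global_timeouts).seconds()


def session_is_valid(created, last_activity, now, idle, max_lifetime):
    """Apply both limits; a None limit never expires the session on its own."""
    if idle is not None and now - last_activity > idle:
        return False  # inactivity limit exceeded
    if max_lifetime is not None and now - created > max_lifetime:
        return False  # maximum lifetime exceeded
    return True
```

Note that an emptied Max Timeout yields a session that only the idle limit (if any) can end, which is why the text warns that such sessions persist until removed from the system.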

    5. If authentication-session tracking is enabled for the selected authentication source and you want to enforce the authentication requirement based on the authentication context for that source, select the Authentication Context Sensitive check box. This check box is not selected by default.

    6. Click Add.

    7. Repeat these steps to configure individual policy and settings for additional authentication sources.

      Click Edit, Update, or Cancel to make or undo a change to an existing entry. Click Delete or Undelete to remove an existing entry or cancel the removal request.

  4. To save your configuration changes, click Save.

Result

When PingFederate authentication sessions are enabled, you can configure session-validation options for your OAuth use cases. These optional settings let you tie the validity of access tokens to the authentication sessions of the users. For more information, see Managing session validation settings.