1. Go to the Sessions screen from the Identity Provider or Service Provider menu.
  2. Optional: Configure the global policy and timeout settings under Authentication Sessions.
    1. Select the Enable Sessions for All Authentication Sources check box if PingFederate should track authentication sessions for all authentication sources. Clear this check box if you prefer to enable authentication sessions for only a few authentication sources or disable authentication sessions altogether.
      This check box is not selected by default.
      Note:

      For any HTML Form Adapter instance that has been configured to allow users to indicate whether their device is shared or private, if a user signs on without selecting the This is my device check box on the login form, PingFederate removes authentication session information (if found) and does not store authentication sessions for the user.

    2. Select the Make Authentication Sessions Persistent check box if your use cases require a longer session duration or greater resilience against restarts of PingFederate and browsers.
      This check box is not selected by default.
      Note:

      Persistent authentication sessions require external storage.

      Note:

      As of version 9.3, PingFederate mitigates denial-of-service attacks against the persistent-session lookup. A request that carries a PF.PERSISTENT cookie but no PF cookie triggers a lookup in the session store and starts a timer; if the same PF.PERSISTENT cookie arrives again without a PF cookie before the timer expires, PingFederate treats the request as a replay and skips the lookup. The timer is 300 seconds by default, and you can change it by modifying EmptySessionReplayRetentionsSecs in the <pf-install>/server/default/data/config-store/org.sourceid.saml20.service.session.StoredSessionServiceImpl.xml file.

      For example:

      • If a request arrives with a PF.PERSISTENT cookie and without a PF cookie, PingFederate performs the lookup and starts counting the time set in EmptySessionReplayRetentionsSecs.
      • If another request arrives with the same PF.PERSISTENT cookie and without a PF cookie within the time specified in the configuration file, PingFederate treats it as a replayed request and does not perform a database lookup.

      You can disable this behavior by setting EmptySessionReplayRetentionsSecs to 0, in which case every such request results in a database lookup and the protection is removed.

    3. Optional: Override the default timeout values for all authentication sources.
      Field: Idle Timeout
      Modify the default inactivity timeout value in the Idle Timeout field and select a unit of measurement from the list.

      You may enter an integer that represents a time period between 1 minute and 1,095 days. You may also leave the field empty to indicate that the inactivity timeout should match the maximum lifetime.

      The default inactivity timeout value is 60 minutes.

      Field: Max Timeout
      Modify the default maximum lifetime of an authentication session in the Max Timeout field and select a unit of measurement from the list.

      You may enter an integer that represents a time period between 1 minute and 1,095 days. You may also leave the field empty to indicate that authentication sessions do not expire until they are removed from the system. Because an empty Idle Timeout follows the maximum lifetime, leaving both fields empty means sessions never expire on their own.

      The value of the Max Timeout field cannot be less than that of the Idle Timeout field.

      The default maximum lifetime is 480 minutes (eight hours).

  3. Optional: Configure policy and settings for individual authentication sources under Overrides.
    1. Select an IdP adapter instance or an IdP connection from the Authentication Source list.
    2. Configure individual policy for the selected authentication source as follows:
      The meaning of the Enable Sessions check box depends on the global policy set under Authentication Sessions:

      • If the Enable Sessions for All Authentication Sources check box is not selected (authentication-session tracking is not enabled for all authentication sources), select the Enable Sessions check box to enable authentication-session tracking for the selected authentication source.

      • If the Enable Sessions for All Authentication Sources check box is selected (authentication-session tracking is enabled for all authentication sources), clear the Enable Sessions check box to disable authentication-session tracking for the selected authentication source, or select it to override the other authentication-session settings (steps 3c through 3e) for the selected authentication source.

      The Enable Sessions check box is not selected by default.

      Note:

      Keep in mind that for any HTML Form Adapter instance that has been configured to allow users to indicate whether their device is shared or private, if a user signs on without selecting the This is my device check box on the login form, PingFederate removes authentication session information (if found) and does not store authentication sessions for the user.

    3. Select the Persistent check box if your use cases require a longer session duration or greater resilience against restarts of PingFederate and browsers.
      Available and applicable only if the Enable Sessions check box is selected. The Persistent check box is not selected by default.
      Note:

      Persistent authentication sessions require external storage.

      Note:

      Notes under step 2b apply here as well.

    4. If authentication-session tracking is enabled for the selected authentication source and if you want to configure specific timeout values, select the Override Timeouts check box and configure timeout settings.
      Field: Idle Timeout
      You may enter an integer that represents a time period between 1 minute and 1,095 days. You may also leave the field empty to indicate that the inactivity timeout should match the maximum lifetime.

      This field has no default value.

      Field: Max Timeout
      You may enter an integer that represents a time period between 1 minute and 1,095 days. You may also leave the field empty to indicate that authentication sessions do not expire until they are removed from the system.

      The value of the Max Timeout field cannot be less than that of the Idle Timeout field.

      This field has no default value.

      Field: Unit
      Select from the list the unit of measurement that applies to both the Idle Timeout and Max Timeout fields.

      The default selection is Minutes.

    5. If authentication-session tracking is enabled for the selected authentication source and you want authentication requirements to be enforced based on the authentication context for that source, select the Authentication Context Sensitive check box.
      This check box is not selected by default.
    6. Click Add.
    7. Repeat these steps to configure individual policy and settings for additional authentication sources.

      Use the Edit, Update, and Cancel workflow to make or undo a change to an existing entry. Use the Delete and Undelete workflow to remove an existing entry or cancel the removal request.

  4. Click Save to keep your configuration.
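The following is an added example, not PingFederate's own code. It models the Idle Timeout and Max Timeout rules from steps 2c and 3d (the 1 minute to 1,095 days range, Max Timeout never less than Idle Timeout, an empty Idle Timeout following the maximum lifetime, an empty Max Timeout meaning no expiry, and a per-source override applying only when Override Timeouts is selected) so that a policy can be sanity-checked before it is saved. The function names, the override dictionary shape and the sample timestamps are assumptions made for this illustration.

```python
# Added example, not PingFederate's own code. It models the Idle Timeout /
# Max Timeout rules from the Sessions screen so a policy can be checked before
# it is saved. Function names, the override dict shape and the sample
# timestamps are assumptions made for this illustration.
from datetime import datetime, timedelta, timezone

UNIT_SECONDS = {"Minutes": 60, "Hours": 3600, "Days": 86400}  # unit list on the screen
MIN_TIMEOUT = timedelta(minutes=1)
MAX_TIMEOUT = timedelta(days=1095)


def to_timedelta(value, unit):
    """Convert an integer field value to a timedelta; None means the field is empty."""
    if value is None:
        return None
    return timedelta(seconds=value * UNIT_SECONDS[unit])


def validate_timeouts(idle, max_, unit="Minutes"):
    """Apply the screen's rules and resolve the empty-field meanings.

    Returns (idle_td, max_td). An empty Idle Timeout resolves to the max lifetime;
    an empty Max Timeout stays None, meaning the session only ends when removed.
    Raises ValueError for an out-of-range value or max < idle.
    """
    idle_td = to_timedelta(idle, unit)
    max_td = to_timedelta(max_, unit)
    for name, td in (("Idle Timeout", idle_td), ("Max Timeout", max_td)):
        if td is not None and not (MIN_TIMEOUT <= td <= MAX_TIMEOUT):
            raise ValueError(f"{name} must be between 1 minute and 1,095 days")
    if idle_td is not None and max_td is not None and max_td < idle_td:
        raise ValueError("Max Timeout cannot be less than Idle Timeout")
    if idle_td is None:
        idle_td = max_td
    return idle_td, max_td


def timeouts_are_valid(idle, max_, unit="Minutes"):
    """True if the Sessions screen would accept this pair of values."""
    try:
        validate_timeouts(idle, max_, unit)
        return True
    except ValueError:
        return False


GLOBAL_DEFAULTS = validate_timeouts(60, 480)  # screen defaults: 60 min idle, 8 h max


def effective_timeouts(override=None):
    """A per-source override applies only when its Override Timeouts box is selected."""
    if override and override.get("override_timeouts"):
        return validate_timeouts(override.get("idle"), override.get("max"),
                                 override.get("unit", "Minutes"))
    return GLOBAL_DEFAULTS


def session_state(created, last_activity, now, override=None):
    """Classify a session as 'active', 'idle-expired' or 'max-expired'."""
    idle_td, max_td = effective_timeouts(override)
    if max_td is not None and now - created >= max_td:
        return "max-expired"  # max lifetime wins even if the user is still active
    if idle_td is not None and now - last_activity >= idle_td:
        return "idle-expired"
    return "active"


def demo_session_states():
    """Constructed sample sessions checked against the global defaults and one
    per-source override of 1 day idle / 7 days max (values chosen for this example)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    override = {"override_timeouts": True, "idle": 1, "max": 7, "unit": "Days"}
    return {
        "fresh": session_state(t0, t0 + timedelta(minutes=30), t0 + timedelta(minutes=59)),
        "idle": session_state(t0, t0, t0 + timedelta(minutes=61)),
        "max": session_state(t0, t0 + timedelta(hours=7, minutes=50), t0 + timedelta(hours=8)),
        "override": session_state(t0, t0, t0 + timedelta(hours=23), override),
    }


if __name__ == "__main__":
    print(demo_session_states())
```

The "max" sample shows the point operators most often miss: a user who was active ten minutes ago is still signed out once the maximum lifetime is reached, because Max Timeout bounds the session regardless of activity.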

When PingFederate authentication sessions are enabled, you can also configure session-validation options for your OAuth use cases. These optional settings tie the validity of access tokens to the authentication sessions of the users who obtained them. For more information, see Managing session validation settings.
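The following is an added example, not PingFederate's own code. It models the persistent-cookie replay guard described in the note under step 2b: a request with a PF.PERSISTENT cookie and no PF cookie is looked up once and starts a timer, repeats of the same cookie inside the window are rejected without a store lookup, and a window of 0 disables the guard. The class name, the cookie dictionaries, the fake clock and the sample cookie value are assumptions made for this illustration; only the rule and the 300-second default come from the page.

```python
# Added example, not PingFederate's own code. It models the persistent-cookie
# replay guard described under step 2b. The class name, the cookie dicts and
# the fake clock are assumptions made for this illustration; only the rule and
# the 300-second default come from the page.
import time


class ReplayGuard:
    """Per-cookie timer for PF.PERSISTENT requests that carry no PF cookie."""

    def __init__(self, retention_secs=300, lookup=None, clock=time.monotonic):
        self.retention_secs = retention_secs            # EmptySessionReplayRetentionsSecs
        self.lookup = lookup or (lambda cookie: None)   # stand-in for the store lookup
        self.clock = clock
        self._first_seen = {}   # PF.PERSISTENT value -> time its window started
        self.lookups = 0        # how many store lookups the guard allowed

    def handle(self, cookies):
        """Process one request's cookies (a dict of name -> value).

        Returns 'has-pf-session', 'no-persistent-cookie', 'looked-up' or
        'replay-skipped'.
        """
        if "PF" in cookies:
            return "has-pf-session"             # live session cookie: guard not involved
        persistent = cookies.get("PF.PERSISTENT")
        if persistent is None:
            return "no-persistent-cookie"
        now = self.clock()
        if self.retention_secs > 0:
            started = self._first_seen.get(persistent)
            if started is not None and now - started < self.retention_secs:
                return "replay-skipped"         # inside the window: no store lookup
            self._first_seen[persistent] = now  # first sighting, or window expired
            self._expire(now)
        self.lookups += 1
        self.lookup(persistent)
        return "looked-up"

    def _expire(self, now):
        """Drop timers whose window has passed so the map cannot grow unbounded."""
        for value, started in list(self._first_seen.items()):
            if now - started >= self.retention_secs:
                del self._first_seen[value]


def demo_replay():
    """Constructed traffic: the same PF.PERSISTENT cookie, never with a PF
    cookie, sent at t=0, t=10 and t=400 seconds, first through a guard using
    the 300-second default and then through one with the guard disabled (0)."""
    clock_now = {"t": 0.0}

    def clock():
        return clock_now["t"]

    request = {"PF.PERSISTENT": "constructed-persistent-cookie-value"}

    guard = ReplayGuard(300, clock=clock)
    guarded = []
    for t in (0.0, 10.0, 400.0):
        clock_now["t"] = t
        guarded.append(guard.handle(request))

    disabled = ReplayGuard(0, clock=clock)
    unguarded = []
    for t in (0.0, 10.0, 400.0):
        clock_now["t"] = t
        unguarded.append(disabled.handle(request))

    return {
        "guarded": guarded, "guarded_lookups": guard.lookups,
        "disabled": unguarded, "disabled_lookups": disabled.lookups,
    }


if __name__ == "__main__":
    print(demo_replay())
```

The two runs make the trade-off concrete: with the default window the second request costs no store lookup, while the request at t=400 is past the window and is looked up again; with the setting at 0 every request reaches the store, which is exactly the load the guard exists to bound.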