This topic describes the differences between application and authentication sessions.
Application sessions apply to PingFederate applications hosted on its user-facing endpoints, such as the profile management page and the grant management endpoints. When the inactivity threshold or the maximum lifetime is reached, PingFederate redirects previously authenticated users back to the authentication sources, identity provider (IdP) adapter instances or IdP connections, subject to the configuration of authentication sessions.
Authentication sessions control when PingFederate redirects previously authenticated users back to the authentication sources on subsequent requests for browser-based single sign-on (SSO) or PingFederate applications.
Authentication sessions typically wrap an adapter so that PingFederate creates the session when user authentication has succeeded. PingFederate invokes the adapter's authentication logic again only when the session reaches its limits. However, depending on the implementation, an adapter can be aware of an authentication session that wraps it and override this logic. In particular, PingFederate creates authentication sessions configured for an Identifier First Adapter instance only when the complete single sign-on (SSO) transaction has succeeded. This lets the adapter prompt the user for a different user identifier when a chained adapter authentication fails because, for example, there's a typo in the user identifier.
- Session storage options
- When authentication sessions are enabled, PingFederate maintains session data in memory.
- PingFederate also supports maintaining session data both in memory and
on an external storage. This optional capability allows administrators to support
use cases where a longer session duration or a greater resilience against restarts
of PingFederate and browsers is desired. The retrieval and update
operations are optimized to provide a fast and seamless user experience. For
instance, a retrieval from the external storage is only required when an
authentication session is not found in memory. Note:
Persistent authentication sessions require an external storage. For more information, see Defining a datastore for persistent authentication sessions.
- Inactivity (idle) timeout and maximum lifetime
- When authentication sessions are enabled, an authenticated user is not sent back to the authentication system as long as the user makes another request within the idle timeout window, 60 minutes by default. If the user makes another request within the idle timeout window, the authentication session is extended by the idle timeout value, another 60 minutes by default. For externally stored authentication sessions, this operation is optimized to only send updates to the external storage when the remaining idle timeout window is less than 75%.
- An authentication session can be repeatedly extended by multiple requests and
remains valid until the maximum timeout value is reached, in which case the user
will be redirected back to the authentication system. Tip:
The authentication system might or might not challenge the user to complete an authentication process based on its own session management policy or processing logic.
- Configuration options
- Administrators can enable authentication sessions for all authentication sources, with or without making the authentication sessions persistent, and with or without specifying overrides for selected authentication sources.
- Alternatively, administrators can enable authentication sessions for a few
selected authentication sources, optionally with their own sets of overrides. The
override options include:
- Disable or enable authentication sessions
- Make authentication sessions persistent
- Override the idle timeout, the maximum timeout, or both, in minutes, hours, or days
- Enforce authentication requirement based on authentication
Because sessions are tracked with their respective authentication context, administrators can optionally configure PingFederate to compare the requested authentication context found in the authentication request against the authentication context found in the session. If the values do not match, PingFederate redirects the user back to the authentication system.
Tracking options for logout
Administrators can optionally configure additional tracking options for logout to control whether PingFederate should leverage the single logout (SLO) application endpoints to terminate adapter sessions, add sessions to the session revocation list as users sign out, or do both. Publish revoked sessions to provide a secure SLO experience with PingAccess deployments.