This topic describes the differences between application and authentication sessions.
Application sessions
Application sessions apply to PingFederate applications hosted on its user-facing endpoints, such as the profile management page and the grant management endpoints. When the inactivity threshold or the maximum lifetime of an application session is reached, PingFederate redirects previously authenticated users back to the authentication sources (identity provider (IdP) adapter instances or IdP connections). Whether that redirect actually results in a new authentication prompt depends on the configuration of authentication sessions, described next.
Authentication sessions
Authentication sessions control when PingFederate redirects previously authenticated users back to the authentication sources on subsequent requests for browser-based single sign-on (SSO) or PingFederate applications.
Authentication sessions typically wrap an adapter so that PingFederate creates the session when user authentication has succeeded. PingFederate invokes the adapter's authentication logic again only when the session reaches its limits. However, depending on the implementation, an adapter can be aware of an authentication session that wraps it and override this logic. In particular, PingFederate creates authentication sessions configured for an Identifier First Adapter instance only when the complete single sign-on (SSO) transaction has succeeded. This lets the adapter prompt the user for a different user identifier when a chained adapter authentication fails because, for example, there's a typo in the user identifier.
- Session storage options
- When authentication sessions are enabled, PingFederate maintains session data in memory. Sessions that are made persistent are additionally written to external storage, so they survive beyond the memory of a single node.
- Inactivity (idle) timeout and maximum lifetime
- When authentication sessions are enabled, an authenticated user is not sent back to the authentication source as long as the user makes another request within the idle timeout window, 60 minutes by default. Each request made within that window extends the authentication session by the idle timeout value, another 60 minutes by default. The maximum lifetime caps this extension: once it is reached, the user is sent back to the authentication source regardless of recent activity. For externally stored authentication sessions, the extension is optimized so that PingFederate only sends an update to the external storage when the remaining idle timeout window recorded there is less than 75% of the idle timeout; the in-memory copy is still extended on every request, so the externally stored expiry can lag slightly behind it.
- Configuration options
- Administrators can enable authentication sessions for all authentication sources, with or without making the authentication sessions persistent, and with or without specifying overrides for selected authentication sources.
Alternatively, administrators can enable authentication sessions for a few selected authentication sources, optionally with their own sets of overrides. The override options include:
- Disable or enable authentication sessions.
- Specify the user device type for which authentication sessions will be created.
- Make authentication sessions persistent.
- Override the idle timeout, the maximum timeout, or both, in minutes, hours, or days.
- Enforce authentication requirement based on authentication context.
Because each session is tracked together with the authentication context in which it was created, administrators can optionally configure PingFederate to compare the authentication context requested in the authentication request against the authentication context recorded in the session. If the values do not match, PingFederate redirects the user back to the authentication source even though the session has not yet expired.
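The idle-timeout extension, the lazy write to external storage, and the authentication-context comparison described above, modelled as an added illustration. This is not PingFederate code: the AuthnSession and ExternalStore classes, the 8-hour maximum-lifetime value, the source_config keys, and the decision strings are assumptions made for the example; the 60-minute idle default and the 75% threshold come from the text.

```python
"""Toy model of authentication-session reuse decisions (added example, not PingFederate code)."""
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 60 * 60         # idle window, 60 minutes by default (from the page)
MAX_LIFETIME = 8 * 60 * 60     # maximum lifetime; 8 hours is an assumed value here
WRITE_THRESHOLD = 0.75         # external write only when remaining idle window < 75%


@dataclass
class AuthnSession:
    source_id: str                      # adapter instance or IdP connection
    authn_context: str                  # context recorded when the user authenticated
    created_at: float                   # seconds; anchors the maximum lifetime
    idle_expires_at: float              # in-memory idle deadline
    persistent: bool = False            # mirrored to the external store when True
    stored_idle_expires_at: float = 0.0 # deadline the external store last received


class ExternalStore:
    """Stand-in (hypothetical) for the external session store; counts writes."""

    def __init__(self) -> None:
        self.writes = 0
        self.records: Dict[str, float] = {}

    def put(self, session: AuthnSession) -> None:
        self.writes += 1
        self.records[session.source_id] = session.idle_expires_at


def _idle_deadline(created_at: float, now: float) -> float:
    # The idle window is never extended past the maximum lifetime.
    return min(now + IDLE_TIMEOUT, created_at + MAX_LIFETIME)


def create_session(source_id: str, authn_context: str, now: float,
                   persistent: bool, store: ExternalStore) -> AuthnSession:
    """Create the session after a successful authentication; persist it if configured."""
    session = AuthnSession(source_id, authn_context, now,
                           _idle_deadline(now, now), persistent)
    if persistent:
        store.put(session)
        session.stored_idle_expires_at = session.idle_expires_at
    return session


def evaluate_request(session: AuthnSession, now: float,
                     requested_context: Optional[str],
                     source_config: Dict[str, bool],
                     store: ExternalStore) -> str:
    """Return 'reuse', or the reason the user is sent back to the source."""
    if not source_config.get("sessions_enabled", True):
        return "reauth:sessions-disabled"
    if now >= session.created_at + MAX_LIFETIME:
        return "reauth:max-lifetime"
    if now >= session.idle_expires_at:
        return "reauth:idle-timeout"
    # Optional check: a mismatched requested context forces re-authentication
    # even though the session itself is still valid.
    if (source_config.get("enforce_context", False)
            and requested_context is not None
            and requested_context != session.authn_context):
        return "reauth:context-mismatch"

    # Extend the idle window in memory on every qualifying request ...
    session.idle_expires_at = _idle_deadline(session.created_at, now)
    # ... but only push the new deadline externally once the externally
    # recorded remaining window has dropped below 75% of the idle timeout.
    if session.persistent:
        remaining = session.stored_idle_expires_at - now
        if remaining < WRITE_THRESHOLD * IDLE_TIMEOUT:
            store.put(session)
            session.stored_idle_expires_at = session.idle_expires_at
    return "reuse"
```

Walking a persistent session through requests at 10 and 20 minutes shows the effect: the first request extends the in-memory deadline without an external write (45 minutes remain in the stored copy, which is not below 75% of 60), while the second one, with 40 minutes remaining, triggers the write. A request carrying a different authentication context is refused before any extension happens, and a session that has been continuously active still ends at the maximum lifetime.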
Tracking options for logout
Administrators can optionally configure additional tracking options for logout to control whether PingFederate uses the single logout (SLO) application endpoints to terminate adapter sessions, adds sessions to the session revocation list as users sign out, or does both. Publishing revoked sessions is what lets PingAccess deployments enforce a secure SLO experience, because PingAccess can then reject a session that PingFederate has revoked.