The timeout stanza entry, located in the [session] stanza of the WebSEAL configuration file, globally sets the maximum lifetime timeout value for all client session information stored in the WebSEAL session cache. You can override this global lifetime value with a per-client lifetime value that is provided as a header in the authentication response from an external authentication interface service. This value is extracted by WebSEAL and stored as an extended attribute in the user's credential.
WebSEAL receives the client-specific timeout information as the value of a header in the authentication response from the external authentication interface. WebSEAL uses the value of that header to set the lifetime timeout of the new session cache entry for that client. This value overrides the value of the timeout stanza entry.
The value must represent an absolute time expressed as the number of seconds since 00:00:00 UTC, January 1, 1970 (UNIX epoch time). The output of the UNIX time() function, for example, represents the correct format of this absolute time value. Note that this is an absolute expiry instant, not a duration: the external authentication interface must add the intended lifetime to the current time before placing the value in the header.
The following steps summarize the necessary configuration for setting a client-specific cache entry lifetime timeout value:
If the am_eai_xattr_session_lifetime header is present in a flagged response from the external authentication interface, WebSEAL adds the value to the user's credential as an extended attribute. The entry in the credential for this example appears as follows:
am_eai_xattr_session_lifetime:1129225478
After the credential is successfully built, WebSEAL creates an entry in the session cache for that client and uses the value of the extended attribute to set the lifetime timeout for that client's session cache entry.
If the am_eai_xattr_session_lifetime header is not supplied, WebSEAL uses the default timeout value provided by the timeout stanza entry.
For example, in a Tivoli® Federated Identity Manager environment, there is an optional element of a Liberty authentication response that is used by an identity provider to dictate to a service provider the duration of a user’s session at the service provider.
By modifying the external authentication interface used to authenticate users, a single attribute (the value derived from the identity provider token) can be returned to WebSEAL and used to set the lifetime timeout of the session cache entry for that user. The service provider should always request a new single sign-on interaction with the identity provider once this cache entry lifetime value has expired, rather than extending the local session on its own.
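The following Python example, added here and not taken from IBM's WebSEAL or Tivoli Federated Identity Manager code, works through the procedure above end to end: an external authentication interface derives the absolute expiry from an identity-provider token and places it in the am_eai_xattr_session_lifetime header, and a simplified model of the WebSEAL side applies the header value when present or falls back to the [session] timeout stanza value when it is absent. The page does not say how WebSEAL treats a malformed header value; this example rejects it with an error so that an EAI bug is visible rather than silently producing a default-lifetime session. Everything else here is an assumption for illustration: the expiry in the identity-provider token is modelled as an ISO 8601 UTC timestamp, the EAI response is modelled as a dict of headers, and DEFAULT_TIMEOUT stands in for the timeout stanza entry.

```python
"""Added example (not IBM's code): producing and consuming the
am_eai_xattr_session_lifetime header described on this page.

Assumptions, not stated on the page:
  - the identity-provider token carries its session expiry as an ISO 8601
    UTC timestamp (the real Liberty element is not named here),
  - the EAI authentication response is modelled as a plain dict of headers,
  - DEFAULT_TIMEOUT stands in for the timeout entry of the [session] stanza,
  - a malformed header value is rejected (the page does not specify this).
"""
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

LIFETIME_HEADER = "am_eai_xattr_session_lifetime"
DEFAULT_TIMEOUT = 3600  # assumed value of the [session] timeout stanza entry, in seconds


def lifetime_from_token_expiry(expires_at_iso: str) -> int:
    """Convert an IdP-asserted expiry instant (ISO 8601, UTC) to the absolute
    format WebSEAL expects: whole seconds since 00:00:00 UTC, 1 January 1970,
    i.e. the same value the UNIX time() function would return at that instant."""
    dt = datetime.fromisoformat(expires_at_iso.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
    return int(dt.timestamp())


def build_eai_response(session_expiry_iso: Optional[str]) -> Dict[str, str]:
    """Headers the (hypothetical) EAI application adds to its flagged
    authentication response. The lifetime header is only emitted when the
    identity provider dictated a session duration; the other EAI headers a
    real response needs are omitted here because the page does not cover them."""
    headers: Dict[str, str] = {}
    if session_expiry_iso is not None:
        headers[LIFETIME_HEADER] = str(lifetime_from_token_expiry(session_expiry_iso))
    return headers


def credential_attribute(headers: Dict[str, str]) -> Optional[str]:
    """The extended-attribute line WebSEAL adds to the credential, in the
    'name:value' form shown on the page, or None when the header is absent."""
    value = headers.get(LIFETIME_HEADER)
    return None if value is None else f"{LIFETIME_HEADER}:{value}"


def effective_lifetime(headers: Dict[str, str], now: int,
                       default_timeout: int = DEFAULT_TIMEOUT) -> Tuple[int, str]:
    """Simplified model of the WebSEAL side: return the absolute expiry of the
    new session cache entry and where it came from ("header" or "default").

    A present header overrides the stanza value. A header that is not a
    non-negative integer is rejected (assumed behaviour; see module docstring)."""
    value = headers.get(LIFETIME_HEADER)
    if value is None:
        return now + default_timeout, "default"
    if not value.isdigit():
        raise ValueError(f"{LIFETIME_HEADER} must be epoch seconds, got {value!r}")
    return int(value), "header"


def needs_new_sso(expiry: int, now: int) -> bool:
    """True once the cache entry lifetime has passed: the service provider
    should start a new single sign-on interaction with the identity provider
    instead of extending the session locally."""
    return now >= expiry


if __name__ == "__main__":
    # 1129225478 is the value used on the page; it is 2005-10-13T17:44:38Z.
    headers = build_eai_response("2005-10-13T17:44:38Z")
    print(credential_attribute(headers))          # am_eai_xattr_session_lifetime:1129225478
    print(effective_lifetime(headers, now=1129220000))
    print(effective_lifetime({}, now=1129220000))  # falls back to the stanza default
    print(needs_new_sso(1129225478, now=1129225478))
```

The model deliberately keeps the expiry as an absolute instant throughout: the only subtraction happens in needs_new_sso, so a clock-skew problem between the identity provider and WebSEAL shows up as a too-short or too-long lifetime rather than as a silently misparsed header.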