Setting a client-specific session cache entry lifetime value

About this task

The timeout stanza entry, located in the [session] stanza of the WebSEAL configuration file, globally sets the maximum lifetime timeout value for all client session information stored in the WebSEAL session cache. You can override this global lifetime value with a per-client lifetime value that is provided as a header in the authentication response from an external authentication interface service. This value is extracted by WebSEAL and stored as an extended attribute in the user's credential.

WebSEAL receives the client-specific timeout information as the value of a header in the authentication response from the external authentication interface. WebSEAL uses the value of that header to set the lifetime timeout of the new session cache entry for that client. This value overrides the value of the timeout stanza entry.

The value must represent an absolute time expressed as the number of seconds since 00:00:00 UTC, January 1, 1970 (a UNIX epoch time), not a duration. The output of the UNIX time() function, for example, represents the correct format of this absolute time value.

The following steps summarize the necessary configuration for setting a client-specific cache entry lifetime timeout value:

Procedure

  1. Configure the custom external authentication interface program to provide, in its authentication response, an HTTP header containing the session cache lifetime timeout value appropriate for that client. The required name of this header is:
    am_eai_xattr_session_lifetime

    Note: The name of this particular header is not configurable.
    For example:
    am_eai_xattr_session_lifetime:1129225478
  2. Configure the custom external authentication interface program to additionally provide an HTTP header that specifies a comma-delimited list of HTTP header names that contain extended attribute values.
    You must configure WebSEAL to look for this header name (see step 4). The default name for this header is am-eai-xattrs. (The am-eai-xattrs header name is configurable.)
  3. Configure the custom external authentication interface program to include the am_eai_xattr_session_lifetime header name as a value to the am-eai-xattrs header. For example:
    am-eai-xattrs: am_eai_xattr_session_lifetime
  4. Use the [eai] stanza of the WebSEAL configuration file to specify the names of the HTTP headers that contain authentication data returned from the external authentication interface server.
    In the [eai] stanza, ensure that WebSEAL looks for the am-eai-xattrs header name:
    [eai]
    eai-xattrs-header = am-eai-xattrs

    Note: Header names used for the external authentication interface can be customized. Ensure that the custom external authentication interface module is written to use the header names as configured.

Results

If the am_eai_xattr_session_lifetime header is present in a flagged response from the external authentication interface, and is listed in the am-eai-xattrs header, WebSEAL adds the value to the user's credential as an extended attribute. The entry in the credential for this example appears as follows:
am_eai_xattr_session_lifetime:1129225478

After the credential is successfully built, WebSEAL creates an entry in the session cache for that client and uses the value of the extended attribute to set the lifetime timeout for that client's session cache entry.

If the am_eai_xattr_session_lifetime header is not supplied, WebSEAL uses the default timeout value provided by the timeout stanza entry in the [session] stanza.
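The following Python code is an added example, not WebSEAL's own code and not part of the original page. It shows the header contract from both sides: an EAI building its response with an absolute lifetime value, and the extraction that WebSEAL performs, including the fallback to the global timeout when the header is missing. It also checks for the common mistake of sending a duration (such as 900) where an absolute epoch time is required. The am-eai-flag and am-eai-user-id header names and the global timeout of 3600 seconds are assumptions made for the example; check them against your own [eai] and [session] stanzas.

```python
"""Added example: producing and consuming the am_eai_xattr_session_lifetime header.

Hypothetical code that mirrors the header contract described on this page;
it is not WebSEAL's implementation.
"""
import time
from typing import Dict, Optional

# Header names taken from the page.  The am-eai-xattrs name must match the
# eai-xattrs-header entry in the [eai] stanza; the lifetime header name is fixed.
XATTRS_HEADER = "am-eai-xattrs"
LIFETIME_HEADER = "am_eai_xattr_session_lifetime"

# Assumed default user-id and flag header names (not shown on this page).
USER_ID_HEADER = "am-eai-user-id"
FLAG_HEADER = "am-eai-flag"

# Assumed value of the timeout entry in the [session] stanza, in seconds.
GLOBAL_TIMEOUT = 3600


def build_eai_response_headers(user_id: str, lifetime_seconds: Optional[int] = None,
                               expires_at: Optional[int] = None,
                               now: Optional[int] = None) -> Dict[str, str]:
    """Build the EAI response headers that grant a session with a per-client lifetime.

    Either a relative lifetime (converted to an absolute epoch time here) or an
    absolute expiry already supplied by an identity provider may be given.
    `now` is injectable so the conversion is testable.
    """
    if (lifetime_seconds is None) == (expires_at is None):
        raise ValueError("give exactly one of lifetime_seconds or expires_at")
    if expires_at is None:
        if lifetime_seconds <= 0:
            raise ValueError("lifetime must be positive")
        now = int(time.time()) if now is None else now
        expires_at = now + lifetime_seconds
    return {
        FLAG_HEADER: "TRUE",
        USER_ID_HEADER: user_id,
        XATTRS_HEADER: LIFETIME_HEADER,       # names the headers that carry xattrs
        LIFETIME_HEADER: str(int(expires_at)),  # absolute time, seconds since epoch
    }


def extract_extended_attributes(headers: Dict[str, str],
                                xattrs_header: str = XATTRS_HEADER) -> Dict[str, str]:
    """Mimic WebSEAL's extraction: each header named in the comma-delimited
    am-eai-xattrs list becomes a credential extended attribute.
    HTTP header names are case-insensitive, so matching is done in lower case."""
    lowered = {k.lower(): v for k, v in headers.items()}
    listed = lowered.get(xattrs_header.lower(), "")
    xattrs = {}
    for name in (n.strip() for n in listed.split(",")):
        if name and name.lower() in lowered:
            xattrs[name] = lowered[name.lower()].strip()
    return xattrs


def session_expiry(headers: Dict[str, str], now: int,
                   global_timeout: int = GLOBAL_TIMEOUT,
                   xattrs_header: str = XATTRS_HEADER) -> int:
    """Return the absolute epoch second at which the session cache entry expires.

    The per-client attribute wins when present and numeric; otherwise the
    global timeout stanza value applies from the time the entry is created.
    """
    raw = extract_extended_attributes(headers, xattrs_header).get(LIFETIME_HEADER)
    if raw is not None and raw.isdigit():
        return int(raw)
    return now + global_timeout


def check_eai_lifetime(headers: Dict[str, str], now: int) -> Optional[str]:
    """Self-check for EAI authors.  Returns a problem description, or None if OK."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = extract_extended_attributes(headers).get(LIFETIME_HEADER)
    if LIFETIME_HEADER in lowered and raw is None:
        return f"{LIFETIME_HEADER} is sent but not listed in {XATTRS_HEADER}"
    if raw is None:
        return None  # no per-client value; the global timeout applies
    if not raw.isdigit():
        return "lifetime value is not a non-negative integer"
    if int(raw) <= now:
        # A duration such as 900 lands in 1970: already expired.
        return "lifetime is not in the future (was a duration sent instead of an absolute time?)"
    return None


if __name__ == "__main__":
    t0 = 1129224578  # constructed 'now' so the output matches the page's example value
    hdrs = build_eai_response_headers("alice", lifetime_seconds=900, now=t0)
    print(hdrs[LIFETIME_HEADER], session_expiry(hdrs, t0), check_eai_lifetime(hdrs, t0))
```

The constructed time base is chosen so that a 900-second lifetime yields 1129225478, the value used in the page's own example; run stand-alone the script prints that value, the matching expiry and None from the self-check. The check_eai_lifetime function is what an EAI author would call on their own output before deploying: it catches a lifetime header that is not advertised in am-eai-xattrs, a non-numeric value, and the duration-versus-absolute-time mistake.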


Example

In a Tivoli® Federated Identity Manager environment, there is an optional element of a Liberty authentication response that is used by an identity provider to dictate to a service provider the duration of a user's session at the service provider.

By modifying the external authentication interface used to authenticate users, a single attribute (the value derived from the identity provider token) can be returned to WebSEAL and used to set the lifetime timeout of the session cache entry for that user. The service provider should always request a new single sign-on interaction with the identity provider once this cache entry lifetime value has expired.