Configuring Session Quotas
AM lets you limit the number of active sessions for a user by setting session quotas. Use this feature, for example, to prevent a user from logging in from more than two devices at once, mitigating scenarios where user passwords may have been compromised.
AM's support for session quotas requires CTS-based sessions.
The session quota applies to all sessions opened for the same user (as represented by the user's universal identifier). To configure session quotas and exhaustion in AM, perform the following steps:
Log in to the AM console as an administrative user, for example,
Navigate to Configure > Global Services > Sessions > Session Quotas.
From the Enable Quota Constraints drop-down menu, select
On the Set Resulting behavior if session quota exhausted property, set one of the following values:
Deny access, preventing the user from creating an additional session.
Remove the next session to expire, and create a new session for the user. The next session to expire is the session with the minimum time left until expiration.
This is the default setting.
Remove the oldest session, and create a new session for the user.
Remove all existing sessions, and create a new session for the user.
If none of these session quota exhaustion actions fit your deployment, you can implement a custom session quota exhaustion action. For an example, see "Customizing CTS-Based Session Quota Exhaustion Actions".
Navigate to Realms > Realm Name > Services > Session.
On the Set Active User Sessions property, configure the maximum number of concurrent sessions a user can have.
Note that you can also change this setting globally for the AM site in Configure > Sessions > Dynamic Attributes.
Save your work.