How To

How do I configure the login page session timeout in AM 5.5.x and 6.x when using authentication trees?

Last updated Apr 29, 2019

The purpose of this article is to provide information on setting the login page session timeout in AM when you are using authentication trees.


Overview

The login page session timeout specifies how long, in minutes, a user has to log in before the AM login page times out and the session (if it is CTS-based) is removed from the CTS store. The default for the login page session timeout is three minutes.

If a tree-based session times out, you will see errors such as the following in the Authentication debug log:

amAuth:04/15/2019 03:39:02:115 PM BST: Thread[http-nio-8080-exec-240,5,main]: TransactionId[ede0c584-8e19-4888-baba-b6cf2888e289-505507]
ERROR: Unable to construct an appropriate auth session
org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Failed to create session
   at org.forgerock.openam.core.rest.authn.trees.AuthTrees.constructAuthSession(AuthTrees.java:408)
   at org.forgerock.openam.core.rest.authn.trees.AuthTrees.invokeTree(AuthTrees.java:218)
   at org.forgerock.openam.core.rest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:203)
   at org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:163)
   at sun.reflect.GeneratedMethodAccessor137.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
...
Caused by: org.forgerock.openam.dpro.session.InvalidSessionIdException: Invalid session ID.Session not found. This likely means it has expired and been removed.
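
To confirm that failed logins are caused by this timeout rather than another session-creation fault, the following added example (not ForgeRock code) scans an Authentication debug log for records that pair the error above with the expired-session cause. The function names find_tree_timeouts and sample_log are hypothetical, and the log's path depends on your deployment.

```shell
# Added example (POSIX sh + awk). Prints "<date> <time> <AM|PM> <TransactionId>"
# for each debug record that has both the tree error and the expired-session cause.
find_tree_timeouts() {
  awk '
    function emit() {
      if (tree_err && expired) print stamp, txid
      tree_err = 0; expired = 0
    }
    # A new debug record starts with "amAuth:<date> <time> <AM|PM> ...".
    /^amAuth:/ {
      emit()
      stamp = substr($1, 8) " " $2 " " $3
      txid = "unknown"
      if (match($0, /TransactionId\[[^]]+\]/))
        txid = substr($0, RSTART + 14, RLENGTH - 15)
      next
    }
    /ERROR: Unable to construct an appropriate auth session/ { tree_err = 1 }
    /Caused by: .*InvalidSessionIdException/                 { expired = 1 }
    END { emit() }
  ' "$@"
}

# Constructed sample: record 1 is abbreviated from the excerpt above; records 2
# and 3 (timestamps, thread names, TransactionIds, cause text) are invented.
sample_log() {
  cat <<'EOF'
amAuth:04/15/2019 03:39:02:115 PM BST: Thread[http-nio-8080-exec-240,5,main]: TransactionId[ede0c584-8e19-4888-baba-b6cf2888e289-505507]
ERROR: Unable to construct an appropriate auth session
org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Failed to create session
   at org.forgerock.openam.core.rest.authn.trees.AuthTrees.constructAuthSession(AuthTrees.java:408)
Caused by: org.forgerock.openam.dpro.session.InvalidSessionIdException: Invalid session ID.Session not found. This likely means it has expired and been removed.
amAuth:04/15/2019 03:41:10:007 PM BST: Thread[http-nio-8080-exec-7,5,main]: TransactionId[constructed-tx-0002]
ERROR: Unable to construct an appropriate auth session
org.forgerock.openam.core.rest.authn.exceptions.RestAuthException: Failed to create session
Caused by: java.lang.IllegalStateException: constructed unrelated cause
amAuth:04/15/2019 03:44:55:901 PM BST: Thread[http-nio-8080-exec-9,5,main]: TransactionId[constructed-tx-0003]
ERROR: Unable to construct an appropriate auth session
Caused by: org.forgerock.openam.dpro.session.InvalidSessionIdException: Invalid session ID.Session not found. This likely means it has expired and been removed.
EOF
}

sample_log | find_tree_timeouts
```

Pass the path of a real Authentication debug log as the argument to find_tree_timeouts instead of piping in the sample. The second sample record is skipped because its cause is not InvalidSessionIdException.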

Setting the login page session timeout

Note

Please be aware of the following when setting the login page session timeout:

  • You should set the login page session timeout as a server default rather than for an individual server since the overall authentication process will be the same on all servers. If your timeout is not behaving as expected, you should check the Invalidate Session Max Time setting on individual servers to ensure the default value has not been overridden.
  • If you have authentication processes in any of your realms that include authentication modules/chains, you will need to ensure the login page session timeout value is always greater than the timeout value in the authentication modules and takes account of the longest possible authentication process as detailed in How do I configure login page session timeouts in AM/OpenAM (All versions) when using authentication modules?

You can configure the login page session timeout using the console, Amster or ssoadm:

  1. Update the login page session timeout:
    • Console: navigate to Configure > Server Defaults > Session > Session Limits > Invalidate Session Max Time and enter the required number of minutes.
    • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
      • Entity: DefaultSessionProperties
      • Property: com.iplanet.am.session.invalidsessionmaxtime
    • ssoadm: enter the following command:
      $ ./ssoadm update-server-cfg -s default -u [adminID] -f [passwordfile] -a com.iplanet.am.session.invalidsessionmaxtime=[minutes]
      replacing [adminID], [passwordfile] and [minutes] with appropriate values.
  2. Restart the web application container in which AM runs to apply these configuration changes.

See Also

Reference › Session Properties

How do I modify the prompt text shown when authenticating to a tree in AM 5.5.x and 6.x?

FAQ: Customizing, branding and localizing XUI end user pages in AM/OpenAM

Core Token Service (CTS) and sessions in AM/OpenAM

Related Training

ForgeRock Access Management Core Concepts (AM-400)

Related Issue Tracker IDs

N/A



Copyright and Trademarks
Copyright © 2019 ForgeRock, all rights reserved.