
How do I configure IG 7.x to refresh idle sessions?

Last updated Jun 8, 2021

This article explains how to configure IG to refresh idle sessions when the SingleSignOnFilter is used for authentication with Identity Cloud or AM.



Overview

IG 7 and later allows idle sessions to be refreshed when they are validated. This feature is useful when you use the SingleSignOnFilter for authentication with Identity Cloud or AM but do not have any policy enforcement (PolicyEnforcementFilter). If your route also includes a PolicyEnforcementFilter, you don't need to configure IG to refresh idle sessions because the policy evaluation requests made against Identity Cloud or AM help keep sessions alive.

When the SingleSignOnFilter is used for authentication, IG uses the getSessionInfo endpoint by default to periodically validate the session, but it does not refresh the session. This means a session in Identity Cloud or AM can be seen as idle even though the user is still interacting with IG, and eventually, the session will time out and require the user to re-authenticate.

If you configure IG to refresh idle sessions, IG will use the getSessionInfoAndResetIdleTime endpoint instead to validate sessions, which also refreshes them.

You must be using Identity Cloud, or AM 6.5.3 and later for this functionality to work. Additionally, your sessions must be CTS-based (default) because idle time is not monitored for client-based sessions.

Configuring IG

You can configure IG to refresh idle sessions as follows:

  1. Update the AmService object to include the following properties:
    • sessionIdleRefresh: enabled - set this to true.
    • sessionIdleRefresh: interval - specify the duration to wait after a session becomes idle before it is refreshed.
    • version - specify the AM version you are using. This must be 6.5.3 or later. If you are using Identity Cloud, set this to 7.

For example, with idle sessions configured to refresh 3 minutes after becoming idle:

    "sessionIdleRefresh": {
        "enabled": true,
        "interval": "3 m"
    },
    "version": "7"

Refer to Properties for further information on these properties and Duration for details on what units can be used for specifying intervals.
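The following check is an added example, not ForgeRock code: it reads a parsed route and reports any AmService that still needs the settings above when the route uses a SingleSignOnFilter without a PolicyEnforcementFilter. It assumes the AmService is declared in the route's own heap and that enabled is a literal boolean rather than an expression; the sample route, its URL and the function names are constructed for illustration.

```python
import json

def walk(node):
    """Yield every JSON object nested anywhere in a parsed route."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk(value)

def version_ok(version):
    """True when the AmService version is 6.5.3 or later ("7" for Identity Cloud)."""
    try:
        parts = [int(p) for p in str(version).split(".")]
    except ValueError:
        return False
    return (parts + [0, 0])[:3] >= [6, 5, 3]

def check_route(route):
    """Return findings for one parsed route; an empty list means nothing to fix."""
    objects = list(walk(route))
    types = {o.get("type") for o in objects}
    # Only routes that authenticate with SingleSignOnFilter and have no
    # PolicyEnforcementFilter need the idle refresh.
    if "SingleSignOnFilter" not in types or "PolicyEnforcementFilter" in types:
        return []
    findings = []
    for svc in (o for o in objects if o.get("type") == "AmService"):
        name, cfg = svc.get("name", "<unnamed>"), svc.get("config", {})
        if cfg.get("sessionIdleRefresh", {}).get("enabled") is not True:
            findings.append(f"{name}: sessionIdleRefresh.enabled is not true")
        if not version_ok(cfg.get("version", "")):
            findings.append(f"{name}: version must be 6.5.3 or later")
    return findings

# Constructed sample route (not from the article): SSO only, refresh not configured.
ROUTE = json.loads("""
{"heap": [{"name": "AmService-1", "type": "AmService",
           "config": {"url": "https://am.example.com/am", "version": "6.5.2"}}],
 "handler": {"type": "Chain", "config": {
     "filters": [{"type": "SingleSignOnFilter", "config": {"amService": "AmService-1"}}],
     "handler": "ReverseProxyHandler"}}}
""")

if __name__ == "__main__":
    for finding in check_route(ROUTE):
        print(finding)
```
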

IG Route Logs

Once IG is configured to refresh idle sessions, you will notice calls in the route logs to a new endpoint (sessions?_action=getSessionInfoAndResetIdleTime). This endpoint validates the session and resets the session idle time. You will also notice the user timeouts (latestAccessTime and maxIdleExpirationTime) are being updated when this happens, which indicates idle sessions are being refreshed.

See Also

AmService

SingleSignOnFilter

PolicyEnforcementFilter


Related Issue Tracker IDs

OPENIG-3611 (Provide a way to keep the user's AM session alive when just using the SingleSignOnFilter)



Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.