How do I configure IG 7.x to refresh idle sessions?

Last updated Mar 15, 2022

This article explains how to configure IG to refresh idle sessions when the SingleSignOnFilter is used for authentication with ForgeRock Identity Cloud or AM.


Overview

IG 7 and later allows idle sessions to be refreshed when they are validated. This feature is useful when you use the SingleSignOnFilter for authentication with Identity Cloud or AM but do not have any policy enforcement (PolicyEnforcementFilter). If your route also includes a PolicyEnforcementFilter, you don't need to configure IG to refresh idle sessions because the policy evaluation requests made against Identity Cloud or AM help keep sessions alive.

When the SingleSignOnFilter is used for authentication, IG uses the Identity Cloud or AM getSessionInfo endpoint by default to periodically validate the session, but it does not refresh the session. This means a session in Identity Cloud or AM can be seen as idle even though the user is still interacting with IG, and eventually, the session will time out and require the user to re-authenticate.

If you configure IG to refresh idle sessions, IG will use the Identity Cloud or AM getSessionInfoAndResetIdleTime endpoint instead to validate sessions, which also refreshes them.

You must be using Identity Cloud, or AM 6.5.3 and later for this functionality to work. Additionally, your sessions must be CTS-based (default) because idle time is not monitored for client-based sessions.

Configuring IG

You can configure IG to refresh idle sessions as follows:

  1. Update the AmService object to include the following configuration items:
    • sessionIdleRefresh: enabled - set this to true.
    • sessionIdleRefresh: interval - specify the time between sessionInfo requests after which IG will attempt to refresh a user's session idle time.
    • version - specify the AM version you are using. This must be 6.5.3 or later. If you are using Identity Cloud, set this to 7.

For example, with the interval set to 3 minutes, IG will attempt to refresh the user's session after at least 3 minutes have passed since the last refresh attempt:

    "sessionIdleRefresh": {
        "enabled": true,
        "interval": "3 m"
    },
    "version": "7"

  2. If you are using session idle refresh in conjunction with session caching, you should also set the maximumTimeToCache to the same interval value (or less) to ensure that the session idle refresh feature has a chance of being triggered. For example:

    "sessionCache": {
        "enabled": true,
        "maximumTimeToCache": "3 m"
    },
    "sessionIdleRefresh": {
        "enabled": true,
        "interval": "3 m"
    },

Refer to Duration for details on what units can be used for specifying intervals.
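The following Python check is an added example, not part of the original article or any ForgeRock code. It applies the constraints above to an AmService config: the version requirement and maximumTimeToCache being no longer than the sessionIdleRefresh interval. The unit table is an assumed subset of the IG Duration syntax, and the function names and sample configs are constructed for illustration.

```python
import re

# Subset of IG Duration units; the Duration reference lists the full set (assumption).
UNIT_SECONDS = {"d": 86400, "day": 86400, "days": 86400,
                "h": 3600, "hour": 3600, "hours": 3600,
                "m": 60, "min": 60, "minute": 60, "minutes": 60,
                "s": 1, "sec": 1, "second": 1, "seconds": 1}

def duration_seconds(text):
    """Convert a duration such as "3 m" or "1 hour 30 min" to seconds."""
    lowered = text.strip().lower()
    parts = re.findall(r"(\d+)\s*([a-z]+)", lowered)
    leftover = re.sub(r"\d+\s*[a-z]+", "", lowered).strip(" ,")
    if not parts or leftover or any(u not in UNIT_SECONDS for _, u in parts):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def version_tuple(version):
    return tuple(int(p) for p in str(version).split("."))

def check_am_service(config):
    """Return findings for the "config" of one AmService object (empty list = OK)."""
    refresh = config.get("sessionIdleRefresh", {})
    if not refresh.get("enabled"):
        return ["sessionIdleRefresh is not enabled"]
    findings = []
    version = config.get("version")
    if version is None or version_tuple(version) < (6, 5, 3):
        findings.append(f"version {version!r} must be 6.5.3 or later (7 for Identity Cloud)")
    cache = config.get("sessionCache", {})
    if cache.get("enabled") and "interval" in refresh:
        max_cache = cache.get("maximumTimeToCache")
        if max_cache is None:
            findings.append("sessionCache is enabled but maximumTimeToCache is not set")
        elif duration_seconds(max_cache) > duration_seconds(refresh["interval"]):
            findings.append(f"maximumTimeToCache {max_cache!r} exceeds "
                            f"sessionIdleRefresh interval {refresh['interval']!r}")
    return findings

# Constructed sample configs, not taken from a real deployment.
GOOD = {"version": "7",
        "sessionCache": {"enabled": True, "maximumTimeToCache": "3 m"},
        "sessionIdleRefresh": {"enabled": True, "interval": "3 m"}}
BAD = {"version": "6.5.2",
       "sessionCache": {"enabled": True, "maximumTimeToCache": "10 minutes"},
       "sessionIdleRefresh": {"enabled": True, "interval": "3 m"}}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_am_service(cfg) or "OK")
```
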

IG Route Logs

Once IG is configured to refresh idle sessions, you will notice calls in the route logs to a new endpoint (sessions?_action=getSessionInfoAndResetIdleTime). This endpoint validates the session and resets the session idle time. 

You will also notice the user timeouts (latestAccessTime and maxIdleExpirationTime) are being updated when this happens, which indicates idle sessions are being refreshed.

See Also

AmService

SingleSignOnFilter

PolicyEnforcementFilter

Related Issue Tracker IDs

OPENIG-3611 (Provide a way to keep the user's AM session alive when just using the SingleSignOnFilter)


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.