How do I configure IG 7.x to refresh idle sessions?
The purpose of this article is to provide assistance if you want IG to refresh idle sessions when the SingleSignOnFilter is used for authentication with Identity Cloud or AM.
Overview
IG 7 and later allows idle sessions to be refreshed when they are validated. This feature is useful when you use the SingleSignOnFilter for authentication with Identity Cloud or AM but do not have any policy enforcement (PolicyEnforcementFilter).
When the SingleSignOnFilter is used for authentication, IG uses the getSessionInfo endpoint by default to periodically validate the session, but it does not refresh the session. This means a session in Identity Cloud or AM can be seen as idle even though the user is still interacting with IG, and eventually, the session will time out and require the user to re-authenticate.
You must be using Identity Cloud, or AM 6.5.3 and later for this functionality to work. Additionally, your sessions must be CTS-based (default) because idle time is not monitored for client-based sessions.
Configuring IG
You can configure IG to refresh idle sessions as follows:
- Update the AmService object to include the following properties:
  - sessionIdleRefresh: enabled - set this to true.
  - sessionIdleRefresh: interval - specify the duration to wait after a session becomes idle before it is refreshed.
  - version - specify the AM version you are using. This must be 6.5.3 or later. If you are using Identity Cloud, set this to 7.

  For example, with idle sessions configured to refresh 3 minutes after becoming idle:

  "sessionIdleRefresh": {
      "enabled": true,
      "interval": "3 m"
  },
  "version": "7"
Refer to Configuration Reference › Properties for further information on these properties and Configuration Reference › Duration for details on what units can be used for specifying intervals.
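To check an existing configuration against the three requirements above, the following added example (not part of the original article or of IG itself) scans a heap for AmService objects and reports any that would not refresh idle sessions. The object names, the URL and the sample JSON are constructed, and treating a missing version as a problem is an assumption based on the instruction above to specify it.

```python
import json

MIN_AM_VERSION = (6, 5, 3)  # minimum AM version stated in this article

def parse_version(text):
    """Turn "7" or "6.5.3" into a 3-part tuple, padding missing parts with 0."""
    parts = [int(p) for p in str(text).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def check_am_service(obj):
    """Return a list of problems for one AmService heap object."""
    cfg = obj.get("config", {})
    refresh = cfg.get("sessionIdleRefresh") or {}
    problems = []
    # Only literal JSON values are checked; expressions are not evaluated.
    if refresh.get("enabled") is not True:
        problems.append("sessionIdleRefresh.enabled is not true")
    if not refresh.get("interval"):
        problems.append("sessionIdleRefresh.interval is not set")
    version = cfg.get("version")
    if version is None:
        problems.append("version is not set")
    else:
        try:
            if parse_version(version) < MIN_AM_VERSION:
                problems.append(f"version {version} is older than 6.5.3")
        except ValueError:
            problems.append(f"version {version!r} is not numeric")
    return problems

def check_config(text):
    """Map each AmService name in the heap to its list of problems."""
    heap = json.loads(text).get("heap", [])
    return {o.get("name", "?"): check_am_service(o)
            for o in heap if o.get("type") == "AmService"}

# Constructed sample configuration: names and URL are hypothetical.
SAMPLE = """{"heap": [
  {"name": "AmService-good", "type": "AmService",
   "config": {"url": "https://am.example.com/am", "version": "7",
              "sessionIdleRefresh": {"enabled": true, "interval": "3 m"}}},
  {"name": "AmService-old", "type": "AmService",
   "config": {"url": "https://am.example.com/am", "version": "6.5.2",
              "sessionIdleRefresh": {"enabled": true}}},
  {"name": "ClientHandler-1", "type": "ClientHandler", "config": {}}
]}"""

if __name__ == "__main__":
    for name, problems in check_config(SAMPLE).items():
        print(name, "OK" if not problems else problems)
```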
IG Route Logs
Once IG is configured to refresh idle sessions, you will notice calls in the route logs to a new endpoint (sessions?_action=getSessionInfoAndResetIdleTime). This endpoint validates the session and resets the session idle time. You will also notice the user timeouts (latestAccessTime and maxIdleExpirationTime) are being updated when this happens, which indicates idle sessions are being refreshed.
See Also
Configuration Reference › AmService