There are two notable symptoms associated with this issue:
- An individual user can have more concurrent sessions than are permitted, where some of the sessions have an idle time that exceeds the idle timeout limit. This can be seen in the console or using other session monitoring methods as detailed in How do I monitor session statistics in AM/OpenAM (All versions)? Although these sessions are visible in the console, the amadmin user may not always be able to invalidate them. This issue with concurrent sessions can also cause SAML requests to fail, where concurrent requests are received.
- Old sessions are not expired as expected. You will intermittently see one of the following messages in your browser or in response to a REST call, even though the sessions should be destroyed automatically to prevent the maximum number being reached:
Maximum Sessions Limit Reached
Maximum sessions limit reached or session quota has exhausted
Retrying often resolves it and allows you to log in.
You will also witness this behavior in the logs. The following examples show the type of errors you may see depending on your setup / use cases:
- amAuthentication.error log:
"2017-05-03 11:42:12" "Maximum Sessions Limit Reached." 198.51.100.0 "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" email@example.com,ou=user,ou=employees,dc=openam,dc=forgerock,dc=org "Not Available" nasacom "Not Available" ou=employees,dc=openam,dc=forgerock,dc=org INFO 198.51.100.0 AUTHENTICATION-200
- Authentication debug log:
amAuth:04/05/2017 11:32:54:495 AM GMT: Thread[ajp-apr-8009-exec-220,5,main] Error message is : Maximum Sessions Limit Reached.
amAuthUtils:04/05/2017 11:32:54:495 AM GMT: Thread[ajp-apr-8009-exec-220,5,main] URL name : PostProcessLoginFailureURL Value : Not set - null or empty string
amAuth:04/05/2017 11:32:54:495 PM GMT: Thread[ajp-apr-8009-exec-220,5,main] processURL : null
amAuthREST:04/05/2017 11:32:54:495 PM GMT: Thread[ajp-apr-8009-exec-220,5,main] AuthenticationService.authenticate() :: Rest Authentication Exception
org.forgerock.openam.forgerockrest.authn.exceptions.RestAuthErrorCodeException: Maximum Sessions Limit Reached.
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:284)
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.processAuthentication(RestAuthenticationHandler.java:251)
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.authenticate(RestAuthenticationHandler.java:160)
    at org.forgerock.openam.forgerockrest.authn.RestAuthenticationHandler.initiateAuthentication(RestAuthenticationHandler.java:93)
    at org.forgerock.openam.forgerockrest.authn.restlet.AuthenticationServiceV1.authenticate(AuthenticationServiceV1.java:133)
- Session debug log:
amSession:05/04/2017 10:48:39:378 AM EST: Thread[http-0.0.0.0:8080-1,5,main] SessionConstraint.checkQuotaAndPerformAction: Session quota exhausted.
amSession:05/04/2017 10:49:18:378 AM EST: Thread[http-0.0.0.0:8080-1,5,main] Failed to destroy the next expiring session.
com.iplanet.dpro.session.SessionException: Session is in a destroyed state
    at com.iplanet.dpro.session.Session.getSession(Session.java:1170)
    at com.iplanet.dpro.session.Session.getSession(Session.java:1133)
    at com.iplanet.dpro.session.Session.getSession(Session.java:1118)
- Federation debug log:
libSAML2:05/04/2017 10:45:02:306 PM GMT: Thread[http-nio-8080-exec-34,5,main] ERROR: spAssertionConsumer.jsp: SSO failed.
com.sun.identity.saml2.common.SAML2Exception: Login Failed Maximum Sessions Limit Reached.|maxSessions.jsp
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1328)
    at org.apache.jsp.saml2.jsp.spAssertionConsumer_jsp._jspService(spAssertionConsumer_jsp.java:255)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    ...
Caused by: com.sun.identity.plugin.session.SessionException: Login Failed Maximum Sessions Limit Reached.|maxSessions.jsp
    at com.sun.identity.plugin.session.impl.FMSessionProvider.createSession(FMSessionProvider.java:285)
    at com.sun.identity.saml2.profile.SPACSUtils.processResponse(SPACSUtils.java:1307)
    ... 35 more
Caused by: com.sun.identity.authentication.spi.AuthLoginException: Login Failed
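The four log excerpts above carry a small set of recurring message fragments. As an added example (not from the original article or from AM/OpenAM itself), the following Python scanner looks for those fragments across the log sources and reports whether the combination this article describes (quota errors together with a failed "destroy next expiring session") is present. The sample lines are constructed from the excerpts above; the log source names are labels chosen here, not AM configuration values.

```python
import re
from collections import Counter

# Sample log lines constructed from the excerpts in this article. One extra,
# unrelated failure line is included to show that it is not counted.
SAMPLE_LOGS = {
    "amAuthentication.error": [
        '"2017-05-03 11:42:12" "Maximum Sessions Limit Reached." 198.51.100.0 '
        '"cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" INFO 198.51.100.0 AUTHENTICATION-200',
        '"2017-05-03 11:42:13" "Some unrelated failure (constructed)." 198.51.100.0 INFO 198.51.100.0 AUTHENTICATION-100',
    ],
    "Authentication": [
        "amAuth:04/05/2017 11:32:54:495 AM GMT: Thread[ajp-apr-8009-exec-220,5,main] "
        "Error message is : Maximum Sessions Limit Reached.",
    ],
    "Session": [
        "amSession:05/04/2017 10:48:39:378 AM EST: Thread[http-0.0.0.0:8080-1,5,main] "
        "SessionConstraint.checkQuotaAndPerformAction: Session quota exhausted.",
        "amSession:05/04/2017 10:49:18:378 AM EST: Thread[http-0.0.0.0:8080-1,5,main] "
        "Failed to destroy the next expiring session.",
    ],
    "Federation": [
        "libSAML2:05/04/2017 10:45:02:306 PM GMT: Thread[http-nio-8080-exec-34,5,main] "
        "ERROR: spAssertionConsumer.jsp: SSO failed. com.sun.identity.saml2.common.SAML2Exception: "
        "Login Failed Maximum Sessions Limit Reached.|maxSessions.jsp",
    ],
}

# Message fragments taken from the log excerpts in this article.
SIGNATURES = {
    "quota_reached": re.compile(
        r"Maximum Sessions Limit Reached|Session quota exhausted|session quota has exhausted", re.I),
    "destroy_failed": re.compile(r"Failed to destroy the next expiring session", re.I),
    "saml_sso_failed": re.compile(r"SSO failed\..*Maximum Sessions Limit Reached", re.I),
}


def scan(logs):
    """Count signature hits per (log source, signature name)."""
    hits = Counter()
    for source, lines in logs.items():
        for line in lines:
            for name, pattern in SIGNATURES.items():
                if pattern.search(line):
                    hits[(source, name)] += 1
    return hits


def total(hits, signature):
    """Sum hits for one signature across all log sources."""
    return sum(n for (_, name), n in hits.items() if name == signature)


def assess(hits):
    """Quota errors plus a failed 'destroy next expiring' is the pattern this article describes."""
    if total(hits, "quota_reached") and total(hits, "destroy_failed"):
        return "quota-race-suspected"
    if total(hits, "quota_reached"):
        return "quota-reached-only"
    return "no-quota-errors"


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for (source, name), n in sorted(hits.items()):
        print(f"{source:25} {name:18} {n}")
    print("verdict:", assess(hits))
```

To run it against a real deployment, replace SAMPLE_LOGS with the lines read from the corresponding debug and audit files; a "quota-reached-only" verdict on its own can also be a user legitimately hitting the quota, so the session debug log is the one to check.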
- Enabled session quota constraints.
- Changed the session quota behavior to DESTROY_NEXT_EXPIRING (default setting), DESTROY_OLDEST_SESSION or DESTROY_LAST.
Concurrent attempts to authenticate are not subject to quota constraints. These concurrent attempts can originate from either a single server or a multi-server deployment.
This issue happens because the time taken to persist a session to CTS (and replicate it to the other CTS instances) is longer than the interval before a second instance queries for that user's active sessions. The session quota is always checked before a new session is activated, so if the first session has not yet been persisted and replicated when the second instance runs its check, the check under-counts and the quota can be exceeded.
This issue can be resolved by upgrading to AM 5.5 or later, or to OpenAM 13.5.1; you can download these from BackStage.
This is an interim fix in AM 5.5.x and OpenAM 13.5.1: it is still possible to exceed the configured quota constraints, but AM/OpenAM now recovers properly when a new authentication attempt is made.
A suggested workaround for this issue is to set the session quota behavior to DESTROY_OLD_SESSIONS; once the session quota is reached, this option invalidates all previous sessions and resets the session count to 0.
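The race described under the cause above, and the reason the DESTROY_OLD_SESSIONS workaround helps, can be made concrete with a small model. The following Python is an added example written for this article; it is not AM/OpenAM code. `CtsModel` is a constructed, deliberately simplified stand-in for CTS in which a session written on one instance becomes visible to the other only after `replicate()` runs, and the quota check reads the local view before the new session is activated, as the article states. Behavior names are the page's own; treating DESTROY_NEXT_EXPIRING and DESTROY_OLDEST_SESSION as "remove one session" is a modelling assumption, and the recovery logic of the fixed versions is not modelled.

```python
class CtsModel:
    """Toy CTS with replication lag (constructed for this article, not AM code).

    `committed` is the true, ordered list of sessions (index 0 is oldest).
    `visible[instance]` is what each AM instance sees when it runs the
    quota check; new sessions reach other instances only via replicate().
    """

    def __init__(self, instances):
        self.committed = []
        self.visible = {name: [] for name in instances}

    def persist(self, instance, session_id):
        # The writing instance sees its own session immediately; peers do not.
        self.committed.append(session_id)
        self.visible[instance].append(session_id)

    def replicate(self):
        # Replication catches up: every instance now sees the full picture.
        for name in self.visible:
            self.visible[name] = list(self.committed)

    def destroy(self, session_id):
        self.committed.remove(session_id)
        for view in self.visible.values():
            if session_id in view:
                view.remove(session_id)


def login(cts, instance, session_id, quota, behavior):
    """Quota check happens BEFORE the new session is activated."""
    active = list(cts.visible[instance])          # possibly stale view
    if len(active) >= quota:
        if behavior == "DESTROY_OLD_SESSIONS":
            victims = active                      # invalidate every previous session
        elif behavior in ("DESTROY_NEXT_EXPIRING", "DESTROY_OLDEST_SESSION"):
            victims = active[:1]                  # model: oldest session expires next
        else:
            raise ValueError(f"behavior not modelled: {behavior}")
        for victim in victims:
            cts.destroy(victim)
    cts.persist(instance, session_id)


def race_scenario(behavior, quota=1):
    """Two logins for one user on two instances before replication catches up.

    Returns (sessions over quota right after the race,
             total sessions after the next login has run with replication done).
    """
    cts = CtsModel(["am1", "am2"])
    login(cts, "am1", "s1", quota, behavior)      # am1 sees 0 sessions, activates s1
    login(cts, "am2", "s2", quota, behavior)      # am2 still sees 0: s1 not replicated yet
    over_quota = len(cts.committed) - quota       # quota is now exceeded by one
    cts.replicate()
    login(cts, "am1", "s3", quota, behavior)      # this login sees both s1 and s2
    return over_quota, len(cts.committed)


def sequential_scenario(behavior, quota=1):
    """Same logins, but replication completes between them: no overage."""
    cts = CtsModel(["am1", "am2"])
    login(cts, "am1", "s1", quota, behavior)
    cts.replicate()
    login(cts, "am2", "s2", quota, behavior)      # sees s1, destroys it, activates s2
    return len(cts.committed) - quota, len(cts.committed)


if __name__ == "__main__":
    for b in ("DESTROY_NEXT_EXPIRING", "DESTROY_OLD_SESSIONS"):
        print(b, "race:", race_scenario(b), "sequential:", sequential_scenario(b))
```

In this model the remove-one behaviors keep the user one session over quota after the race, because each later login destroys one session and adds one, whereas DESTROY_OLD_SESSIONS clears all previous sessions and brings the count back to the quota, which is the effect the workaround relies on.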