How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure user-level session timeouts in AM (All versions)?

Last updated May 10, 2022

The purpose of this article is to provide information on setting user-level session timeouts in AM. This allows you to have different session timeouts per user if you use authentication trees as of AM 6.5.3 or if you use authentication modules. Any user-level settings override the realm and global settings for the specific user.


Overview

There are two user-level session timeouts, which override the realm and global settings:

  • Maximum Session Time - the maximum number of minutes that a session can remain active before a user is required to re-authenticate.
  • Maximum Idle Time - the maximum number of minutes that a session can be idle before a user must re-authenticate.

These settings only apply if you are using authentication trees in AM 6.5.3 and later, or authentication modules.

When setting user-based session timeouts, you must ensure the User Profile property is set to false (Required). These parameters are stored in the user's profile in the identity store, not in the configuration store. This means that AM will not look up the user profile in the data store, and therefore will not read these session parameters, unless User Profile is set to false (Required).

Warning

You cannot set these timeouts at a user-level if you use Active Directory® for your data store as the Session service attributes cannot be mapped to this data store.

Configuring user based session timeouts

You must enable Load Schema (select the Load Schema when saved option in AM 5.x) for your data store prior to specifying user-level settings. You can do this by navigating to Realms > [Realm Name] > Data Stores > [Data Store Name] in the console.

Note

You may need to add the Session service if it is not listed under Services by clicking Add Service or Add and then selecting Session. If you are using ssoadm, you can replace set-identity-svc-attrs in the ssoadm command with add-svc-identity to add this service and set the attributes with the same command.

You can configure the user session timeouts using either the console or ssoadm:

  • AM 6 and later console: navigate to: Realms > [Realm Name] > Identities > [User Name] > Services > Session and enter the required number of minutes for the maximum session time and/or maximum idle time.
  • AM 5.x console: navigate to: Realms > [Realm Name] > Subjects > [User Name] > Services > Session and enter the required number of minutes for the maximum session time and/or maximum idle time.
  • ssoadm: enter the following command for maximum session time, replacing [realmname], [username], [adminID], [passwordfile] and [minutes] with appropriate values:

    $ ./ssoadm set-identity-svc-attrs -s iPlanetAMSessionService -e [realmname] -t User -i [username] -u [adminID] -f [passwordfile] -a iplanet-am-session-max-session-time=[minutes]

  • ssoadm: enter the following command for maximum idle time, replacing [realmname], [username], [adminID], [passwordfile] and [minutes] with appropriate values:

    $ ./ssoadm set-identity-svc-attrs -s iPlanetAMSessionService -e [realmname] -t User -i [username] -u [adminID] -f [passwordfile] -a iplanet-am-session-max-idle-time=[minutes]
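The following POSIX sh script is an added example and is not part of this article or of the AM product; it wraps the two ssoadm commands above so that both user-level timeouts are set for one user in a single call, after checking that the values are positive minute counts and that the idle timeout does not exceed the maximum session time. The ssoadm path, the administrator ID, the password file location and the realm and user names (alpha, bjensen) are constructed assumptions; the get-identity-svc-attrs read-back is a standard ssoadm subcommand but is not one the article itself shows.

```shell
#!/bin/sh
# Added example, not from the ForgeRock article: sets the two user-level session
# timeouts from the article with ssoadm, validating the values first.
# Assumptions (adjust for your install):
#   SSOADM         path to the ssoadm script
#   ADMIN_ID       administrator ID passed with -u
#   PASSWORD_FILE  file holding that administrator's password (ssoadm requires it
#                  to be readable by the owner only, e.g. chmod 400)
# Set SSOADM_DRY_RUN=1 to print the commands that would run instead of running them.

SSOADM="${SSOADM:-/opt/forgerock/am-tools/ssoadm}"   # assumed path
ADMIN_ID="${ADMIN_ID:-amadmin}"
PASSWORD_FILE="${PASSWORD_FILE:-/home/am/.pwd.txt}"  # assumed path

# is_minutes VALUE: true only for a positive integer (both attributes are minute counts).
is_minutes() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
        0*)          return 1 ;;   # zero, or a leading zero
        *)           return 0 ;;
    esac
}

# ssoadm_identity_cmd SUBCOMMAND REALM USER [ATTR=VALUE]
# Builds the ssoadm command from the article for the Session service
# (iPlanetAMSessionService) on a User identity, then runs it or, in dry-run
# mode, prints it on one line.
ssoadm_identity_cmd() {
    _sub=$1; _realm=$2; _user=$3; _attr=$4
    set -- "$SSOADM" "$_sub" -s iPlanetAMSessionService -e "$_realm" -t User \
           -i "$_user" -u "$ADMIN_ID" -f "$PASSWORD_FILE"
    if [ -n "$_attr" ]; then
        set -- "$@" -a "$_attr"
    fi
    if [ "${SSOADM_DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# set_user_session_timeouts REALM USER MAX_SESSION_MINUTES MAX_IDLE_MINUTES
# Writes iplanet-am-session-max-session-time and iplanet-am-session-max-idle-time
# to the user's profile. Returns 2 on bad input, 1 if ssoadm fails.
set_user_session_timeouts() {
    realm=$1; user=$2; max_session=$3; max_idle=$4
    if ! is_minutes "$max_session" || ! is_minutes "$max_idle"; then
        echo "timeouts must be positive integers (minutes): got '$max_session' / '$max_idle'" >&2
        return 2
    fi
    # An idle timeout longer than the maximum session time can never fire, because
    # the session reaches its hard limit first; treat that as a misconfiguration.
    if [ "$max_idle" -gt "$max_session" ]; then
        echo "max idle time ($max_idle) must not exceed max session time ($max_session)" >&2
        return 2
    fi
    ssoadm_identity_cmd set-identity-svc-attrs "$realm" "$user" \
        "iplanet-am-session-max-session-time=$max_session" || return 1
    ssoadm_identity_cmd set-identity-svc-attrs "$realm" "$user" \
        "iplanet-am-session-max-idle-time=$max_idle" || return 1
}

# show_user_session_timeouts REALM USER: reads the Session service attributes back
# from the user's profile so the change can be confirmed.
show_user_session_timeouts() {
    ssoadm_identity_cmd get-identity-svc-attrs "$1" "$2"
}

# Demonstration with constructed realm and user names; only runs in dry-run mode:
#   SSOADM_DRY_RUN=1 sh set-user-session-timeouts.sh
if [ "${SSOADM_DRY_RUN:-0}" = 1 ]; then
    set_user_session_timeouts alpha bjensen 120 30
    show_user_session_timeouts alpha bjensen
fi
```

Run it once with SSOADM_DRY_RUN=1 to see the exact commands it would issue, then without it against a test realm. The read-back at the end is there because the attributes live in the user's profile in the identity store, so confirming them through ssoadm (rather than assuming the write succeeded) is the quickest way to catch a data store that has not had Load Schema enabled or a Session service that was never added to the user.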

See Also

Data stores in AM

Identity Stores

Related Training

N/A

Related Issue Tracker IDs

OPENAM-14782 (AuthTree created Session does not use per User Session Service settings)


Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.