How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure session timeouts in AM (All versions)?

Last updated Sep 2, 2021

The purpose of this article is to provide information on setting session timeouts in AM. There are a number of different session timeouts you can set; this article focuses on setting session timeouts at a global level.


1 reader recommends this article

Overview

There are a number of different session timeouts you can set; this article focuses on setting session timeouts at a global level. 

Note

It is not possible to set global session timeouts in AM 7.x via ssoadm; this is a known issue: OPENAM-18304 (Cannot set session-max-session-time with ssoadm using set-attr-defs). You can either use the console to set global session timeouts or set them at the realm level as detailed in How do I configure realm level session timeouts in AM (All versions)?

Configuring global session timeouts

There are two global session timeouts: Maximum Session Time, which is the maximum number of minutes that a session can remain active before a user is required to re-authenticate and Maximum Idle Time, which is the maximum number of minutes that a session can be idle before a user must re-authenticate.

You can configure the global session timeouts using either the console or ssoadm:

  • Console: navigate to: Configure > Global Services > Session > Dynamic Attributes and enter the required number of minutes for the maximum session time and / or maximum idle time.
  • ssoadm: enter the following command for maximum session time: $ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u [adminID] -f [passwordfile] -a iplanet-am-session-max-session-time=[minutes]replacing [adminID], [passwordfile] and [minutes] with appropriate values.
  • ssoadm: enter the following command for maximum idle time: $ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u [adminID] -f [passwordfile] -a iplanet-am-session-max-idle-time=[minutes]replacing [adminID], [passwordfile] and [minutes] with appropriate values.
Note

There is no recommended value for these session timeouts as they depend on your requirements and configuration. For a combination of security and convenience, you should consider setting the maximum session time to a higher value and the maximum idle time to a relatively low value. From a performance perspective, the maximum session time has to be considered when setting the maximum number of sessions. Unless your sessions expire quickly, you will probably need to set a higher limit for active sessions; the number of sessions is relative to the amount of memory being used, which means you need to adjust the Java™ Virtual Machines (JVM) heap size accordingly.

See Also

How do I configure realm level session timeouts in AM (All versions)?

How do I configure user-level session timeouts in AM (All versions)?

How do I configure login page session timeouts in AM (All versions) when using authentication modules?

How do I change the JVM heap size for AM (All versions)?

Best practice for JVM Tuning with G1 GC

Best practice for JVM Tuning with CMS GC

FAQ: General AM

Global Services Configuration

Tuning Instances

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.