Soft versus hard timeouts with Access Manager

  • 7002500
  • 29-Jan-2009
  • 26-Apr-2012


Novell Access Manager 3 Linux Access Gateway
Novell Access Manager 3 Windows Novell Identity Server
Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Access Administration


When configuring the Novell Identity (IDP) Server, a session timeout parameter is available that defines a session inactivity timer for users authenticating to the IDP server. This timeout value is also passed to any service provider (ESP) component that has a Liberty relationship with the IDP server, such as a Linux Access Gateway (LAG), SSLVPN server or Java agent.

Session Timeout: The session inactivity time allowed before timing out. This is a global setting that applies to any resource that authenticates to this Identity Server or Identity Server cluster. The default setting is 60 minutes. However, when using Basic authentication and SSL mutual authentication, the browser must be closed to terminate the session.

This session timeout is also known as the hard timeout and is visible in many of the component log files when running in debug mode.

These remote ESP components then calculate a separate, soft timeout that is 66% of the hard timeout value (the actual session timeout configured on the IDP server). If the ESP gets a request from a browser after an idle period of more than this soft timeout, but less than the hard session timeout, then the ESP component has to renew the session with the IDP server. This is done by redirecting the browser to the IDP, even if the session is active. After the session renewal request, the IDP will just redirect back to the ESP with new soft and hard timeout values.

If a request reaches the ESP after the hard timeout set by the IDP server has expired, the ESP has to renew the session with the IDP by redirecting the browser to the IDP, where the user will be prompted to reauthenticate. After this reauthentication, the browser is redirected back to the ESP with new timeout values.
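
The decision an ESP makes on each request, as described in the last two paragraphs, replayed over a constructed request timeline. This is an added example, not Novell code; the function names are hypothetical. It assumes that every handled request restarts the idle timer and that an idle period exactly equal to a threshold has not yet exceeded it, neither of which the article states.

```python
# Added illustration; not Novell code. All times are in minutes.
SOFT_FRACTION = 0.66  # from the article: soft timeout is 66% of the hard timeout


def esp_action(idle, hard_timeout):
    """Classify one request by how long the session has been idle."""
    soft_timeout = hard_timeout * SOFT_FRACTION
    if idle > hard_timeout:
        # Hard timeout expired: browser is sent to the IDP and the user
        # must authenticate again before returning to the ESP.
        return "reauthenticate"
    if idle > soft_timeout:
        # Between soft and hard: browser is sent to the IDP, which redirects
        # straight back with new soft and hard timeout values.
        return "renew"
    return "serve"


def replay(hard_timeout, request_times, login_time=0):
    """Replay request timestamps and return (time, idle, action) per request.

    Assumption: every handled request restarts the idle timer, including
    those that end in a renewal or a successful reauthentication.
    """
    last_activity = login_time
    timeline = []
    for now in request_times:
        idle = now - last_activity
        timeline.append((now, idle, esp_action(idle, hard_timeout)))
        last_activity = now
    return timeline


if __name__ == "__main__":
    # Constructed sample: default 60-minute session timeout, login at minute 0.
    for now, idle, action in replay(60, [10, 45, 90, 155, 195]):
        print(f"t={now:>3} min  idle={idle:>2} min  -> {action}")
```

With the default 60-minute setting the soft timeout is 39.6 minutes, so a user who returns after 40 minutes of inactivity already triggers a browser round trip to the IDP even though no login prompt appears.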