How to tell the difference between subjects, sessions and principals

  • 7007323
  • 07-Dec-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway

Situation

Many Access Manager statistics screens include information about user sessions, subjects and principals. For example, when enabling IDP logging on the Identity Server, the option exists to enable Statistics. When this statistics-based logging is enabled, the catalina.out file on both the Identity Server (IDP) and Access Gateway (LAG) hosts will log how many user sessions exist on that host, how many subjects, and the number of principals. A snippet of the Statistics output is shown below:

<amLogEntry> 2010-12-08T17:50:55Z VERBOSE NIDS Statistics:
NIDPMonitor: Tick: 2
  System Status
   Initialization State: Started
   Total Sessions: 19
   Total Subjects: 11
   Total Principals: 29
   System Memory
    Free Memory: 8.8934854E8
    Total Memory: 1.03795917E9
    Percent Free: 85.68242

Resolution

The session count is the total number of Tomcat sessions on that host (accessing either the IDP, or the ESP on the LAG). When a user accesses the IDP or ESP and is assigned a JSESSIONID cookie, that is the equivalent of one session. Opening a second browser on the same host and accessing the same service will generate a second JSESSIONID and increment the session count.

A subject is a unique identifier for the user that has logged in. If a user logs in with the same unique userID from multiple hosts, or from multiple browsers on the same host, a single subject is created rather than several.

The principal count indicates how many federated identities exist for the authenticated subjects on that host. If multiple users have SAML federations with multiple SAML service providers, the principal count is the number of federated identities summed over all subjects on the host.

Looking at a practical example, assume no users have yet accessed the Access Manager setup. The first user logs in and we monitor the statistics on the IDP server; we will see:

- one session; one subject; zero or many principals, depending on the number of federated identities (nidsGUID entries) for that subject
 
Now we open another browser on the same host and log in again to the Identity Server with the same userID. We will now see:

- two sessions; one subject; the same number of principals
 
Finally, we open another browser on the same or a different workstation and log in with a new userID. We will see:

- three sessions; two subjects; more principals
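To watch these three counters over time rather than reading catalina.out by hand, the following added example (not part of this TID or of Access Manager) parses one NIDS Statistics entry into a record and derives the sessions-per-subject and principals-per-subject ratios; the sample entry is the one quoted above, embedded as a constant, and the field names and layout are assumed to be exactly as shown there.

```python
import re
from dataclasses import dataclass

# Constructed sample: the Statistics block quoted in this TID.
SAMPLE_ENTRY = """<amLogEntry> 2010-12-08T17:50:55Z VERBOSE NIDS Statistics:
NIDPMonitor: Tick: 2
  System Status
   Initialization State: Started
   Total Sessions: 19
   Total Subjects: 11
   Total Principals: 29
   System Memory
    Free Memory: 8.8934854E8
    Total Memory: 1.03795917E9
    Percent Free: 85.68242
"""

HEADER_RE = re.compile(r"<amLogEntry>\s+(\S+)\s+VERBOSE NIDS Statistics:")
TICK_RE = re.compile(r"NIDPMonitor:\s*Tick:\s*(\d+)")
# Indented "Key: value" lines whose value is a single token.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S+)\s*$", re.MULTILINE)

@dataclass
class NidpStats:
    timestamp: str
    tick: int
    sessions: int     # Tomcat sessions (one per JSESSIONID) on this host
    subjects: int     # distinct logged-in users
    principals: int   # federated identities summed over all subjects
    percent_free: float

    def sessions_per_subject(self) -> float:
        # Browsers/hosts per logged-in user; 0.0 when nobody is logged in.
        return self.sessions / self.subjects if self.subjects else 0.0

    def principals_per_subject(self) -> float:
        # Average number of federated identities per subject.
        return self.principals / self.subjects if self.subjects else 0.0

def parse_stats(entry: str) -> NidpStats:
    """Parse one NIDS Statistics entry as written to catalina.out."""
    header, tick = HEADER_RE.search(entry), TICK_RE.search(entry)
    if not header or not tick:
        raise ValueError("not a NIDS Statistics entry")
    fields = dict(FIELD_RE.findall(entry))  # KeyError if a counter is absent
    return NidpStats(timestamp=header.group(1), tick=int(tick.group(1)),
                     sessions=int(fields["Total Sessions"]),
                     subjects=int(fields["Total Subjects"]),
                     principals=int(fields["Total Principals"]),
                     percent_free=float(fields["Percent Free"]))
```

A sudden rise in sessions per subject with a flat subject count matches the second scenario above (extra browsers or hosts for the same users), while a rise in subjects matches new userIDs logging in.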
 
The principals can often be seen in the catalina.out file when DEBUG logging is enabled. A typical entry looks as follows:
 
DN cn=admin,o=novell GUID 810de4119743d711a8d400c04fb1d4e2
Full Name Admin User Authority Id cn=USx4jza1,cn=An1f414,cn=SCCh9zn7g,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
Authority Name Paddy User Store
Subject Id 7
Provided Identities https://windidp.lab.novell.com:8443/nidp/saml2/metadata nFUYWar6PPPGtsOU4bLAl+22y5vgtseZRyZyaQ== https://neillinidp.dublin.novell.com:8443/nidp/saml2/metadata zJRWebeIjW7N45bBtOeWyLzrmcq/6pzCHH0pMg==
Consumed Identities
https://neilwinidp.dublin.novell.com:8443/nidp/saml2 pXMBjsvFUKrr/ovcqPqN26T3g9Cv/4jWkPi32Q== local 810de4119743d711a8d400c04fb1d4e2