Timeout configuration - SSO
Introduction
Session timeouts are used in Ubisecure SSO to enhance security. Also known as inactivity timeouts, these can be configured according to the needs of the system as a whole, as well as each individual system or resource to be protected.
The basic principle of session timeouts is that a resource should not be usable if no action has been made after a specified time period. Re-authentication is requested before continued use of the system is permitted.
Timeout Configuration
Timeouts are configured on three or four levels, depending on the authentication components used:
- SSO session
- Ubisecure Application Configuration
- Web Application
- Application integration module / application session
Figure 1. Different levels where timeout can be configured when using a web server filter |
Figure 2. Different levels where timeout can be configured when using an application integration module |
The SSO session timeout value is specified in the Server Security section of the main page of the Ubisecure SSO Management application. This is used as the master maximum timeout value for the system. A separate timeout is also specified for each application used. Time is specified in minutes. The effective SSO session timeout is always the shortest from the following: master timeout and the timeout values of those applications used during the SSO session.
There are different kinds of web applications available for Ubisecure SSO and the type of the application defines whether it has its own timeout settings. Web server filters have timeout settings and application integration modules don't. An example of a web server filter is the Ubisecure Web Application for IIS. An example of an application integration module is Ubisecure SAML SP for Java.
When using a web application that is not directly integrated with the end-user application (see Figure 1), the application also has its own timeout configuration. When using an application integration module that directly integrates with the end-user application, the only timeout setting is the end-user application session timeout (see Figure 2).
The effective session timeout from the application user point of view is always the application session timeout. This means that user can continue to use the application until application session times out. If the SSO session timeout is shorter than the application session timeout and user tries to start using another application after the SSO session has timed out, he has to log in again. If it is important to keep SSO session open the whole time that the user is using some Ubisecure SSO protected application, the SSO session has to be refreshed from the application. There are several ways to do this, which are discussed later in this document.
SSO session timeout is checked only when a request is made to Ubisecure SSO. If the timeout has been exceeded, the user is forced to re-authenticate. If re-authentication is successful, access is granted to the protected resource.
SSO Session Level
The overall system timeout value is specified in the Server Security section of the main page of the Ubisecure SSO Management application. See Figure 3.
Figure 3. Server security configuration in Ubisecure SSO Management |
Changes to this value requires Ubisecure SSO restart.
Ubisecure Application Configuration Level
For each web application used, there is a Ubisecure SSO level setting for the SSO session timeout. This timeout is transferred to the actual web application in the activator file used for activation. For troubleshooting, confirm that the value of the com.ubisecure.ubilogin.uwa.timeout
variable is set correctly in minutes:
com.ubisecure.ubilogin.uwa.timeout=60
Figure 4. Web Application configuration in Ubisecure SSO Management |
The value visible in the Ubisecure web application screen (see Figure 4) may be later changed at the web application level. Changes made only at the web application level after activation will not be reflected in the Ubisecure SSO Management application.
If session timeout is set to 0, it uses server session timeout value. Minimum value for single sign-on session timeout is 1 minute.
The session timeout can also be set separately for individual SAML Service providers. When Ubisecure SSO receives an authentication request from a SAML service provider, the SSO session timeout is refreshed. The new value will be either the system level timeout or the application level timeout, depending on which one is shorter.
Web Application Level
In a solution where web server filters are used there is also a session timeout in the web application level. There are many different web server filters available. In here we will show session timeout settings for Ubisecure Web Application for IIS as an example.
Timeout when using WS-Federation protocol
When using WS-Federation protocol, Web Application timeout is also used as the lifetime of a WS-Federation token. This is done to ensure interoperability with Microsoft SharePoint 2010, which uses token's lifetime to determine the lifetime of the application session.
IIS Application Inactivity Timeout
The timeout value of a virtual directory is set using the Ubilogin tab of the server properties in Microsoft IIS. See Figure 5.
Initially, these values are set when the activator file is imported. After the activator file is imported, it is possible to change the value.
The value Ticket Lifetime(min) specifies the timeout value in minutes. Pre-set values can be selected from the drop down menu or the desired value can be entered directly.
Figure 5. Setting the Ticket Lifetime in the Ubilogin tab of IIS virtual directory properties |
Application Level
When using Web application and your server does not implement session management, i.e., it does not redirect requests to the Ubisecure SSO after a specified period of time, the session will timeout using the value defined in the activator file, which is the value defined in the application configuration window.
The Web Application will invoke the redirection to the Ubisecure SSO on the following HTTP/S request from the user, after the activator file timeout has expired.
ASP.NET Inactivity Timeout
The inactivity timeout for an application is set in the Forms Authentication settings section of the web.config
configuration file.
<authentication mode="Forms" > <forms loginUrl="~/spsso.ashx" <!-- Inactivity timeout in minutes. Must be set lower than the value in Ubisecure SSO Management --> timeout="10" slidingExpiration="true" /> </authentication>
The timeout property is used to specify a limited lifetime for the forms authentication session within ASP.NET. The default value is 30 minutes. The slidingExpiration property is set to true to enforce a sliding session lifetime. This means that the session timeout is periodically reset as long as a user stays active on the site. Both values should be set explicitly, as the default values of each have changed between different versions of IIS.
After the set timeout has been reached, a request is made to Ubisecure SSO via spsso.ashx. If either the Site's global or Web Application's Single Sign-On Session Timeout (minutes) value has been exceeded, re-authentication of the user is requested. Otherwise, no re-authentication is performed and these inactivity timeouts are also reset.
For this reason, the timeout value defined in the web.config file should be set to a slightly smaller value than the shortest setting in Ubisecure SSO.