Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual page 17

Identity server guide

This is a security setting:
Lower it if you want idle sessions to time out with a smaller window of opportunity for someone to take over a session of a user who takes a break, leaving an active session unattended.
Increase it if you want to allow idle users to have a longer time period before they are forced to log in again.
If the resource is configured to use Basic authentication, the session times out, but the browser must be closed to terminate the session.
Limit User Sessions: Specify whether user sessions are limited. If selected, you can specify the maximum number of concurrent authenticated sessions a user is allowed to have.
If you decide to limit user sessions, you should also give close consideration to the session timeout value (the default is 60 minutes). If the user closes the browser without logging out (or an error causes the browser to close), the session is not cleared until the session timeout expires. If the user session limit is reached and those sessions have not been cleared with a logout, the user cannot log in again until the session timeout expires for one of the sessions.
When enabled, this option affects performance in a cluster with multiple Identity Servers. When a user is limited to a specific number of sessions, the Identity Servers must check with the other servers before establishing a new session.
Allow multiple browser session logout: Specify whether a user with more than one session to the server is presented with an option to log out of all sessions. If you do not select this option, only the current session can be logged out. Deselect this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out.
When you enable this option, you must also restart any Embedded Service Providers that use this Identity Server configuration.
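The interaction between the session timeout, the session limit, and the multiple-browser-session logout option is easier to see in code. The following Python model is an added example written for this page, not Novell's implementation: the SessionStore class, its method names, the users "alice" and "bob", and the choice of counting time in minutes are all constructed. It shows why an abandoned browser session holds a slot against the user's limit until the idle timeout clears it, why a shorter timeout frees the slot sooner, and the difference between logging out one session and all of a user's sessions.

```python
"""Toy model of the Identity Server session policy knobs on this page:
idle session timeout, per-user session limit, and single-vs-all logout.
Constructed example; names, units and scenarios are assumptions."""
from dataclasses import dataclass
import itertools


@dataclass
class Session:
    sid: int
    user: str
    last_activity: float  # minutes since an arbitrary epoch (constructed unit)


class SessionStore:
    """Tracks sessions and enforces the timeout and limit settings."""

    def __init__(self, session_timeout=60, max_sessions=None):
        self.session_timeout = session_timeout  # idle minutes before a session is cleared
        self.max_sessions = max_sessions        # None = Limit User Sessions not selected
        self.sessions = {}                      # sid -> Session
        self._ids = itertools.count(1)

    def _clear_expired(self, now):
        # Closing the browser does not clear a session; only the timeout does.
        for sid, s in list(self.sessions.items()):
            if now - s.last_activity >= self.session_timeout:
                del self.sessions[sid]

    def sessions_for(self, user, now):
        self._clear_expired(now)
        return [s for s in self.sessions.values() if s.user == user]

    def login(self, user, now):
        """Return a new session id, or None when the user's session limit is reached."""
        self._clear_expired(now)
        if self.max_sessions is not None and len(self.sessions_for(user, now)) >= self.max_sessions:
            return None
        sid = next(self._ids)
        self.sessions[sid] = Session(sid, user, now)
        return sid

    def activity(self, sid, now):
        """A request on the session resets its idle clock."""
        if sid in self.sessions:
            self.sessions[sid].last_activity = now

    def logout(self, sid, all_sessions=False):
        """Log out the current session only, or every session of the same user
        when the user chooses the 'log out of all sessions' option."""
        s = self.sessions.pop(sid, None)
        if s is not None and all_sessions:
            for other in [o for o in self.sessions.values() if o.user == s.user]:
                del self.sessions[other.sid]
        return s is not None


def abandoned_browser_scenario(session_timeout):
    """alice logs in with a one-session limit, closes the browser without logging
    out, and retries at 30 and 60 minutes. She is blocked until the idle timeout
    has cleared the abandoned session."""
    store = SessionStore(session_timeout=session_timeout, max_sessions=1)
    first = store.login("alice", now=0)
    # No logout call here: the browser was closed with the session still active.
    retry_at_30 = store.login("alice", now=30)
    retry_at_60 = store.login("alice", now=60)
    return {"first": first, "retry_at_30": retry_at_30, "retry_at_60": retry_at_60}


def multi_session_logout_scenario(logout_all):
    """bob has two browser sessions; logging out of one either leaves the other
    alive (logout_all=False) or ends both (logout_all=True). Returns the number
    of bob's sessions left afterwards."""
    store = SessionStore(max_sessions=None)
    a = store.login("bob", now=0)
    store.login("bob", now=1)
    store.logout(a, all_sessions=logout_all)
    return len(store.sessions_for("bob", now=2))


if __name__ == "__main__":
    print(abandoned_browser_scenario(60))  # default timeout: retry at 30 min is blocked
    print(abandoned_browser_scenario(15))  # shorter timeout: retry at 30 min succeeds
    print(multi_session_logout_scenario(False), multi_session_logout_scenario(True))
```

With the default 60-minute timeout the second login at 30 minutes returns None because the abandoned session still counts against the limit; with a 15-minute timeout it succeeds. In a real cluster the `sessions_for` check would be the cross-member query the page mentions, which is where the performance cost of Limit User Sessions comes from.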
7 To configure TCP timeouts, fill in the following fields:
LDAP: Specify how long an LDAP request to the user store can take before timing out.
Proxy: Specify how long a request to another cluster member can take before timing out. When a member of a cluster receives a request from a user who has authenticated with another cluster member, the member sends a request to the authenticating member for information about the user.
Request: Specify how long an HTTP request to another device can take before timing out.
8 To control which protocols can be used for authentication, select one or more of the following protocols:
Liberty: Uses a structured version of SAML to exchange authentication and authorization data between trusted identity providers and service providers and provides the framework for user federation.
IMPORTANT: If you are using other Access Manager devices such as the Access Gateway, SSL VPN, or the J2EE Agents, you need to enable the Liberty protocol. The Access Manager devices use an Embedded Service Provider. If you disable the Liberty protocol, you disable the trusted relationships these devices have with the Identity Server, and authentication fails.
SAML 1.1: Uses XML for exchanging authentication and authorization data between trusted identity providers and service providers.
SAML 2.0: Uses XML for exchanging encrypted authentication and authorization data between trusted identity providers and service providers and provides the framework for user federation.
Configuring an Identity Server