1.3.6 Assigning a Timeout Per Protected Resource
If all your resources are using the same contract and you want them all to have the same timeout for
inactivity, you set the Authentication Timeout option on the contract to the required limit and leave
the Activity Realm option blank. The user logs in, and activity by the user on any resource keeps the
user's session active. The user is prompted to reauthenticate only when the user has no activity on
any resources for longer than the authentication timeout value.
If you have some resources that require a shorter timeout than other resources, you need to balance
the need for single sign-on with the timeout requirements:
To strictly enforce a timeout, the resource needs to be assigned to a custom contract.
To preserve single sign-on, resources need to be assigned to the same contract.
The protected resource is assigned to use a contract, and the timeout is assigned to the contract. For
information on how to configure the contract, see "Configuring Authentication Contracts" in the
Novell Access Manager 3.1 SP2 Identity Server Guide.
The following sections describe four configuration scenarios and the user experience that they
create.
Scenario 1: If strictly adhering to the timeout value is more important than preserving the session or
single sign-on, configure your resources as follows:
Protected resource 1 (PR1) is configured to use contract 1 (C1), which has been created from
method 1 (M1) and placed in its own activity realm (AR1). For this scenario you set the
authentication timeout to 30 minutes.
Protected resource 2 (PR2) is configured to use contract 2 (C2), which has been created from
method 2 (M2) and placed in its own activity realm (AR2). For this scenario, you set the
authentication timeout to 15 minutes.
With this scenario, the user is prompted to log in when accessing PR1 and when accessing PR2.
Each resource has its own time line, because each resource belongs to its own activity realm.
Figure 1-3 illustrates this scenario.
Figure 1-3 Login Requirements with Separate Methods and Separate Activity Realms
[Figure: the AR1 time line (PR1, C1, M1, AR1) and the AR2 time line (PR2, C2, M2, AR2), with
activity marked on an axis in minutes]
After authenticating to both resources and remaining active on both resources for the first 10
minutes, the sessions remain active. The user then stays active on PR1 without accessing PR2 for
over 15 minutes. The AR1 time line is updated with this activity. The AR2 time line is not updated.
When the user accesses PR2 after more than 15 minutes of inactivity on the AR2 time line, the user
is prompted to authenticate. The user then returns to PR1 after over 20 minutes of inactivity, but
the AR1 time line shows activity within the 30-minute timeout. The user is granted access and does not
need to log in again to access PR1.
In this scenario, the resources are independent of each other and do not influence each other's
timeout limits.
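The Scenario 1 time lines can be replayed with a small model. This is an added example, not Novell code: the `Contract` class, the `simulate` function and the sample access minutes are assumptions constructed to follow the narrative above, and the model covers only the case where each contract sits in its own activity realm.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    name: str
    realm: str          # activity realm the contract is placed in
    timeout_min: int    # authentication timeout, in minutes

# Scenario 1 values from the text: PR1 -> C1/AR1 (30 min), PR2 -> C2/AR2 (15 min).
RESOURCES = {
    "PR1": Contract("C1", "AR1", 30),
    "PR2": Contract("C2", "AR2", 15),
}

def simulate(accesses, resources=RESOURCES):
    """Replay (minute, resource) accesses; return (minute, resource, outcome) tuples."""
    last_activity = {}   # realm -> minute of the most recent activity on its time line
    results = []
    for minute, resource in sorted(accesses):
        contract = resources[resource]
        last = last_activity.get(contract.realm)
        # Prompt when the realm has no time line yet, or it has been idle
        # for longer than the contract's authentication timeout.
        if last is None or minute - last > contract.timeout_min:
            outcome = "login"
        else:
            outcome = "granted"
        # A login or any activity updates only this realm's time line.
        last_activity[contract.realm] = minute
        results.append((minute, resource, outcome))
    return results

# Constructed access pattern following the narrative (the minutes are illustrative).
SAMPLE = [(0, "PR1"), (0, "PR2"), (5, "PR1"), (5, "PR2"), (10, "PR1"), (10, "PR2"),
          (15, "PR1"), (20, "PR1"), (26, "PR2"), (35, "PR2"), (45, "PR1")]

if __name__ == "__main__":
    for minute, resource, outcome in simulate(SAMPLE):
        print(f"{minute:>3} min  {resource}  {outcome}")
```

Activity on PR1 never extends the AR2 time line, so the 15-minute limit on PR2 is enforced regardless of how busy the user is elsewhere.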