When you configure protected resources to use different contracts with different timeouts, they can
keep each other alive when they share the same activity realm. If protected resources should not
affect each other's activity, they must not share a common activity realm.
You can assign a contract to multiple activity realms. With this configuration, activity on a resource updates the timelines of all activity realms associated with the contract. As long as one of the activity realms has activity within the contract's timeout limit, the user's session remains authenticated.
Activity realms are defined by specifying a name, and the names are case insensitive. Use a comma-separated list to specify multiple names. The system has two default realms that you can use:
Any: Leave the field blank or specify any when you want the user's session to remain alive as long as there is some activity by the user at the Access Gateway or at the Identity Server.
When the Identity Server receives an assertion from another Identity Server that cannot be mapped to a contract, the activity realm is set to any with the timeout value equal to the value of the Tomcat session. (The Tomcat session timeout is set to the greatest timeout value of the contracts configured for the Identity Server.)
NIDPActivity: Specify NIDPActivity for the realm when any activity at the Identity Server by the user can be used to keep the user's session alive.
When you place multiple contracts in the same activity realm, you need to plan carefully so that security limits aren't overruled by activity on less critical protected resources. You also need to carefully balance the desire for single sign-on with the need to require reauthentication for sensitive data. Highly sensitive resources are most secure when they are protected by a contract that is created from its own unique method and that is assigned its own unique activity realm. For more information, see "Assigning a Timeout Per Protected Resource" in the Novell Access Manager 3.1 SP2 Access Gateway Guide.
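To make the shared-realm risk concrete, here is an added Python model (not Access Manager code; the Contract and Session classes, the contract names, realm names and timeouts are constructed for illustration) of the rules above: activity on a contract refreshes every realm it is assigned to, and the contract stays authenticated while any of its realms saw activity within that contract's timeout.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    """An authentication contract with its inactivity timeout and activity realms."""
    name: str
    timeout: int        # seconds of inactivity after which the contract expires
    realms: frozenset   # realm names, lowercased because names are case insensitive

    @staticmethod
    def make(name, timeout, realm_field):
        # realm_field is the comma-separated realm list; blank means the default "any" realm
        names = [r.strip().lower() for r in realm_field.split(",") if r.strip()]
        return Contract(name, timeout, frozenset(names or ["any"]))


class Session:
    """Tracks the time of the most recent activity in each realm for one user session."""

    def __init__(self):
        self.last_activity = {}   # realm name -> timestamp of the latest activity

    def record_activity(self, contract, now):
        # Activity on a resource protected by `contract` refreshes every realm of that contract
        for realm in contract.realms:
            self.last_activity[realm] = now

    def is_authenticated(self, contract, now):
        # Authenticated while at least one of the contract's realms saw activity within its timeout
        return any(now - self.last_activity[realm] <= contract.timeout
                   for realm in contract.realms if realm in self.last_activity)


def keepalive_scenario(sensitive_realms):
    """Constructed scenario: a 1-hour low-security contract in realm "intranet" and a
    5-minute sensitive contract in `sensitive_realms`. The user authenticates to both at
    t=0, then only touches the low-security resource. Returns whether the sensitive
    contract is still alive at t=800s."""
    low = Contract.make("name-password-basic", 3600, "intranet")
    sensitive = Contract.make("x509-payroll", 300, sensitive_realms)
    session = Session()
    session.record_activity(low, 0)
    session.record_activity(sensitive, 0)
    for t in (250, 500, 750):
        session.record_activity(low, t)
    return session.is_authenticated(sensitive, 800)


if __name__ == "__main__":
    print("shared realm keeps the sensitive contract alive:", keepalive_scenario("Intranet"))  # True
    print("unique realm lets it expire:", keepalive_scenario("payroll"))                      # False
```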
3.5 Specifying Authentication Defaults
You can specify default values for how the system processes user stores and authentication
contracts. The default contract is executed when users access the system without a specified
contract, and when the Access Gateway is configured to use any authentication.
Additional default contracts can be specified for well-known authentication types that might be
required by a service provider. These contracts are executed when a request for a specific
authentication type comes from a service provider.
1 In the Administration Console, click Devices > Identity Servers > Edit > Local > Defaults.
130 Novell Access Manager 3.1 SP2 Identity Server Guide