Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual page 19


Default Timeout: Specify the session timeout you want assigned as a default value when you
create a contract. This value is also assigned to a session when the Identity Server cannot
associate a contract with the authenticated session. During federation, if the authentication
request uses a type rather than a contract, the Identity Server cannot always associate a contract
with the request.
The traditional SSL VPN server uses the Any Contract option for authentication. The user is
assigned the timeout value of the contract used for authentication, and not this default timeout
value.
If you want to know what timeout value the SSL VPN user is assigned, you need to select a
contract with the appropriate timeout value. Click Devices > Access Gateways > [Name of
Reverse Proxy] > [Name of Proxy Service] > SSLVPN_Default. The SSLVPN_Default name is
the default name for the SSL VPN protected resource. If you have modified this name, select
that protected resource. In the Authentication Procedure option, select a name/password
contract with the appropriate timeout value.
Limit User Sessions: Specify whether user sessions are limited. If selected, you can specify
the maximum number of concurrent sessions a user is allowed to authenticate.
If you decide to limit user sessions, you should also give close consideration to the session
timeout value (the default is 60 minutes). If the user closes the browser without logging out (or
an error causes the browser to close), the session is not cleared until the session timeout
expires. If the user session limit is reached and those sessions have not been cleared with a
logout, the user cannot log in again until the session timeout expires for one of the sessions.
When enabled, this option affects performance in a cluster with multiple Identity Servers.
When a user is limited to a specific number of sessions, the Identity Servers must check with
the other servers before establishing a new session.
Allow multiple browser session logout: Specify whether a user with more than one session to
the server is presented with an option to log out of all sessions. If you do not select this option,
only the current session can be logged out. Deselect this option in instances where multiple
users log in as guests. Then, when one user logs out, none of the other guests are logged out.
When you enable this option, you must also restart any Embedded Service Providers that use
this Identity Server configuration.
7. To configure TCP timeouts, fill in the following fields:
LDAP: Specify how long an LDAP request to the user store can take before timing out.
Proxy: Specify how long a request to another cluster member can take before timing out.
When a member of a cluster receives a request from a user who has authenticated with another
cluster member, the member sends a request to the authenticating member for information
about the user.
Request: Specify how long an HTTP request to another device can take before timing out.
8. To control which protocols can be used for authentication, select one or more of the following
protocols.
IMPORTANT: Enable only the protocols that you are using.
If you are using other Access Manager devices such as the Access Gateway, SSL VPN, or the
J2EE Agents, you need to enable the Liberty protocol. The Access Manager devices use an
Embedded Service Provider. If you disable the Liberty protocol, you disable the trusted
relationships these devices have with the Identity Server, and authentication fails.
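
The lockout described under Limit User Sessions can be reproduced with a small model. This is an added example, not Novell's code or part of the original guide: the SessionTable class, its methods, and the sample user and times are hypothetical, and it assumes abandoned sessions see no further activity, so each one expires one timeout after login.

```python
# Added illustration: a toy model of "Limit User Sessions" combined with the
# session timeout. Not Access Manager code; all names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class SessionTable:
    max_sessions: int            # concurrent sessions allowed per user
    timeout_min: int = 60        # session timeout (the guide's default)
    _sessions: dict = field(default_factory=dict)  # user -> {sid: expiry}
    _next_sid: int = 1

    def _purge(self, user, now):
        """Drop sessions whose timeout has expired."""
        live = {s: e for s, e in self._sessions.get(user, {}).items() if e > now}
        self._sessions[user] = live
        return live

    def login(self, user, now):
        """Return a session id, or None if the user is at the limit."""
        live = self._purge(user, now)
        if len(live) >= self.max_sessions:
            return None
        sid = self._next_sid
        self._next_sid += 1
        live[sid] = now + self.timeout_min
        return sid

    def logout(self, user, sid):
        """An explicit logout frees the slot immediately."""
        self._sessions.get(user, {}).pop(sid, None)

    def locked_out_until(self, user, now):
        """Minute at which the next login can succeed (now if a slot is free)."""
        live = self._purge(user, now)
        return now if len(live) < self.max_sessions else min(live.values())

def demo():
    """Constructed scenario: limit 2, timeout 60, times in minutes."""
    t = SessionTable(max_sessions=2)
    a = t.login("alice", 0)      # browser later closed without logout
    b = t.login("alice", 10)     # browser later crashes
    blocked = t.login("alice", 20)               # both slots still held
    retry_at = t.locked_out_until("alice", 20)   # when session `a` expires
    still_blocked = t.login("alice", 59)
    c = t.login("alice", 60)     # succeeds once session `a` has timed out
    t.logout("alice", c)         # clean logout frees the slot at once
    d = t.login("alice", 61)
    return blocked, retry_at, still_blocked, c is not None, d is not None
```
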
Configuring an Identity Server