Session limits typically cover 4 main items: total number of sessions a user can have at any one time, the max length of each session, the max idle time and max caching time.
In an out-of-the-box deployment of ForgeRock AM, these settings are configured via the session service. However, there are a few tweaks that can be made to allow these settings to be applied per user or per tree flow. For example, think of the following scenario: a user is logging in via a device, location or network that has a higher risk rating.
Perhaps you would like to reduce session length on a BYOD device running an out of support version of Android to have a length of only 15 minutes. If they switched back to their main trusted device, we can spin that back to 1hr.
Another example could be spotting a higher suspicion of bot activity for a particular user. Maybe we need to set the entire quota limit to 1, to stop a bot spawning multiple sessions with the same credentials.
This is all pretty trivial to do.
First, add the session service on a per-user basis. Navigate to the user identity in the UI and simply add in the session service.
You could of course add that service programmatically. It's an entry on the user's profile within the idRepo, so you can use a connector via IDM or a simple REST call.
So how can we alter it dynamically? Well, in AM 7.0 we have extended the scripted decision bindings so they can access the profile store directly: basically getter/setter methods to read and write profile data.
As the session service on the user is essentially a set of LDAP attributes added to the user profile, we can alter them directly as we please during an authentication tree flow.
Clearly the scripting aspect could be used to increase or decrease the main session service values as necessary. The four attributes to manipulate are:
"iplanet-am-session-max-caching-time"
"iplanet-am-session-quota-limit"
"iplanet-am-session-max-session-time"
"iplanet-am-session-max-idle-time"
These should be pretty self-explanatory.
A basic script to reduce session length to 1 minute could look like the following:
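//Set max session length
var currentUser = sharedState.get("username"); //username collected by an earlier node in the tree
var sessionMaxTime = "iplanet-am-session-max-session-time";
var sessionMaxTimeValue = "1"; //minutes
logger.message("Set Session Script: " + sessionMaxTime + " " + sessionMaxTimeValue + " for user " + currentUser);
idRepository.setAttribute(currentUser, sessionMaxTime, [sessionMaxTimeValue]);
outcome = "true"; //a scripted decision node must set an outcome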
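The risk scenarios described earlier (15 minutes on an untrusted device, 1 hour on a trusted one, a quota of 1 when bot activity is suspected), as an added example that is not part of the original post. The shared-state keys deviceTrusted and botSuspected, the baseline quota of 5, and the choice to treat missing signals as high risk are assumptions.

```javascript
// Added example: "deviceTrusted" and "botSuspected" are hypothetical
// shared-state flags set by earlier nodes; baseline quota 5 is assumed.
var ATTR = {
  maxSession: "iplanet-am-session-max-session-time",
  quota: "iplanet-am-session-quota-limit"
};

// Decide limits from risk signals. Missing signals count as high risk,
// so a risk node that failed to run cannot widen a session.
function sessionLimitsFor(signals) {
  var trusted = String(signals.deviceTrusted) === "true";
  var bot = String(signals.botSuspected) !== "false"; // unknown counts as suspected
  var limits = {};
  limits[ATTR.maxSession] = trusted ? "60" : "15"; // minutes
  limits[ATTR.quota] = bot ? "1" : "5";            // concurrent sessions
  return limits;
}

// Write each limit to the profile; reject anything that is not a positive
// whole number before it reaches the identity store.
function applySessionLimits(repo, user, limits) {
  var written = [];
  for (var name in limits) {
    if (!/^[1-9][0-9]*$/.test(limits[name])) {
      throw new Error("Refusing to write " + name + "=" + limits[name]);
    }
    repo.setAttribute(user, name, [limits[name]]);
    written.push(name + "=" + limits[name]);
  }
  return written;
}

// Runs only inside an AM scripted decision node, where these bindings exist.
if (typeof idRepository !== "undefined" && typeof sharedState !== "undefined") {
  var user = sharedState.get("username");
  var limits = sessionLimitsFor({
    deviceTrusted: sharedState.get("deviceTrusted"),
    botSuspected: sharedState.get("botSuspected")
  });
  logger.message("Session limits for " + user + ": " +
    applySessionLimits(idRepository, user, limits).join(", "));
  outcome = "true";
}
```

Because the limits are recomputed and rewritten on every authentication, a user who returns on a trusted device gets the longer session back without any separate reset step.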