Enforce Timeouts across Multiple Realms

User session timeouts are governed by the realm that the user first logs into. If a user enters a new realm through CA Single Sign-On, the time-out values for the new realm are still governed by the session that was established by the initial login at the first realm. If you have different time-out values for different realms, and you want to have each realm use its own time-out values, you can override the time-outs of the original realm.

A user who has already timed out cannot log in to another realm without being rechallenged. For example, if the Idle Timeout in Realm1 is 15 minutes and the Idle Timeout in Realm2 is 30 minutes, a user who accumulates 20 idle minutes in Realm1 will be challenged upon logging in to Realm2.
To override the time-outs of the original realm, configure your Web Agent and realms as described in the following process:
  1. Set the value of the EnforceRealmTimeouts parameter to yes.
  2. Use the Administrative UI to do the following tasks:
    1. For each realm where you want to supersede the original time-outs (any realm that SSO functionality allows the user to access), do the following:
      • To override the Maximum Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Max-Timeout response attribute.
        The user session start time is based on the login time, and the WebAgent-OnAuthAccept-Session-Max-Timeout value is calculated from the time the user session started.
      • To override the Idle Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute.
    2. Bind each of the previous responses to an OnAuthAccept rule.
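
The following is an added example, not code from the product: a simplified Python model of the behavior described above, useful for reasoning about which time-out value applies when a user moves between realms. The class and function names, the use of minutes, the 120-minute Maximum Timeout, and the assumption that a realm with no bound response keeps the session's current values are all assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Realm:
    name: str
    # Values a bound OnAuthAccept response would return (None = no response bound).
    idle_override: Optional[int] = None
    max_override: Optional[int] = None

@dataclass
class Session:
    login_at: int       # minute of the initial login; Maximum Timeout counts from here
    last_activity: int  # minute of the last accepted request
    idle_timeout: int   # minutes, initially from the realm of first login
    max_timeout: int

    def expired(self, now: int) -> bool:
        return (now - self.last_activity > self.idle_timeout
                or now - self.login_at > self.max_timeout)

def access(session: Session, realm: Realm, now: int, enforce_realm_timeouts: bool) -> str:
    """Return 'challenge' or 'accept' for a request to `realm` at minute `now`."""
    # A session that has already timed out is rechallenged before any override applies.
    if session.expired(now):
        return "challenge"
    if enforce_realm_timeouts:  # models EnforceRealmTimeouts=yes
        if realm.idle_override is not None:
            session.idle_timeout = realm.idle_override
        if realm.max_override is not None:
            session.max_timeout = realm.max_override
    session.last_activity = now
    return "accept"

def scenario(enforce: bool, idle_before_realm2: int, idle_in_realm2: int) -> list:
    # Constructed values: Realm1 Idle Timeout 15, Realm2 Idle Timeout 30.
    realm2 = Realm("Realm2", idle_override=30, max_override=120)
    s = Session(login_at=0, last_activity=0, idle_timeout=15, max_timeout=120)
    first = access(s, realm2, idle_before_realm2, enforce)
    if first == "challenge":
        return [first]
    return [first, access(s, realm2, idle_before_realm2 + idle_in_realm2, enforce)]
```

With enforcement off, 20 idle minutes inside Realm2 still trips Realm1's 15-minute value. With enforcement on, a Maximum Timeout override is measured from the original login, not from the moment the user entered the new realm.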