User Session and Single Sign-On

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Sep 15, 2017. Version 17.

In an SSO Agent deployment, a user session controls how long a user's authentication to the application portal continues to apply to the other applications in that portal. The user session is what provides single sign-on to the applications in the portal.

A user session starts when the user successfully authenticates to the application portal. It ends when the configured session duration expires, when the inactivity timeout expires, or when the user signs out of the application portal, whichever happens first. You specify the session duration and inactivity timeout in the Cloud Administration Console.

A user session applies to the standard and custom application portals and to authentication for all applications within the portal. A user session also controls how long a user can use HTTP Federation (HFED) and Trusted Headers applications before being prompted to authenticate again. A user session does not apply to bookmark applications, and it does not control how long a user can use a SAML-enabled application after that application has authenticated the user.

When a user authenticates to the application portal, the user can access all applications assigned to the default access policy (Allow All Authenticated Users) for the session duration or until the user signs out of the application portal.

Within that session, if the user successfully authenticates to an application that requires additional authentication, the user can then access any other application whose assurance level is the same as, or lower than, that application's assurance level without completing additional authentication.

Within that session, if the user accesses an application with a higher assurance level than any already satisfied, the user is prompted for the additional authentication that the higher level requires.

When the user signs out of the application portal, or the session duration or inactivity timeout expires, the session ends and the user must re-authenticate to the application portal. Any assurance level reached during the old session does not carry over to the new one.

 

Example

The session duration is 720 minutes (default). The inactivity timeout is 20 minutes (default). The application portal contains three applications with the following details.

Application     Details
Application A   Additional authentication is not required.
Application B   Medium assurance level (SecurID Token or Fingerprint)
Application C   Low assurance level (Approve or Authenticate Tokencode)

  1. The user authenticates to the application portal. The session duration of 720 minutes starts.
  2. The user opens Application A in the portal without additional authentication.
  3. The user opens Application B and is prompted for additional authentication. The user authenticates with SecurID Token instead of Fingerprint because his Authenticate device is charging. Either method satisfies the Medium assurance level.
  4. The user accesses Application C in the portal. Because the user has already authenticated to Application B (which has a higher assurance level than Application C) within the same session, RSA SecurID Access opens Application C without prompting the user for additional authentication.
  5. The user does not use the application portal or protected applications for 25 minutes. The user then tries to access Applications A, B, and C in the portal. Because the 20-minute inactivity timeout has expired, RSA SecurID Access displays the portal sign-in page for the user to re-authenticate.
  6. The user authenticates to the application portal. The session duration of 720 minutes starts again.
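The following is an added illustration of the session rules described above, written for this page; it is not RSA SecurID Access code and does not use any RSA API. It assumes that assurance levels can be ordered as integers (None < Low < Medium), that time is measured in whole minutes, and that a session is treated as expired once the elapsed time reaches the configured limit (the exact boundary behaviour is an assumption). The replay function walks through the numbered scenario with the default 720-minute session duration and 20-minute inactivity timeout.

```python
"""Model of portal session, inactivity timeout, and assurance-level step-up.

Added example for this page, not RSA SecurID Access code. The assurance
ordering, minute-based clock, and >= expiry boundary are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Assurance(IntEnum):
    """Assurance levels ordered so that a higher level satisfies a lower one."""
    NONE = 0    # no additional authentication required
    LOW = 1     # e.g. Approve or Authenticate Tokencode
    MEDIUM = 2  # e.g. SecurID Token or Fingerprint


# Constructed sample portal matching the table on the page.
APPS = {
    "A": Assurance.NONE,
    "B": Assurance.MEDIUM,
    "C": Assurance.LOW,
}


@dataclass
class PortalSession:
    """One user's portal session; all times are minutes since an arbitrary epoch."""
    session_duration: int = 720    # page default, minutes
    inactivity_timeout: int = 20   # page default, minutes
    started_at: Optional[int] = None
    last_activity: Optional[int] = None
    reached: Assurance = Assurance.NONE   # highest level satisfied this session

    def sign_in(self, now: int) -> None:
        """Portal authentication succeeded: start a fresh session."""
        self.started_at = now
        self.last_activity = now
        self.reached = Assurance.NONE       # step-ups never carry across sessions

    def sign_out(self) -> None:
        """Explicit sign-out or expiry: drop all session state."""
        self.started_at = None
        self.last_activity = None
        self.reached = Assurance.NONE

    def is_active(self, now: int) -> bool:
        """False once either the duration or the inactivity timeout has elapsed."""
        if self.started_at is None or self.last_activity is None:
            return False
        if now - self.started_at >= self.session_duration:
            return False
        if now - self.last_activity >= self.inactivity_timeout:
            return False
        return True

    def access(self, required: Assurance, now: int) -> str:
        """Attempt to open an application that requires the given level.

        Returns 'portal_sign_in' (session gone), 'step_up' (additional
        authentication needed), or 'opened'.
        """
        if not self.is_active(now):
            self.sign_out()
            return "portal_sign_in"
        self.last_activity = now            # any portal/app use resets idle clock
        if required <= self.reached:
            return "opened"
        return "step_up"

    def step_up(self, level: Assurance, now: int) -> bool:
        """User completed additional authentication at `level` inside the session."""
        if not self.is_active(now):
            self.sign_out()
            return False
        self.reached = max(self.reached, level)
        self.last_activity = now
        return True


def run_page_example() -> List[str]:
    """Replay the numbered scenario on the page; returns each access outcome."""
    s = PortalSession()                                  # 720 / 20 defaults
    outcomes = []
    s.sign_in(now=0)                                     # step 1
    outcomes.append(s.access(APPS["A"], now=1))          # step 2: opened
    outcomes.append(s.access(APPS["B"], now=2))          # step 3: step_up prompt
    s.step_up(Assurance.MEDIUM, now=2)                   # SecurID Token satisfies Medium
    outcomes.append(s.access(APPS["B"], now=2))          # opened after step-up
    outcomes.append(s.access(APPS["C"], now=3))          # step 4: Medium already >= Low
    outcomes.append(s.access(APPS["A"], now=28))         # step 5: 25 min idle -> sign-in page
    s.sign_in(now=28)                                    # step 6: new session, level reset
    outcomes.append(s.access(APPS["C"], now=29))         # Low now needs a fresh step-up
    return outcomes


if __name__ == "__main__":
    print(run_page_example())
```

Note that `reached` is reset on every `sign_in`, which is what makes step 6 prompt again for Application C even though Application B was satisfied 26 minutes earlier; an implementation that persisted step-up state past the inactivity timeout would silently weaken the assurance-level guarantee.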
