User Session and Single Sign-OnUser Session and Single Sign-On
In an IDR SSO Agent deployment, a user session controls the length of time that a user's authentication to the application portal and applications can apply to other applications in the portal. The user session enables single sign-on to applications in the portal.
A user session starts when the user successfully authenticates to the application portal and ends after the specified session duration or inactivity timeout has expired or the user signs out of the application portal. You specify the session duration and inactivity timeout in the Cloud Administration Console.
A user session applies to the standard and custom application portals and authentication to all applications within the portal. Also, a user session controls the length of time that a user can use HTTP Federation (HFED) and Trusted Headers applications before being prompted to authenticate again. A user session does not apply to bookmark applications and does not control the length of time that a user can use a SAML-enabled application after authentication.
When a user authenticates to the application portal, the user can access all applications assigned to the Allow All Authenticated Users access policy for the session duration or until the user signs out of the application portal.
Within that session, if the user successfully authenticates to an application that requires additional authentication, then the user can access other applications with the same assurance level or lower as the first application without completing additional authentication.
Within that session, if the user accesses an application with a higher assurance level, the user is prompted for the required additional authentication.
When the user signs out of the application portal or the session duration or inactivity timeout expires, the user must re-authenticate to the application portal.
The session duration is 720 minutes (default). The inactivity timeout is 20 minutes (default). The application portal contains three applications with the following details.
|Application A||Additional authentication is not required.|
Medium assurance level (SecurID Token or Device Biometrics)
|Application C||Low assurance level (Approve or Authenticate Tokencode)|
- The user authenticates to the application portal. The session duration of 720 minutes starts.
- The user opens Application A in the portal without additional authentication.
- The user authenticates to Application B using SecurID Token instead of Device Biometrics because his Authenticate device is charging.
- The user accesses Application C in the portal. Because the user has authenticated to Application B (with a higher assurance level) within the same session, SecurID opens Application C without prompting the user for additional authentication.
- The user does not use the application portal or protected applications for 25 minutes. The user then tries to access Applications A, B, and C in the portal. Because the 20-minute inactivity timeout has expired, SecurID displays the portal sign-in page for the user to re-authenticate.
- The user authenticates to the application portal. The session duration of 720 minutes starts again.