Topic
  • 2 replies
  • Latest Post - ‏2015-04-08T19:44:59Z by gcurley
BenRambow
BenRambow
3 Posts

Pinned topic SSO Expected behavior within ICN

‏2013-06-19T17:59:58Z |

Hi-

Looking to identify "expected" behavior for ICN with SSO enabled. I've used XT & ICN with Kerberos & TAM SSO flavors in the past, but without it in front of me I cannot remember.

What "should" happen when:

* A user selects Logout

* A user changes desktop via the url or a new browser session opening directly to the other desktop

* A user times out (should there be any timeout with sso enabled?)

 

Thanks-

  • jajuanMike
    jajuanMike
    42 Posts

    Re: SSO Expected behavior within ICN

    ‏2013-06-20T14:39:55Z  

    1) Logout sould be disabled.

    2) Changing the desktop or starting a new browser session  will ICN without being prompted for authentication info.

    3)  There is not a session timeout.  However the Websphere LTPA token could time out.  We document that the LTPA token time should be set longer than the time the user would be using ICN for the day.  If not, the user would have to refresh the browser to get a new token.

  • gcurley
    gcurley
    9 Posts

    Re: SSO Expected behavior within ICN

    ‏2015-04-08T19:44:59Z  

    1) Logout sould be disabled.

    2) Changing the desktop or starting a new browser session  will ICN without being prompted for authentication info.

    3)  There is not a session timeout.  However the Websphere LTPA token could time out.  We document that the LTPA token time should be set longer than the time the user would be using ICN for the day.  If not, the user would have to refresh the browser to get a new token.

    Customer asks:

    ICN timeout of 120 minutes, LTPA timeout of 115 minutes.

    So if they tried to access the application at minute 116 then they would have an expired LTPA token without having hit the application timeout, which you mentioned in an earlier message could result in problems with ICN.  That's what I was trying to ask about earlier, we previously didn't have this possibility because the application timeout was less than the LTPA timeout.  So is this something that we should be concerned about?