Configuring the user session ID for the federation runtime

Customize the user session ID header name so that you can track user sessions, end sessions, or sign out a particular user from a web reverse proxy point of contact server.

Before you begin

Set your web reverse proxy to enable the creation of unique user session IDs. The following stanza and entry must be set in the web reverse proxy configuration file:
  [session]
  user-session-ids = yes
See User session management for back-end servers for general information.

About this task

The federation runtime uses user session ID information to log out the user from the web reverse proxy.

The user session ID uniquely identifies a specific session for an authenticated user and is stored as part of the user's credential information.

The federation runtime obtains the user session ID from the web reverse proxy, which sends it to the federation runtime in an HTTP header. For this to work, the web reverse proxy and the federation runtime must be configured to use the same header name.

Procedure

  1. For the federation runtime, update the advanced configuration property, poc.signOut.userSessionRequestHeader by using the local management interface:
    1. Select Federation > Global Settings > Advanced Configuration.
    2. Locate poc.signOut.userSessionRequestHeader in the list, select it, and click Edit.
    3. Enter the header name that you want to use for the user session ID and click Save.
      For example, specify my_user_session_id.
  2. Optional: For the web reverse proxy, update the junction to delete an existing user_session_id by using the following command:
    pdadmin -a sec_master -p password object modify /WebSEAL/fedname-webseal/junction_name 
      delete attribute HTTP-Tag-Value user_session_id=user_session_id
    Where:
    password
    Specifies the password for sec_master.
    fedname
    Specifies the name of the federation.
    webseal
    Specifies the name of the web reverse proxy server.
    junction_name
    Specifies the name of the junction.
    user_session_id
    Specifies the existing name that was defined for the session ID.
    For example:
    pdadmin -a sec_master -p ipadminpw object modify /WebSEAL/saml20-ip-ipwga/isam
      delete attribute HTTP-Tag-Value user_session_id=user_session_id
    This command deletes the existing user_session_id.
  3. For the web reverse proxy, update the junction to use the poc.signOut.userSessionRequestHeader property value you defined in step 1. Add this customized attribute value by using the following command:
    pdadmin -a sec_master -p password object modify /WebSEAL/fedname-webseal/junction_name
      set attribute HTTP-Tag-Value user_session_id=user_session_ID
    Where:
    user_session_ID
    Specifies the header name that you entered in step 1 (the value after the equals sign). For example, my_user_session_id.
    For example:
    pdadmin -a sec_master -p ipadminpw object modify /WebSEAL/saml20-ip-ipwga/isam
      set attribute HTTP-Tag-Value user_session_id=my_user_session_id

    This command sets the header name that the web reverse proxy sends for the user session ID to my_user_session_id.
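The procedure above leaves two independently configured values that must agree: the header name in the junction's HTTP-Tag-Value attribute and the poc.signOut.userSessionRequestHeader property. The following check is an added example (not IBM code) that compares them from values you copy out of `pdadmin object show` output and the advanced configuration; it assumes the runtime looks the header up case-insensitively, as HTTP header field names are, and that `user_session_id` is the credential attribute name used on the page.

```python
"""Compare a junction's HTTP-Tag-Value mapping for the user session ID with the
federation runtime's poc.signOut.userSessionRequestHeader value (added example)."""
from dataclasses import dataclass, field

CRED_ATTR = "user_session_id"  # credential attribute on the page's pdadmin commands


@dataclass
class CheckResult:
    ok: bool                                   # runtime will find the header
    header_names: list = field(default_factory=list)  # headers mapped from CRED_ATTR
    messages: list = field(default_factory=list)      # problems or warnings found


def parse_tag_values(tag_values):
    """Parse HTTP-Tag-Value entries of the form 'cred_attr=header_name'.
    The junction attribute can carry several values, e.g. when step 2 was skipped."""
    pairs = []
    for raw in tag_values:
        attr, sep, header = raw.strip().partition("=")
        if not sep or not attr or not header:
            raise ValueError(f"malformed HTTP-Tag-Value entry: {raw!r}")
        pairs.append((attr, header))
    return pairs


def check_session_header(tag_values, runtime_header):
    """Return ok=True when some junction mapping sends the header the runtime expects."""
    headers = [h for a, h in parse_tag_values(tag_values) if a == CRED_ATTR]
    if not headers:
        return CheckResult(False, headers,
                           [f"no HTTP-Tag-Value mapping for {CRED_ATTR}: the runtime "
                            "receives no session ID and cannot sign the user out"])
    # Header field names are case-insensitive on the wire, so fold case first.
    matching = [h for h in headers if h.lower() == runtime_header.lower()]
    if not matching:
        return CheckResult(False, headers,
                           [f"runtime expects {runtime_header!r} but the junction sends "
                            f"{headers}: repeat step 3 with the value from step 1"])
    msgs = []
    stale = [h for h in headers if h not in matching]
    if stale:  # old mapping still present: WebSEAL sends both headers
        msgs.append(f"stale mapping(s) {stale} still set: run the step 2 delete")
    if matching[0] != runtime_header:
        msgs.append(f"case differs ({matching[0]!r} vs {runtime_header!r}): "
                    "works, but use one spelling in both places")
    return CheckResult(True, headers, msgs)
```

The two inputs are the HTTP-Tag-Value values shown for the junction object and the property value from Federation > Global Settings > Advanced Configuration.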

Results

The federation runtime and the web reverse proxy now use the same header name for the user session ID.