12.2.1.3. Role timeouts

Airlock Gateway enforces access control based on roles that Airlock IAM grants to a user's session.

If a required role is missing, Airlock Gateway redirects the user's browser or client to Airlock IAM to obtain this role.

To enforce the renewal of authentication, roles can be removed after some time. Airlock Gateway supports the following timeouts on roles:

Idle timeout
Maximum accepted duration for a session without activities. If the inactivity duration is exceeded for a role, then this role is deleted from the session.
Lifetime timeout
Maximum accepted duration for a session regardless of its activities. If the lifetime duration is exceeded for a role, then this role is deleted from the session.

Role timeout handling in the Airlock Gateway

Roles are transmitted to the Gateway with the following syntax:

<role-name>[:idle-timeout-in-seconds[:life-timeout-in-seconds]]

Multiple roles with timeouts can be transmitted to the gateway in a single request.

If a request contains the same role multiple times, the last occurrence of the role will be used by the gateway.

If a timeout is omitted or it is set to 0, the gateway will apply its own timeout settings as the default.

  • Example:

    strong
    strong::
    strong:0:0
    No timeout is specified by IAM, so the gateway applies its own defaults for both idle timeout and lifetime.

    strong:600:
    strong:600:0
    Idle timeout is specified at 10 minutes; lifetime depends on the gateway's default settings.

    strong:600:1800
    Idle timeout is specified at 10 minutes; lifetime is specified at 30 minutes.
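The parsing rules above (omitted or 0 means "gateway default", last occurrence of a role wins within one request), written out as an added Python illustration that is not Airlock code; the two default values and the expiry check are assumptions, since the real defaults come from the gateway configuration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed gateway defaults (constructed values, not Airlock's real defaults).
DEFAULT_IDLE_SECONDS = 900
DEFAULT_LIFETIME_SECONDS = 3600


@dataclass(frozen=True)
class RoleTimeouts:
    idle: int
    lifetime: int
    idle_from_default: bool      # True if IAM omitted the idle timeout or sent 0
    lifetime_from_default: bool  # True if IAM omitted the lifetime or sent 0


def _timeout_field(raw: str, default: int) -> tuple[int, bool]:
    """Empty or 0 -> gateway default; otherwise the explicit value in seconds."""
    if raw == "" or int(raw) == 0:
        return default, True
    seconds = int(raw)
    if seconds < 0:
        raise ValueError(f"negative timeout in role spec: {raw!r}")
    return seconds, False


def parse_role(spec: str) -> tuple[str, RoleTimeouts]:
    """Parse '<role-name>[:idle-timeout[:life-timeout]]' into (name, timeouts)."""
    parts = spec.split(":")
    if len(parts) > 3 or parts[0] == "":
        raise ValueError(f"malformed role spec: {spec!r}")
    idle_raw = parts[1] if len(parts) > 1 else ""
    life_raw = parts[2] if len(parts) > 2 else ""
    idle, idle_def = _timeout_field(idle_raw, DEFAULT_IDLE_SECONDS)
    life, life_def = _timeout_field(life_raw, DEFAULT_LIFETIME_SECONDS)
    return parts[0], RoleTimeouts(idle, life, idle_def, life_def)


def parse_request_roles(specs: list[str]) -> dict[str, RoleTimeouts]:
    """Roles from one request; a repeated role name keeps its last occurrence."""
    roles: dict[str, RoleTimeouts] = {}
    for spec in specs:
        name, timeouts = parse_role(spec)
        roles[name] = timeouts
    return roles


def role_expired(t: RoleTimeouts, idle_seconds: int, session_age_seconds: int) -> bool:
    """Assumed check: the role is dropped once either limit is exceeded."""
    return idle_seconds > t.idle or session_age_seconds > t.lifetime
```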

Configuration

The configuration presented here applies to the Loginapp REST API/UI only.

  • 1. Go to: Loginapp >> Authentication Flows >> {{Target Application}}
  • 2. Create a Generic Gateway Roles plugin in the Airlock Gateway Roles property.
  • 3. Configure a Role Provider.
  • 4. Optionally configure a Timeout Provider.
    All roles from the role provider are added to the session on the gateway with the configured timeouts.
  • 5. Repeat steps 2 - 4 to configure additional roles from different sources.

IAM currently supports several plugins for configuring Airlock Gateway Roles. Always use the Generic Gateway Roles plugin: it is more flexible and will supersede the older plugins.

User-specific role timeouts

A User Specific Timeout Provider assigns timeouts based on the value of a context data item. If the value matches, a special timeout is assigned; if not, a default timeout is used.

Example:

This can be used to match the company attribute against a configured value. All employees of that company then receive a different set of timeouts from the rest of the users.

Further information and links