The validity of acquired roles can be limited to a time period, i.e. a role may be associated with timeouts:
- Role Idle-Timeout: The role is lost after no activity on the corresponding Airlock Gateway (WAF) session for the specified amount of time.
- Role Life-Timeout: The role is lost after the specified amount of time (independent of the session activity).
Role-timeout syntax
When specifying an acquired role in the configuration (e.g. step-up configuration or role granted by an authenticator), use the following syntax:
<role-name>[:idle-timeout-in-seconds[:life-timeout-in-seconds]]
Examples:
- strong: no timeout
- strong:600: idle timeout is 10 minutes
- strong:600:1800: idle timeout is 10 minutes, life-timeout is 30 minutes
Note that the life-timeout must be >= the idle-timeout.
Valid example: strong:600:1800
Invalid example: strong:600:500
Example:
Assume a user acquires the role "strong" (e.g. by a step-up process).
Let the role be granted with:
- Idle-timeout 10 minutes
- Life-timeout 30 minutes
The configured step-up-role is: strong:600:1800
1. The role is lost after 30 minutes in any case.
2. The role is lost after 10 minutes of inactivity on the Airlock Gateway (WAF) session.
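The syntax and timeout rules above, as an added example that is not part of the original documentation and not Airlock's own code: a validator for role strings plus a check of whether a granted role is still held. The names parse_role, role_active and audit are hypothetical, and the code assumes positive whole-second timeouts and that a role counts as lost once the elapsed time reaches the timeout.

```python
from typing import NamedTuple, Optional

class RoleSpec(NamedTuple):
    name: str
    idle: Optional[int]  # idle-timeout in seconds, None = no idle-timeout
    life: Optional[int]  # life-timeout in seconds, None = no life-timeout

def parse_role(spec: str) -> RoleSpec:
    """Parse <role-name>[:idle-timeout-in-seconds[:life-timeout-in-seconds]]."""
    parts = spec.split(":")
    if not 1 <= len(parts) <= 3 or not parts[0]:
        raise ValueError(f"malformed role spec: {spec!r}")
    timeouts = []
    for field in parts[1:]:
        # Assumption: timeouts are positive whole seconds.
        if not (field.isascii() and field.isdigit()) or int(field) == 0:
            raise ValueError(f"timeout must be a positive integer: {spec!r}")
        timeouts.append(int(field))
    idle = timeouts[0] if timeouts else None
    life = timeouts[1] if len(timeouts) == 2 else None
    if life is not None and life < idle:
        raise ValueError(f"life-timeout must be >= idle-timeout: {spec!r}")
    return RoleSpec(parts[0], idle, life)

def role_active(role: RoleSpec, granted_at: int, last_activity: int, now: int) -> bool:
    """True while neither timeout has expired (all times in seconds)."""
    # Assumption: the role is lost once elapsed time reaches the timeout.
    if role.life is not None and now - granted_at >= role.life:
        return False  # life-timeout: independent of session activity
    if role.idle is not None and now - last_activity >= role.idle:
        return False  # idle-timeout: no activity on the session
    return True

def audit(specs):
    """Return {spec: error message} for every spec that fails validation."""
    errors = {}
    for spec in specs:
        try:
            parse_role(spec)
        except ValueError as exc:
            errors[spec] = str(exc)
    return errors
```

Passing a list of role strings to audit() before entering them in the configuration flags entries such as strong:600:500.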
Configuration
Role-timeouts are enabled by default, i.e. no special configuration settings have to be made.
To turn the feature on or off in the configuration:
- Go to the Airlock Gateway (WAF) Settings within the Loginapp configuration.
- Enable/disable the feature by setting/unsetting the checkbox Airlock Gateway (WAF) Handles Timeout Roles.