Role-timeouts for acquired roles (JSP Loginapp)

The validity of acquired roles can be limited to a time period, i.e. a role may be associated with timeouts:

  • Role Idle-Timeout: The role is lost after no activity on the corresponding Airlock Gateway (WAF) session for the specified amount of time.
  • Role Life-Timeout: The role is lost after the specified amount of time (independent of the session activity).

Role-timeout syntax

When specifying an acquired role in the configuration (e.g. step-up configuration or role granted by an authenticator), use the following syntax:



  • strong: no timeout
  • strong:600: idle timeout is 10 minutes
  • strong:600:1800: idle timeout is 10 minutes, life-timeout is 30 minutes

Note that the life-timeout must be >= the idle-timeout.

Valid example: strong:600:1800

Invalid example: strong:600:500


Assume a user acquires the role "strong" (e.g. by a step-up process).

Let the role be granted with:

  • Idle-timeout 10 minutes
  • Life-timeout 30 minutes

The configured step-up-role is: strong:600:1800

  1. The role is lost after 30 minutes in any case
  2. The role is lost after 10 minutes of inactivity on the Airlock Gateway (WAF) session


Role-timeouts are enabled by default, i.e. no special configuration settings have to be made.

To turn the feature on and off in the configuration:

  • Go to the Airlock Gateway (WAF) Settings within the Loginapp configuration
  • Enable/disable the feature by setting/unsetting the checkbox Airlock Gateway (WAF) Handles Timeout Roles.