Session quotas
AM lets you limit the number of active sessions for a user by setting session quotas. Use this feature, for example, to prevent a user from logging in from more than two devices at once, mitigating scenarios where user passwords could’ve been compromised.
AM’s support for session quotas requires server-side authenticated sessions.
Configure session quotas and exhaustion actions
The session quota applies to all authenticated sessions opened for the same user (as represented by the user’s universal identifier). To configure session quotas and exhaustion in AM, perform the following steps:
-
In the AM admin UI, go to Configure > Global Services > Sessions > Session Quotas.
-
From the Enable Quota Constraints drop-down menu, choose
ON. -
On the Set Resulting behavior if session quota exhausted property, set one of the following values:
DENY_ACCESS-
Deny access, preventing the user from creating an additional authenticated session.
DESTROY_NEXT_EXPIRING-
Remove the next authenticated session to expire, and create a new session for the user. The next session to expire is the session with the minimum time left until expiration.
This is the default setting.
DESTROY_OLDEST_SESSION-
Remove the oldest authenticated session, and create a new session for the user.
DESTROY_OLD_SESSIONS-
Remove all existing authenticated sessions, and create a new session for the user.
If none of these session quota exhaustion actions fit your deployment, you can implement a custom session quota exhaustion action. Find an example in Customize server-side session quota exhaustion actions.
-
Go to Realms > Realm Name > Services > Session.
-
On the Set Active User Sessions property, configure the maximum number of concurrent authenticated sessions a user can have.
You can also change this setting globally for the AM site in Configure > Sessions > Dynamic Attributes.
-
Click Save Changes.