Configuring session quotas
You can configure session quotas to limit the number of sessions a user can have active at one time.
PingFederate uses a unique user key attribute to track user sessions for this feature, so browser sessions are counted across browsers and devices. A user session can include multiple browser tabs.
When a user authenticates a new session, PingFederate checks the quota limit. You can configure PingFederate to deny the new session, return an error message, or revoke one or more active sessions when the new session exceeds the quota.
Logging
When a new session exceeds the session quota, PingFederate logs a SESSION_QUOTA_EXCEEDED message to the audit.log file.
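One way to monitor this event is to flag user keys that hit the quota repeatedly in a short window. The following is an added example, not PingFederate code or documentation. The pipe-delimited line layout, the timestamp format, the field position of the user, and the names `quota_events` and `repeated_quota_hits` are assumptions; the real audit.log layout depends on your logging configuration, so adjust the constants to match it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT = "SESSION_QUOTA_EXCEEDED"     # event name from the Logging section
SUBJECT_FIELD = 3                    # assumption: 0-based index of the user field
TS_FORMAT = "%Y-%m-%d %H:%M:%S,%f"   # assumption: timestamp format of field 0

# Constructed sample lines for illustration, not real PingFederate output.
SAMPLE_LOG = """\
2024-05-01 09:00:01,120| tid:a1| SESSION_QUOTA_EXCEEDED| alice| 198.51.100.7
2024-05-01 09:00:05,000| tid:a2| SSO| bob| 198.51.100.9
2024-05-01 09:03:40,512| tid:a3| SESSION_QUOTA_EXCEEDED| alice| 203.0.113.20
2024-05-01 09:07:12,004| tid:a4| SESSION_QUOTA_EXCEEDED| alice| 203.0.113.20
2024-05-01 09:30:00,000| tid:a5| SESSION_QUOTA_EXCEEDED| bob| 198.51.100.9
truncated line without enough fields SESSION_QUOTA_EXCEEDED
"""

def quota_events(lines):
    """Yield (timestamp, user) for each well-formed quota-exceeded line."""
    for line in lines:
        if EVENT not in line:
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) <= SUBJECT_FIELD:
            continue  # malformed or truncated line
        try:
            ts = datetime.strptime(fields[0], TS_FORMAT)
        except ValueError:
            continue  # timestamp does not match the assumed format
        yield ts, fields[SUBJECT_FIELD]

def repeated_quota_hits(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {user: time the threshold was first reached inside the window}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user in sorted(quota_events(lines)):
        hits = recent[user]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts

if __name__ == "__main__":
    for user, when in repeated_quota_hits(SAMPLE_LOG.splitlines()).items():
        print(f"{when.isoformat()} repeated quota hits for {user}")
```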
Before you begin
- The session quota feature requires the unique user key attribute to track user sessions. To make user session quotas work, you must have a unique user key attribute defined for each IdP adapter. Learn more in Setting pseudonym and masking options.
- For clients to check whether a session has been revoked during token exchanges, you must enable the following Session validation settings in your access token manager:
  - Include session identifier in access token
  - Check session revocation status

  Learn more in Managing session validation settings.
Steps
- Go to Authentication > Policies > Sessions and scroll down to the Session Quotas section.
- Select the Enable Session Quota Constraints checkbox.
- In the Active Session Limit field, enter the number of sessions to limit a user to.
- In the Session Quota Limit Behavior list, select how PingFederate responds when a new session exceeds the quota.
The following table contains more information about exceeded quota behaviors:
| Behavior | Description |
| --- | --- |
| Deny Access | PingFederate denies the new authentication transaction with a Session limit exceeded error message. |
| Destroy Most Idle Session | PingFederate allows the new authentication session and revokes the existing session with the oldest last activity time. |
| Destroy Old Sessions | PingFederate allows the new authentication session and revokes all other existing sessions. This is similar to password reset behavior. |
- Click Save.