Using Activity Realms

Activity realms are used when Access Manager uses multiple contracts to protect resources that require different activity timeouts. Activity realms allow you to define how activity at one protected resource affects the activity timeout at another protected resource.

An activity realm represents a time line that tracks the last activity for any resource that is protected by a contract assigned to the activity realm. When a protected resource is accessed, the activity realm associated with the contract is marked as active. The contract times out for a protected resource when the elapsed time for activity on the activity realm is greater than the time limit specified in the contract.

For example, you create an activity realm called shared1 and assign it to contract C1 with a timeout of 30 minutes and to contract C2 with a timeout of 15 minutes. Any activity at the resource protected by C1 or C2 marks activity to the shared1 time line. Figure 5-2 illustrates this scenario.

Figure 5-2 Two Contracts Sharing an Activity Realm

In Figure 5-2, the user logs into PR1 at time 0, then logs into PR2 at time 6. During the next 30 minutes, the user is active on PR1. The time line for the shared1 activity realm is updated with the user’s activity. The user then accesses PR2 at time 38. Even though no activity has taken place on PR2 for more than the 15-minute contract time-out, PR2 does not time out because activity has occurred within this time at PR1 and because the resources share the same activity realm. Assigning two or more contracts to the same activity realm allows the contracts to influence the time-outs of the other contracts in the activity realm.

When you configure protected resources to use different contracts with different time-outs, they can keep each other alive when they share the same activity realm. If protected resources must not affect each other's activity, they must not share a common activity realm.

You can assign a contract to multiple activity realms. With this configuration, activity on a resource updates the time lines of all activity realms associated with the contract. As long as one of the activity realms has activity within the contract’s time-out limit, the user’s session remains authenticated.
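The following Python model is an added example, not Access Manager code: it replays the Figure 5-2 time line and the multiple-realm rule above. Contract, resource and realm names other than shared1, C1, C2, PR1 and PR2 are constructed for illustration, and the timeout test is the strict "greater than" comparison the text gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    name: str
    timeout: int          # minutes of inactivity before the contract times out
    realms: tuple         # activity realm names this contract is assigned to


class ActivityRealms:
    """Each realm keeps the time of the last activity on any protected resource
    whose contract is assigned to it (the 'time line' described in the text)."""

    def __init__(self, resources):
        self.resources = resources        # protected resource -> Contract
        self.last_activity = {}           # realm name (case-insensitive) -> time

    def idle_minutes(self, resource, now):
        """Smallest idle time across the contract's realms; None if none has activity yet."""
        c = self.resources[resource]
        seen = [now - self.last_activity[r.lower()] for r in c.realms
                if r.lower() in self.last_activity]
        return min(seen) if seen else None

    def timed_out(self, resource, now):
        # Timed out only when EVERY realm of the contract has been idle longer
        # than the contract's timeout; one active realm keeps the session alive.
        idle = self.idle_minutes(resource, now)
        return idle is not None and idle > self.resources[resource].timeout

    def access(self, resource, now):
        """Record activity at `resource`; return True if the contract was still valid."""
        if self.timed_out(resource, now):
            return False
        for r in self.resources[resource].realms:
            self.last_activity[r.lower()] = now
        return True


def figure_5_2(shared_realm=True):
    """Replay Figure 5-2: PR1 (C1, 30 min) and PR2 (C2, 15 min). With a shared
    realm the PR2 access at minute 38 succeeds; with separate realms it times out."""
    c1 = Contract("C1", 30, ("shared1",))
    c2 = Contract("C2", 15, ("shared1",) if shared_realm else ("c2only",))  # c2only is constructed
    realms = ActivityRealms({"PR1": c1, "PR2": c2})
    realms.access("PR1", 0)                 # login at PR1 (constructed time line)
    realms.access("PR2", 6)                 # login at PR2
    for t in (10, 20, 30):                  # user active on PR1 for 30 minutes
        realms.access("PR1", t)
    return realms.access("PR2", 38)         # shared: 8 min idle; separate: 32 min
```

Giving C2 its own realm (`shared_realm=False`) is the configuration the text recommends for resources that must not keep each other alive.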

Activity realms are defined by specifying a name, and the names are case insensitive. Use a comma-separated list to specify multiple names. The system has two default realms that you can use:

  • Any: Leave the field blank or specify any when you want the user’s session to remain alive as long as there is some activity by the user at Access Gateway or at Identity Server.

    When Identity Server receives an assertion from another Identity Server that cannot be mapped to a contract, the activity realm is set to any with the time-out value equal to the value of the Tomcat session. (The Tomcat session timeout is set to the greatest time-out value of the contracts configured for Identity Server.)

  • NIDPActivity: Specify NIDPActivity for the realm when any activity at Identity Server by the user can be used to keep the user’s session alive.

When you place multiple contracts in the same activity realm, plan carefully so that security limits aren’t overruled by activity on less critical protected resources. You also need to carefully balance the desire for single sign-on with the need to require reauthentication for sensitive data. Highly sensitive resources are most secure when they are protected by a contract that is created from its own unique method and that is assigned its own unique activity realm. For more information, see Assigning a Timeout Per Protected Resource.