Enabling idle timeout for integrated BMC applications
UI idle timeout
UI idle timeout is the maximum length of time that a user remains logged in to integrated BMC applications without making any mouse movements, clicks, or keyboard input.
The following image shows the warning message displayed in an integrated BMC application when the UI idle timeout is reached:
How UI idle timeout works
The following table describes the most common real-life examples in which the UI idle timeout takes effect:
| | Example A | Example B | Example C |
---|---|---|---|
Configuration | One tab with a BMC application | Multiple tabs with multiple BMC applications | Multiple tabs with multiple BMC applications and one tab with a third-party application |
Real-life example | A user, Charlotte, has one active tab with a BMC application. Then, Charlotte steps away from the desk. After a defined time, a warning message is displayed in the integrated BMC application that Charlotte is logged in to. Charlotte does not refresh the page, so she is logged out from the BMC application she was working in. | A user, Charlotte, has several active tabs or windows of the same browser with BMC applications that share the same session. Then, Charlotte steps away from the desk, leaving all the tabs inactive. A warning message is displayed on one tab only. Charlotte does not refresh the page, so she is logged out from all BMC applications she was working in. | A user, Charlotte, has several active tabs or windows of the same browser with BMC applications that share the same session and one tab with a third-party application (for example, Bing). Charlotte does not close the tabs with BMC applications and does not log out, but switches to Bing in the same browser. If Charlotte continues working in Bing for longer than the UI idle timeout period, she is logged out from all inactive BMC applications. |
Before you begin
For the UI idle timeout feature to work seamlessly, the administrator must ensure that the following requirements are met:
- Native UI idle timeout of an integrated BMC application is disabled.
- UI idle timeout is enabled in tenant settings; see Setting-up-tenants.
- Online-refresh is disabled for an OAuth client; see Configuring-OAuth-2-0.
- Single logout is enabled for a realm; see Configuring-general-settings-for-a-realm.
- Infinite session is disabled for the Local, SAML 2.0, and OpenID Connect authentication types; see Configuring-infinite-user-sessions.
- Idle timeout is supported for Auth-Proxy starting from version 22.4. For the BMC Helix SSO agent, idle timeout is supported only starting from version 22.4.01.
Important: If an OAuth client is registered in a SaaS tenant, the timeout settings of the SaaS tenant are applied to this client, even if this client is used by other tenants. If an OAuth client is registered in a tenant that is not a SaaS tenant, the timeout settings of the tenant where the client is registered are applied to this client.
If the Auth Proxy or BMC Helix SSO agent configuration contains the callback_path="/<app_context>/auth/code/callback" setting, add the _AUTH_VALIDATION_DOMAIN parameter to the configuration file (external.conf for Auth Proxy and rsso-agent.properties for the BMC Helix SSO agent) with the following settings:
idle_reset_path = /<_AUTH_VALIDATION_DOMAIN>/_auth/idle/reset
idle_js_resource_proxy_path = /<_AUTH_VALIDATION_DOMAIN>/_auth/resource/js/idle-timeout.js
To enable the UI idle timeout
UI idle timeout is enabled for each tenant separately:
1. Log in to the BMC Helix SSO Admin Console as a SaaS administrator.
2. On the navigation panel, click Tenant.
3. Edit a tenant or create a new one for which you want to enable the UI idle timeout.
4. Select the UI idle timeout check box.
5. Click Save.
Backend idle timeout
Backend idle timeout is the maximum length of time that a user remains logged in to a BMC application after switching to a third-party application or closing a browser and not logging out of the BMC application. Backend idle timeout is effective if an inactivity period exceeds 15 mins. Backend idle timeout is effective under the following conditions:
- A user closes a PC or a laptop without logging out.
- A BMC application is static and no JavaScript polling happens.
If the backend idle timeout happens, a warning message is not shown. A user is logged out automatically.
How a combination of UI and backend idle timeout works
When planning the logout logic based on the idle timeout, note the following scenarios:
Scenario | Use case | Configuration |
---|---|---|
UI idle timeout is less than backend idle timeout (<15 mins) | If a user is inactive in a BMC application, a warning message is displayed. If the user does not refresh the tab, logout happens. | |
UI idle timeout is more than backend idle timeout (>15 mins) | If a user is inactive in a BMC application, a warning message is not displayed, and logout happens automatically. | |
UI idle timeout is equal to backend idle timeout (=15 mins) | Logout depends on the prerequisites fulfilled. If prerequisites of the UI idle timeout are met, then a warning message is shown. If prerequisites of the backend idle timeout are met, then logout happens automatically. | |
To configure idle timeout settings
Idle timeout settings can be modified in the BMC Helix SSO Admin Console (version 22.4.01 and later):
1. Log in to the BMC Helix SSO Admin Console as a SaaS administrator.
2. On the General page, in the Basic tab, go to the Idle Timeout Settings section and modify the following fields:
   - Backend Idle Timeout Allowed Time: Indicates the time that triggers the backend idle timeout.
   - UI Idle Timeout Allowed Time: Indicates the time that triggers the UI idle timeout.
   - UI Idle Timeout Warning Time: Indicates the time of a warning message. For example, if set to 2 min, the warning message is displayed 2 min before a user is logged out.
3. Click Save.
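
The scenario table and the three Idle Timeout Settings fields above can be checked together before saving. The following is an added example, not BMC code: it computes when an idle, never-refreshed session sees the warning and when it is logged out, and flags combinations that log users out silently. The class and function names are hypothetical, values are in minutes, and the logic generalizes the table's 15-minute backend value to any configured backend time.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdleSettings:
    # Hypothetical container; fields mirror the Admin Console fields, in minutes.
    backend_allowed: float  # Backend Idle Timeout Allowed Time
    ui_allowed: float       # UI Idle Timeout Allowed Time
    ui_warning: float       # UI Idle Timeout Warning Time

def plan_logout(s: IdleSettings) -> dict:
    """Timeline for a session that goes idle at minute 0 and is never refreshed."""
    if min(s.backend_allowed, s.ui_allowed) <= 0 or s.ui_warning < 0:
        raise ValueError("timeouts must be positive, warning time non-negative")
    findings = []
    if s.ui_warning >= s.ui_allowed:
        findings.append("warning time is not shorter than the UI idle timeout")
    # The warning is displayed ui_warning minutes before the UI logout.
    warning_at = max(s.ui_allowed - s.ui_warning, 0.0)
    if s.ui_allowed < s.backend_allowed:
        # UI timeout fires first: warning, then logout if the tab is not refreshed.
        plan = {"scenario": "ui_first", "warning_at": warning_at,
                "logout_at": s.ui_allowed, "silent": False}
    elif s.ui_allowed > s.backend_allowed:
        # Backend timeout fires first: no warning, automatic logout.
        plan = {"scenario": "backend_first", "warning_at": None,
                "logout_at": s.backend_allowed, "silent": True}
        findings.append("backend timeout fires first: logout without a warning")
    else:
        # Equal values: per the table, the outcome depends on which prerequisites
        # are met, so silent is left undetermined (None); warning_at applies only
        # if the UI idle timeout prerequisites are met.
        plan = {"scenario": "equal", "warning_at": warning_at,
                "logout_at": s.ui_allowed, "silent": None}
        findings.append("equal timeouts: outcome depends on prerequisites met")
    plan["findings"] = findings
    return plan

if __name__ == "__main__":
    # Constructed sample settings (minutes), not values from a real tenant.
    for cfg in (IdleSettings(15, 10, 2), IdleSettings(15, 20, 2),
                IdleSettings(15, 15, 2), IdleSettings(15, 5, 5)):
        print(cfg, plan_logout(cfg))
```

An empty findings list means the configuration matches the first scenario in the table: the user is warned before being logged out.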