We are implementing an application for Internet users with single sign-on. The customer has a timeout requirement after a certain period of inactivity. I have located three places for timeout settings in the Authentication Service rule form. What are the differences between these three, and which is recommended?
1. "Custom Authentication Activity"
2. "Use PegaRULES Timeout"
3. "Use Basic Authentication for Timeout"
First of all, the help you are pointing to is incorrect. The options you are giving are for SAML 2.0, and, since this is for Internet users, as I described, we are not using SAML 2.0. If you look at the CUSTOM tab, it provides the two timeout options I attached above: "Use PegaRULES Timeout" and "Use Basic Authentication for Timeout".
Secondly, we have gone through these help pages and are asking what the pros and cons are of using these three options.
Use PegaRULES Timeout: Select to use the authentication timeout value specified in the user access groups to determine how long a user session can remain inactive before users are prompted to identify themselves again. Leave this option cleared if timeout is managed by the application server or other external facility.
This is set at Operator > Access Group > Advanced > Authentication Timeout; you have to specify the timeout value in seconds.
Use Basic Authentication for timeout: Select to use the Basic Authentication browser pop-up window to gather credentials when a user's session times out.
Custom Authentication Activity: you have to write your own steps for the timeout handling.
If you're handling timeout from SSO, then you can use Basic Authentication for Timeout.
If you want to show a warning message before the timeout happens, you can use the OOTB pxSessionTimer section.
For more on timeouts and pxSessionTimer, go through the article below.
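As an added illustration of what a "warn before timeout" section does, here is a small browser-side inactivity tracker. It is example code written for this page, not the original poster's code and not Pega's pxSessionTimer; the `IdleSession` and `installIdleWatcher` names, the 15-minute limit, the two-minute warning window and the `onWarn`/`onExpire` callbacks are all assumptions. The important caveat is that a client-side timer only improves the user experience; the authentication timeout configured on the server (the access group value, the SSO provider, or the load balancer) is what actually enforces the requirement, so the client treats an expired session as final rather than silently continuing.

```javascript
// Added example: client-side inactivity tracker in the spirit of a session
// timer section. Names, thresholds and callbacks are assumptions, not Pega APIs.
// The server-side authentication timeout still enforces the limit; this code
// only warns the user and tears down the UI when the limit is reached.

const IDLE_LIMIT_MS = 15 * 60 * 1000;   // assumed: matches the server-side timeout
const WARN_BEFORE_MS = 2 * 60 * 1000;   // assumed: warn two minutes before expiry

class IdleSession {
  // `now` is injected so the state machine can be driven without real timers.
  constructor(idleLimitMs = IDLE_LIMIT_MS, warnBeforeMs = WARN_BEFORE_MS, now = Date.now()) {
    if (warnBeforeMs >= idleLimitMs) {
      throw new RangeError('warning window must be shorter than the idle limit');
    }
    this.idleLimitMs = idleLimitMs;
    this.warnBeforeMs = warnBeforeMs;
    this.lastActivity = now;
    this.expired = false;
  }

  // Record user activity. Once expired, activity does not revive the session:
  // the server has already dropped the authenticated requestor, so the client
  // must reload and re-authenticate rather than pretend the session is alive.
  touch(now = Date.now()) {
    if (this.expired) return false;
    this.lastActivity = now;
    return true;
  }

  // Milliseconds of inactivity left before the session expires (never negative).
  remainingMs(now = Date.now()) {
    return Math.max(0, this.idleLimitMs - (now - this.lastActivity));
  }

  // Returns 'active', 'warning' or 'expired'; expiry is sticky.
  state(now = Date.now()) {
    const remaining = this.remainingMs(now);
    if (remaining === 0) this.expired = true;
    if (this.expired) return 'expired';
    return remaining <= this.warnBeforeMs ? 'warning' : 'active';
  }
}

// Browser wiring. Returns null outside a browser so the logic above stays testable.
function installIdleWatcher(session, { onWarn, onExpire, pollMs = 1000 }) {
  if (typeof window === 'undefined' || typeof document === 'undefined') return null;
  const activityEvents = ['mousemove', 'keydown', 'click', 'touchstart', 'scroll'];
  activityEvents.forEach((ev) =>
    document.addEventListener(ev, () => session.touch(), { passive: true }));
  let warned = false;
  const handle = setInterval(() => {
    const s = session.state();
    if (s === 'warning' && !warned) {
      warned = true;
      onWarn(Math.ceil(session.remainingMs() / 1000));
    }
    if (s === 'active') warned = false;
    if (s === 'expired') {
      clearInterval(handle);
      onExpire();
    }
  }, pollMs);
  return handle;
}

// Usage in a page (no-op under Node): warn, then force a reload so the server
// decides whether the requestor still exists.
installIdleWatcher(new IdleSession(), {
  onWarn: (seconds) => console.warn(`Session expires in ${seconds} s; move the mouse to stay signed in.`),
  onExpire: () => window.location.reload(),
});
```

The `state()` thresholds are the only thing worth tuning: the warning window should be shorter than the server-side timeout by enough margin that a user who reacts to the warning still produces a request before the server drops the requestor.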
#1. Why are these three options independently selectable? If all of them are enabled, which setting takes precedence over the other two?
#2. Our application is for unknown Internet users, and that is why we are implementing SSO. We need to build it in such a way that there is no "log in" concept for them, as there is not even a username issued to them. In that case there is no point in popping up a window to enter a username and password. "Use PegaRULES Timeout" will pop up a window, so this is not applicable for our application. If "Use Basic Authentication for Timeout" pops up a window, then it isn't applicable for us either, is it?
#3. What is the behavior of the "Custom Authentication Activity" timeout?
Can you explain more about your requirement? Your post says "We are implementing an application for Internet users with single sign on," and here I see "we need to build it such way that there is no "log in" concept for them as there is no even username issued for them."
How are you allowing users to access the application? Have you created a guest user and saved all the rules within unauthenticated rulesets?
You could directly use Mashup for your requirement where you want to allow access to unknown users to use the application. In case of Mashup, the timeout happens using IACTimeout and based on the requestor session.
You can also try the timeout setting at the prconfig level using the environment variable below:
<env name="timeout/browser" value="xxx in seconds" />
No, we haven't saved all rules into an unauthenticated ruleset. We have very few rules in the unauthenticated ruleset. When Internet users access Pega at .../prweb/PRServletCustom, the authentication service gets triggered. In the fired activity, the prebuilt user "guest" is Obj-Opened and logged in as "guest", who has the "MyApp:Consumers" access group, which has fewer AROs than PegaRULES:User1 but a bit more than PegaRULES:Guest (we are reviewing it).
In that sense, it is single sign-on with always the same user "guest", but Internet users are not aware of any log-in concept, as they never type in a username and password. That was what I meant.
Now, we did not deploy Mashup (formerly IAC) because we don't have any company portal to embed it in, and Internet users come directly into Pega. We basically did Save As on the IAC rules and modified some of them, such as the authentication activity. Now back to my original question. With all of the above explanation, what is the best approach for timeout settings?
Regarding your last comment, browser timeout is NOT authentication timeout but passivation timeout; the two have nothing to do with each other. If browser timeout occurs after a certain time, clipboard information is passivated. Then, when the Internet user moves the mouse, it gets activated from the passivation data in the database table and they can resume their operation. My question is not about that, but specifically about authentication timeout. I hope I have clarified everything.
It seems like you are asking for an answer to a business requirement that has not been clearly explained.
What is the business requirement?
Also, you can have timeouts implemented at the application server and load balancer as well. If you have an application that does not have the concept of a user ID and is more of a temporary session, why not just kill the user's session completely at the load balancer?