Session Timeout for Oracle Single Sign-On Server

Idle Session Timeout is value (in minutes for Oracle Single Sign-On Server) after which user has to re-login, if they are inacte (No Activity / Idle) during that time. It is recommended to set Idle Session time out (Global Inactivity timeout) for security reasons. By default there is No Value set for Idle Session Timeout for Oracle Single Sign-On Server Server which means any application (like portal, discoverer, BI, forms & reports) using Oracle Single Sign-on for authentication will NOT logout user session because of Inactivity (This can be a Security Risk).

Default Session Time Out value for Oracle E-Business Suite 11i/R12 is 30 Minutes to know more about Idle Session timeout in Oracle Apps 11i, R12 check my previous post at Idle Session in Oracle Apps R12, 11i

Default Session Timeout for Apps 11i/R12 integrated with Single Sign-On Server
——————————————————————————–
For Oracle E-Business Suite (Apps 11i/R12) Customers integrated with Oracle Single Sign-On, default session time out for E-Business Suite/11i/R12 is 30 minutes where as no value for SSO which means If Apps User try to access apps after 30 minutes of Inactivity, user will get warning that session timeout and prompted to re-login. This will take user to new window and user without actually typing user name password can re-login to Apps.

The reason behind this security loop hole is that user logged out from Apps 11i/R12 after 30 minutes of inactivity but user cookie is still valid on SSO(as no idle session time out set on SSO Server) and user can re-login to apps without entering password as its authenticated by SSO server.

How to avoid this situation ?
Make Idle Session Timeout for Oracle SSO server in line with Apps 11i/R12

How to set Session Time out or Global Inactivity Timeout for Oracle Single Sign-On Server
—————————————————————————————–

1. Execute ssogito.sql from $ORACLE_HOME/sso/admin/plsql/sso  (on SSO Tier) as orasso schema
2. There are few more steps on SSO server which you can find in link below
 

Oracle Documentation
———————————
Configuring the Global User Inactivity Timeout at Global Inactivity Timeout in Oracle SSO Server

You can subscribe to posts from this site in your mail box from right menu bar and contact me using Contact Us page on this site for feedback and things you like to see on this site.

 

Related Docs

357687.1 – How to Verify if mod_osso Global Inactivity Timeout (GITO) is Working
301894.1 – What is the difference between the SSO session duration timeout and the global inactivity timeout values
340708.1 – Global Inactivity TimeOut (GITO) does not work
561224.1 – Where In The Metadata Repository Database Is The GITO Cookie Name Stored?
445336.1 – SSO Global Inactivity Timeout Is Not Protecting the Customize Link
418385.1 – Interminent 500 Internal Server Error accessing Production with SSO GIT set on Test system

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

8 comments
Amit Garg says March 31, 2008

Hello All,

We are facing a problem where customer is getting oracle timeout screen after 30 minutes. They have a gatekeeper screen for which they have the login other than Oracle FND users so once a person is logged in thru gatekeeper, they are able to access the applications but if a timeout happens, it navigates to oracle standard log out screen but they don’t have oracle fnd users so they want gatekeeper screen to come so that they can log in again.

Proposed solution- they want an alert message to come on Oracle timeout screen by which they can go to Gate keeper screen.

Can anyone please suggest me how to implement the same. I am very new to OAF so doesn’t know anything on the same.

Any help will be highly appreciated.

Thanks & regards,
Amit Garg

Reply
rajan says March 17, 2009

Atul,

FYI ssogito.sql doesn’t work with R12.

It is presently tracked by bug Bug.6868527/6151697 (15) CERTIFICATION OF SSO GLOBAL INACTIVITY TIMEOUT (GITO) WITH RELEASE 12:

Bug.6151697/5238327 (15) NEED SSO MECHANISM TO TIMEOUT EBIS PARTNER APPS WITHOUT TIMING OUT OTHER REGISTERED PARTNER APPS

Global User Inactivity Timeout will work with MOD_OSSO based partner applications ONLY. Oracle E-Business Suite Release 11i uses an pre-packaged SSOSDK approach and NOT the MOD_OSSO. However, Oracle E-Business Suite Release 12 is an MOD_OSSO based partner Apps.

SSO Global Inactivity time-out (GITO) also has a known restriction that it does not work automatically for dynamically protected pages, as all pages are on R12 which is dynamically protected , unless each page check for expiration. Hence, there still needs to be a relative Apps code to consume this SSO timeout.

Thanks
Rajan

Reply
Sridhar1985 says April 29, 2009

Hi Atul,

My developers did one hibernate application. For that we need to set DB session time out. For this what i have to do? Please help me out. This is very urgent for me.

Thanks in Advance
Sridhar

Reply
oim_user says February 25, 2011

Hi
How can I change time out for Oracle Identity Manager Administrative and User Console

Reply
srini says February 21, 2012

Hi,

I need to find how to Enable Auditing for Users through backend select & update query i required.if possible could you pls give me reply.

Thanks in advance…

Reply
Pierre says April 1, 2013

Hi Amit

Did you find a solution to your problem? I am facing the same challenge . When the session is timedout, I am getting the standard HRMS screen and not the SSO one

Regards
Pierre

Reply
    Atul Kumar says April 1, 2013

    What is IDLE session timeout for SSO server and application ? Keep both same or keep Idle Session for SSO slightly lower than set in business application.

    Reply
Add Your Reply

Not found