This is a very important consideration when you deploy your IDM system in a live environment. Assume there is a Web Server in the DMZ zone: you will see a firewall between the WebGate installed on the Web Server and the Access Server, which sits in the Application Zone.
When you create a WebGate profile, the parameter Maximum Client Session Time (hours) has a default value of 24 hours. It specifies how long the connection between a WebGate and an Access Server can last. Obviously, the longer the value, the more exposed the system is to attack.
Mostly the firewall timeout will be less than or equal to 1 hour (it could be client-specific as well), which means that all application sessions traversing this firewall will be dropped after 1 hour.
To be on the safe side, it is better for the applications themselves to close the connections rather than having the firewall drop them.
In the case of the WebGate to Access Server connection, we can add a User Defined parameter in the WebGate profile that allows you to specify the timeout in minutes, as shown below.
In this case, if we assume the firewall timeout is 60 minutes, we can close WebGate to Access Server connections in less than 60 minutes, as shown below.
On similar lines, other sessions, such as LDAP and DB connections, have to be closed before the firewall drops them.
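A small configuration check for the rule described above, added here as an example and not part of the original post or of any Oracle tooling: it reads the WebGate session-time setting out of a profile fragment and reports whether the WebGate will close the connection before the firewall's idle timeout. The profile snippet is constructed, and the parameter names `maxSessionTime` / `maxSessionTimeUnits` are assumed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in NameValPair style; parameter names are assumed, not taken from the post.
SAMPLE_PROFILE = """<CompoundList xmlns="http://www.oblix.com/" ListName="">
  <SimpleList>
    <NameValPair ParamName="id" Value="Webgate_IDM"/>
    <NameValPair ParamName="maxSessionTime" Value="24"/>
    <NameValPair ParamName="maxConnections" Value="1"/>
  </SimpleList>
</CompoundList>
"""


def read_params(xml_text: str) -> dict:
    """Collect every NameValPair ParamName/Value into a dict (namespace-agnostic)."""
    root = ET.fromstring(xml_text)
    params = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "NameValPair":
            params[el.get("ParamName")] = el.get("Value")
    return params


def session_time_minutes(params: dict) -> int:
    """Normalise the WebGate max client session time to minutes.
    The profile default is 24 hours; units fall back to hours when absent."""
    value = int(params.get("maxSessionTime", "24"))
    units = params.get("maxSessionTimeUnits", "hours").lower()
    if units == "minutes":
        return value
    if units == "hours":
        return value * 60
    raise ValueError(f"unknown maxSessionTimeUnits value: {units}")


def check_against_firewall(params: dict, firewall_idle_minutes: int) -> dict:
    """Safe only when the WebGate closes strictly before the firewall drops the idle session."""
    wg_minutes = session_time_minutes(params)
    return {
        "webgate_minutes": wg_minutes,
        "firewall_minutes": firewall_idle_minutes,
        "safe": wg_minutes < firewall_idle_minutes,
        # leave a small margin so the application side always closes first
        "recommended_minutes": max(1, firewall_idle_minutes - 5),
    }


if __name__ == "__main__":
    print(check_against_firewall(read_params(SAMPLE_PROFILE), 60))
```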
I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc. I am also well versed with complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience on products such as Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc. Look @ my blog: http://talkidentity.blogspot.com