General requirements for session management
Compliance with the eIAM requirements for session management is mandatory for applications that are operated within the networks of the Federal Administration! Sessions between the user and the eIAM-Web PEP and between the eIAM-Web PEP and the application are necessary if the application carries state.
The general requirements for session management are described below. For detailed requirements, see
SSO Session on PEP and Session in Application
It is important to distinguish between the SSO session on the eIAM-Web PEP and the session in the individual applications. When accessing an application directly (without eIAM), a session is created between the web browser and this application. However, as soon as the application is protected by an eIAM-Web PEP, an SSO session is created between the web browser and the eIAM-Web PEP. The web browser has only one SSO session, namely the one with the eIAM-Web PEP. This also applies when several applications behind the same eIAM-Web PEP are accessed by the same user. However, each of these applications has its own independent session with the eIAM-Web PEP. All these sessions are bound to the same SSO session on the PEP and are terminated when the SSO session is terminated, either by a user-triggered logout or by a session timeout detected by the eIAM-Web PEP.
Session Tracking
The session tracking of the application has to be done by session cookie. URL rewriting as a session tracking method is not supported by eIAM.
9th rule: The use of cookies for session tracking of the application is mandatory.
Single-Sign-On (SSO)
SSO stands for single sign-on and means that the end user only has to log on once and can then access all resources belonging to this SSO domain for a predefined time without having to log on again. If the user accesses the first application of an SSO domain, he must first log in (authenticate). If the user then accesses another application within the same SSO domain, there is no need to log in because an SSO session already exists on the PEP.
SSO domain
Put simply, an SSO domain includes all applications served by an eIAM-Web PEP that share the same session cookie. In other words, all applications behind an eIAM-Web PEP can form an SSO domain if they are accessible via the same FQDN or via multiple FQDNs, which can form a common cookie domain.
eIAM - Session Timings PEP and Application
The eIAM-Web PEP is the master of all sessions. In general, it should always be the PEP that closes the sessions of the applications in use. Therefore it is important that the sessions between the eIAM-Web PEP and the application have a longer lifetime than the sessions between the web browser and the eIAM-Web PEP (see table below). Within one SSO session between the web browser and the PEP, multiple applications can be protected in the same SSO domain on the PEP. The point in time at which the individual applications are used by the user within the same SSO session on the PEP is variable. For example, application A may be used right at the beginning of the SSO session and then not for a long time, while application D is only used on the PEP towards the end of the maximum lifetime of the session. Accordingly, it is important that applications adjust their session duration and timeouts to the PEP.
| Parameter | Value | Comment |
| --- | --- | --- |
| eIAM-Web PEP Session-Lifetime | 43200 sec (12 hours); absolute | After this time the session will be invalidated in any case and the user has to log in again. All applications used via the PEP during the session are notified by logout URI so that they can close their session cleanly. |
| eIAM-Web PEP Inactivity Interval | 7200 sec (120 min); absolute | After this time, the session on the PEP is destroyed if inactivity is detected. The user must start a new session. With this value, the session also survives minor interruptions such as short meetings, breaks, etc. The inactivity interval on the applications must be longer. |
| Application Session Lifetime | Variable: SessionNotOnOrAfter | The maximum session lifetime of the application should be longer than that of the PEP. The application SHALL calculate the lifetime of its session using the value from the "SessionNotOnOrAfter" attribute in the "AuthnStatement" of the SAML assertion of the PEP. |
| Application Inactivity Interval | Variable: SessionNotOnOrAfter | The application's inactivity interval shall be long enough to allow the application to be used until the end of the SSO session on the PEP. The application SHOULD calculate the lifetime of its session using the value from the "SessionNotOnOrAfter" attribute in the "AuthnStatement" of the SAML assertion of the PEP. If the inactivity interval of the application is shorter, the application must establish a new security context with the PEP by issuing a new SAML 2.0 AuthnRequest to the PEP. |
10th rule: Application timings shall be higher than those on the PEP. The PEP is the master over the sessions.
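The following Python sketch is an added example and not code from the eIAM documentation or the eIAM platform. It shows how an application can apply the rules of the "Session Tracking" and "Session Timings" sections together: the application session is tracked by a cookie only (9th rule), its Max-Age is derived from the SessionNotOnOrAfter attribute of the AuthnStatement in the PEP's assertion, the configured application timings are checked against the PEP values from the table (10th rule), a request arriving after the application session has timed out is answered with a new SAML 2.0 AuthnRequest, and the logout URI handler closes the session when the PEP ends the SSO session. The cookie name, the constructed sample assertion (issuer, IDs, times) and the in-memory store are assumptions.

```python
# Added example, not part of the eIAM documentation. Cookie name, sample
# assertion (issuer, IDs, times) and the in-memory store are assumptions.
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from http.cookies import SimpleCookie

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PEP_SESSION_LIFETIME = 43200     # seconds, eIAM-Web PEP absolute lifetime (table above)
PEP_INACTIVITY_INTERVAL = 7200   # seconds, eIAM-Web PEP inactivity interval (table above)
COOKIE_NAME = "APPSESSION"       # assumed application session cookie name

# Constructed sample assertion: only the AuthnStatement attributes matter here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2024-05-06T08:00:00Z">
  <saml:Issuer>https://pep.example.invalid</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2024-05-06T08:00:00Z"
      SessionIndex="_example-session-index"
      SessionNotOnOrAfter="2024-05-06T20:00:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML xs:dateTime values are UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_not_on_or_after(assertion_xml):
    """Read SessionNotOnOrAfter from the AuthnStatement of the PEP's assertion."""
    stmt = ET.fromstring(assertion_xml).find("saml:AuthnStatement", SAML_NS)
    if stmt is None or "SessionNotOnOrAfter" not in stmt.attrib:
        raise ValueError("assertion carries no AuthnStatement/SessionNotOnOrAfter")
    return parse_saml_time(stmt.attrib["SessionNotOnOrAfter"])


def check_application_timings(app_lifetime, app_inactivity):
    """10th rule: the configured application timings must exceed the PEP's."""
    return app_lifetime > PEP_SESSION_LIFETIME and app_inactivity > PEP_INACTIVITY_INTERVAL


class AppSessionStore:
    """In-memory application sessions, tracked by cookie only (9th rule)."""

    def __init__(self, inactivity_interval):
        self.inactivity = timedelta(seconds=inactivity_interval)
        self.sessions = {}

    def create_from_assertion(self, assertion_xml, now):
        """After the PEP's SAML response was validated: open the session and
        return (session id, Set-Cookie header value) with Max-Age taken from
        SessionNotOnOrAfter, so the PEP remains the master of the session."""
        expires = session_not_on_or_after(assertion_xml)
        if expires <= now:
            raise ValueError("SessionNotOnOrAfter already passed")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"expires": expires, "last_seen": now}
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = sid
        morsel = cookie[COOKIE_NAME]
        morsel["max-age"] = int((expires - now).total_seconds())
        morsel["path"] = "/"
        morsel["secure"] = True
        morsel["httponly"] = True
        morsel["samesite"] = "Lax"
        return sid, morsel.OutputString()

    def handle_request(self, cookie_header, now):
        """'serve' when the cookie names a live session, otherwise 'authn_request':
        the application must send a new SAML 2.0 AuthnRequest to the PEP.
        Session ids in the URL are never consulted (URL rewriting is unsupported)."""
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        morsel = cookie.get(COOKIE_NAME)
        sid = morsel.value if morsel else None
        sess = self.sessions.get(sid)
        if sess is None:
            return "authn_request"
        if now >= sess["expires"] or now - sess["last_seen"] > self.inactivity:
            del self.sessions[sid]      # absolute or inactivity timeout
            return "authn_request"
        sess["last_seen"] = now
        return "serve"

    def logout(self, sid):
        """Handler for the logout URI the PEP calls when the SSO session ends."""
        return self.sessions.pop(sid, None) is not None


def run_demo():
    """Login at 08:00, activity, inactivity timeout, re-login, PEP-triggered logout."""
    login = parse_saml_time("2024-05-06T08:00:00Z")
    store = AppSessionStore(inactivity_interval=PEP_INACTIVITY_INTERVAL + 600)
    sid, set_cookie = store.create_from_assertion(SAMPLE_ASSERTION, login)
    header = f"{COOKIE_NAME}={sid}"
    results = {
        "timings_ok": check_application_timings(PEP_SESSION_LIFETIME + 600,
                                                PEP_INACTIVITY_INTERVAL + 600),
        "set_cookie": set_cookie,
        "no_cookie": store.handle_request("", login),
        "active": store.handle_request(header, login + timedelta(hours=1)),
        "after_inactivity": store.handle_request(
            header, login + timedelta(hours=1, seconds=PEP_INACTIVITY_INTERVAL + 601)),
    }
    # The SSO session on the PEP is still valid at 12:00, so the new AuthnRequest
    # yields a fresh assertion; the app session now only lasts until 20:00.
    sid2, set_cookie2 = store.create_from_assertion(SAMPLE_ASSERTION, login + timedelta(hours=4))
    results["relogin_max_age"] = int(set_cookie2.split("Max-Age=")[1].split(";")[0])
    results["logout"] = store.logout(sid2)
    results["after_logout"] = store.handle_request(f"{COOKIE_NAME}={sid2}", login + timedelta(hours=5))
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The cookie's Max-Age is the time remaining until SessionNotOnOrAfter at the moment the assertion is consumed, so an application first entered late in the SSO session (application D in the text) receives a correspondingly short cookie, while the configured inactivity interval stays above the PEP's 7200 seconds. Whenever the application session is gone but the SSO session on the PEP still exists, the "authn_request" path re-establishes the security context without a user login, exactly as the table's last row requires.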