Grid Principals and Sessions
When a user has been authenticated, a grid principal and a session are created for that user. The grid principal is the grid’s logical representation of a user and the accompanying information, such as roles. The grid and its applications can query the grid principal for role membership to make authorization decisions.
A grid session, or more correctly a grid session identifier, is what a client uses to refer to a grid principal. The session identifier lives on the client, and the grid session, with its associated grid principal, is handled by the grid. When a client needs to access a proxy interface, it sends the session ID along with the proxy call. The grid can then validate the call using the associated grid principal.
A grid session times out after a pre-configured amount of inactive time. The default value is 60 minutes, but this can be changed by editing the grid security property "Default Session Timeout". When a session either times out or is explicitly deleted, any client trying to refer to that session receives an exception back. It is up to the client to deal with that exception in a suitable manner.
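The session model described above (a session identifier held by the client, a grid session holding the principal on the grid side, an inactivity timeout, explicit deletion, and an exception for any later reference) as an added example; this is illustrative code, not ION Grid's own implementation. The class and function names, the injected clock, and the role check in `call_proxy` are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass

# The page's default "Default Session Timeout" of 60 minutes, expressed in seconds.
DEFAULT_SESSION_TIMEOUT_SECONDS = 60 * 60


class SessionException(Exception):
    """Raised when a client refers to a session that has timed out or was deleted."""


class AuthorizationException(Exception):
    """Raised when the grid principal lacks the role a proxy call requires."""


@dataclass(frozen=True)
class GridPrincipal:
    """The grid's logical representation of an authenticated user and its roles."""
    name: str
    roles: frozenset

    def has_role(self, role: str) -> bool:
        return role in self.roles


@dataclass
class GridSession:
    principal: GridPrincipal
    origin: str            # where the call that established the session came from
    last_activity: float   # clock reading of the most recent use of the session


class SessionStore:
    """Server-side session table; the client only ever holds the session id."""

    def __init__(self, timeout_seconds=DEFAULT_SESSION_TIMEOUT_SECONDS, clock=time.monotonic):
        self._timeout = timeout_seconds
        self._clock = clock          # injectable so the timeout can be tested deterministically
        self._sessions = {}

    def create(self, principal: GridPrincipal, origin: str) -> str:
        # An unguessable identifier is what the client sends back with each proxy call.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = GridSession(principal, origin, self._clock())
        return session_id

    def resolve(self, session_id: str) -> GridPrincipal:
        """Map a client-supplied session id to its principal, enforcing the inactivity timeout."""
        session = self._sessions.get(session_id)
        if session is None:
            raise SessionException("unknown or deleted session")
        now = self._clock()
        if now - session.last_activity > self._timeout:
            del self._sessions[session_id]
            raise SessionException("session timed out after inactivity")
        session.last_activity = now  # any valid use resets the inactivity clock
        return session.principal

    def delete(self, session_id: str) -> None:
        """Explicit (premature) deletion, as from the Sessions management page."""
        self._sessions.pop(session_id, None)

    def remaining_life(self, session_id: str) -> float:
        """Seconds of inactivity left before the session expires (0 if gone)."""
        session = self._sessions.get(session_id)
        if session is None:
            return 0.0
        return max(0.0, self._timeout - (self._clock() - session.last_activity))


def call_proxy(store: SessionStore, session_id: str, required_role: str, action) -> object:
    """A proxy call: validate the session id, then authorize against the principal's roles."""
    principal = store.resolve(session_id)  # raises SessionException if expired/deleted
    if not principal.has_role(required_role):
        raise AuthorizationException(f"{principal.name} lacks role {required_role}")
    return action(principal)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create(GridPrincipal("user", frozenset({"grid-admin"})), origin="constructed-client")
    print(call_proxy(store, sid, "grid-admin", lambda p: f"ok for {p.name}"))
    store.delete(sid)
    try:
        call_proxy(store, sid, "grid-admin", lambda p: "unreachable")
    except SessionException as exc:
        print("client must handle:", exc)
```

The client's only responsibility is to present the identifier and handle `SessionException`; the timeout is measured from the last successful use, so an active client never expires, while an idle one does even if its identifier is still stored locally.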
Certificate-based Authentication
When using a trusted client (any client connecting with SSL; see the illustration in ION Grid security overview), there is no need for session identifiers to be propagated. In that case, the grid principal is intrinsic to the connection between the client and the grid and can be directly queried on the server side. Note that in this case no session is created and, therefore, there is no session timeout. The authentication is valid as long as the SSL connection stays open.
Active Sessions
All current sessions can be viewed from the Grid Management Pages, by selecting Advanced > Sessions. For each session, the principal, its roles, the origin of the call that established the session, and its remaining life are listed. It is also possible to delete sessions prematurely. Only users with the grid-admin role are allowed to view the contents.
Grid Principal Name for various Session Providers
After a successful logon, a grid principal is created to store information about the user session. The session ID is a reference to the session and this session contains the grid principal. One of the most commonly used grid principal attributes is the name of the user.
The name is created differently depending on which session provider is in use. This is important because the name is also used in grid role mappings; see Defining role mappings. Some session providers truncate the username used for logon, for example removing domain information.
This table shows how the name of the grid principal is created for the different session providers:
| Session provider | Description |
|---|---|
| Windows Session Provider | The name of the grid principal is the truncated username. If a user logs on with `mydomain\user`, the name of the grid principal will be "user". If a user logs on with `user.name@mydomain.com`, the name of the grid principal will be "user.name". |
| SAML Session Provider | The name of the grid principal is retrieved from one of the claims included in the SAML token returned by the IdP. To configure which claim should be used as the name of the grid principal, set the `sp.identity.claim.name` property for the SAML Session Provider. This property is normally set during installation. For installations performed with the "Standard M3" LCM installation profile, the default claim value is For other on-premise installations, the default claim value is |
| LDAP Session Provider | The name of the grid principal is set to the username used for logon. The name is set to the correct character case according to the LDAP server. |
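The name-derivation rules in the table, worked through as an added example that is not ION Grid's own code. Each function models one row: the Windows provider strips the domain from `mydomain\user` and `user.name@mydomain.com` forms, the SAML provider reads whichever claim `sp.identity.claim.name` selects, and the LDAP provider keeps the logon name but normalizes its case to what the directory holds. The `colliding_logons` helper goes one step beyond the page to show why truncation matters for role mappings: two logons from different domains can yield the same grid principal name and therefore the same role mapping. The function names, the claim name `nameid`, and the LDAP lookup dictionary are constructed for the example.

```python
from collections import defaultdict


def windows_principal_name(logon_name: str) -> str:
    """Windows Session Provider: the truncated username, with domain information removed."""
    if "\\" in logon_name:                       # DOMAIN\user form: keep the part after the backslash
        return logon_name.rsplit("\\", 1)[1]
    if "@" in logon_name:                        # user@domain form: keep the part before the '@'
        return logon_name.split("@", 1)[0]
    return logon_name                            # no domain present: unchanged


def saml_principal_name(claims: dict, claim_name: str) -> str:
    """SAML Session Provider: the value of the claim selected by sp.identity.claim.name."""
    if claim_name not in claims:
        raise KeyError(f"SAML token carries no claim named {claim_name!r}")
    return claims[claim_name]


def ldap_principal_name(logon_name: str, directory: dict) -> str:
    """LDAP Session Provider: the logon name, in the character case the LDAP server holds.

    `directory` is a constructed stand-in for the server: lower-cased name -> stored name.
    """
    try:
        return directory[logon_name.lower()]
    except KeyError:
        raise KeyError(f"no LDAP entry for {logon_name!r}") from None


def colliding_logons(windows_logons: list) -> dict:
    """Group Windows logons that truncate to the same grid principal name.

    Because role mappings are keyed on the principal name, every logon in a group
    with more than one member receives the same roles; this is the check to run
    before allowing more than one domain to authenticate against the grid.
    """
    groups = defaultdict(list)
    for logon in windows_logons:
        groups[windows_principal_name(logon)].append(logon)
    return {name: logons for name, logons in groups.items() if len(logons) > 1}


if __name__ == "__main__":
    print(windows_principal_name("mydomain\\user"))              # user
    print(windows_principal_name("user.name@mydomain.com"))      # user.name
    print(saml_principal_name({"nameid": "alice"}, "nameid"))    # alice
    print(ldap_principal_name("ALICE", {"alice": "Alice"}))      # Alice
    print(colliding_logons(["mydomain\\user", "otherdomain\\user", "bob@example.test"]))
```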