MyTechReference - Technical Notes


by IDAMGroup

CA Siteminder Session timeout

How to Configure Session timeout in CA Siteminder r12.51

SiteMinder maintains the user session information. To protect the user session, the Policy Server applies two timeout values that control when that session information is recycled:

  • Maximum Timeout
  • Idle Timeout


Maximum Timeout

The maximum amount of time a user session can be active before the agent challenges the user to re-authenticate. By default it is set to 2 hours. To specify no maximum session length, clear the check box.

Note: To use this feature with the Basic authentication scheme, your Web Agent must be configured to Require Cookies.

Idle Timeout

The amount of time that an authorized user session can remain inactive before the agent terminates the session. If you are concerned about users leaving their workstations after accessing a protected resource, set the idle timeout to a shorter period of time. If the session times out, users must re-authenticate before accessing the resources in the realm. By default it is set to 1 hour. To specify no session idle timeout, clear the check box.

Non-Persistent

A non-persistent cookie is one that is maintained only in the memory of the web browser.

Persistent

User sessions are tracked in the session store and optional cookies. If you select this option, the Idle Timeout Enabled option must be set. You can specify a validation period as well.

Redirection URL after the timeout

You can redirect users to a different page once a timeout occurs. This is configured in the Agent Configuration Object (ACO).

Create the desired page, place it in the document root of the web server, and configure the ACO.

MaxTimeoutURL

To redirect when the Maximum Timeout occurs, enable the MaxTimeoutURL parameter in the ACO:

Agent -> Agent Configuration Objects -> WebOne_ACO

Enable the MaxTimeoutURL parameter and add the redirect link.


IdleTimeoutURL

To redirect when the Idle Timeout occurs, enable the IdleTimeoutURL parameter in the ACO:

Agent -> Agent Configuration Objects -> WebOne_ACO

Enable the IdleTimeoutURL parameter and add the redirect link.


Enforce Timeouts across Multiple Realms

In a Single Sign-On environment you can override the timeouts of the original realm.

Example:

If a user enters a new WebsiteA realm from WebsiteB through single sign-on, the timeout values for the WebsiteA realm are still governed by the session that was established by the initial login at the WebsiteB realm. If you have different timeout values for different realms and you want each realm to use its own timeout values, you can override the timeouts of the original realm by setting the EnforceRealmTimeouts parameter to yes.

Here are the steps to enforce timeouts across multiple realms:
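The following is an added example, not SiteMinder code: a small model of the Maximum/Idle timeout rules and of the EnforceRealmTimeouts override described above, so the difference between "the original login realm governs the session" and "the current realm governs the session" can be exercised on the WebsiteB to WebsiteA scenario. The class names, field names, timeout values and redirect paths are assumptions chosen for illustration, and the model measures the maximum lifetime from the original login in both modes.

```python
# Added example, not SiteMinder code: a model of the Maximum/Idle timeout rules
# and of the EnforceRealmTimeouts override described on this page. Class names,
# field names and sample values are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RealmTimeouts:
    """Session timeout settings of one realm (values in seconds)."""
    name: str
    max_timeout: Optional[int]   # lifetime since login; None = no maximum (check box cleared)
    idle_timeout: Optional[int]  # gap since last request; None = no idle timeout


@dataclass(frozen=True)
class AgentConfig:
    """The ACO parameters this page touches (assumed representation)."""
    max_timeout_url: str = ""            # MaxTimeoutURL; empty = no redirect configured
    idle_timeout_url: str = ""           # IdleTimeoutURL
    enforce_realm_timeouts: bool = False


@dataclass
class Session:
    """A session established by an initial login, then carried into other realms by SSO."""
    login_realm: RealmTimeouts
    login_at: int    # epoch seconds of the initial authentication
    last_seen: int   # epoch seconds of the last accepted request


def governing_timeouts(session: Session, current_realm: RealmTimeouts,
                       aco: AgentConfig) -> RealmTimeouts:
    """Without EnforceRealmTimeouts the realm of the initial login keeps governing
    the session after SSO; with it set to yes, the current realm's values apply."""
    return current_realm if aco.enforce_realm_timeouts else session.login_realm


def check_session(session: Session, current_realm: RealmTimeouts,
                  aco: AgentConfig, now: int) -> Tuple[str, str]:
    """Evaluate one request. Returns (state, redirect_url) where state is
    'active', 'max_timeout' or 'idle_timeout'. The maximum timeout is checked
    first: a session past its lifetime must re-authenticate even if it was busy.
    Simplification: the lifetime is always measured from the original login."""
    t = governing_timeouts(session, current_realm, aco)
    if t.max_timeout is not None and now - session.login_at >= t.max_timeout:
        return "max_timeout", aco.max_timeout_url
    if t.idle_timeout is not None and now - session.last_seen >= t.idle_timeout:
        return "idle_timeout", aco.idle_timeout_url
    session.last_seen = now          # an accepted request resets the idle clock
    return "active", ""


def sso_walkthrough(enforce: bool) -> list:
    """Replay the WebsiteB -> WebsiteA scenario from the text with constructed values:
    WebsiteB uses the defaults (2 h max, 1 h idle); WebsiteA is stricter."""
    website_b = RealmTimeouts("WebsiteB", max_timeout=7200, idle_timeout=3600)
    website_a = RealmTimeouts("WebsiteA", max_timeout=1800, idle_timeout=600)
    aco = AgentConfig("/maxtimeout.html", "/idletimeout.html", enforce)
    session = Session(login_realm=website_b, login_at=0, last_seen=0)
    steps = [(website_b, 0), (website_a, 100), (website_a, 800), (website_a, 2000)]
    return [(realm.name, now, check_session(session, realm, aco, now))
            for realm, now in steps]


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"EnforceRealmTimeouts={'yes' if enforce else 'no'}")
        for realm, now, result in sso_walkthrough(enforce):
            print(f"  t={now:5d}s  {realm:8s} -> {result}")
```

With EnforceRealmTimeouts off, every request in the walkthrough stays active because WebsiteB's looser limits follow the session into WebsiteA; with it on, the request at t=800 s trips WebsiteA's 600 s idle limit and the one at t=2000 s trips its 1800 s maximum, each returning the matching ACO redirect URL.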

1. Enable the EnforceRealmTimeouts parameter

Agent -> Agent Configuration Objects -> WebOne_ACO


2. Create a Response

To override the Maximum Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Max-Timeout response attribute.

To override the Idle Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute.

Policies -> Domain -> Responses


Select a Domain


Click Create Response.


Set the attribute WebAgent-OnAuthAccept-Session-Max-Timeout to Yes.


And set WebAgent-OnAuthAccept-Session-Idle-Timeout to Yes.


Assign the created response to the domain.


Click Submit.

3. Add the response to the Realm

Add the response to the realm where you want to supersede the original timeouts.


Click Submit to save the changes.

Testing

Now when you log in to WebsiteB and SSO to WebsiteA, the WebsiteA realm timeout overrides the WebsiteB timeout value.

The Web Agent log shows that when you switch from WebsiteB to WebsiteA, the agent applies the enforced realm timeout values.

Web Agent logs

[03/06/2014][22:47:41][7698][1281976080][CSmLowLevelAgent.cpp:1105][AuthenticateUser][00000000000000000000000059670a0a-1e12-5319415d-4c696710-10cd64a90344][10.10.13.15][][webone_agent][/favicon.ico][kmith][Enforcing realm timeouts.]

And when the timeout occurs:

[03/06/2014][22:48:55][7683][3627890432][LLAWorkerProcess.cpp:1830][main][][][][][][][Received DoManagement CACHE_FLUSH_THIS_REALM command for realm '06-c6e6def6-cbf1-4d2f-8ded-e7f967c2826c'.]
[03/06/2014][22:49:03][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][][Delivering response to Manage query received from client '7699.1399473936']
[03/06/2014][22:49:03][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][][Delivering response to Manage query received from client '7790.1214834448']
[03/06/2014][22:49:04][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][][Delivering response to Manage query received from client '7697.1407866640']
[03/06/2014][22:49:09][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][][Delivering response to Manage query received from client '7698.1240012560']
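As an added example (not CA or SiteMinder tooling), the script below parses the bracketed Web Agent trace format shown above and pulls out the two events that confirm the configuration is working: the "Enforcing realm timeouts." decision on the request that crossed into the new realm, and the realm cache flush that follows the timeout. The column names are assumptions made from the visible fields (the ninth column is empty in every line here, so it is simply labelled unused); the sample lines are the log excerpt from this page.

```python
# Added example, not CA/SiteMinder tooling: parse the bracketed Web Agent trace
# lines shown on this page and extract the realm-timeout enforcement events.
# Column names are assumptions made from the visible fields.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One bracketed field after another. A message that itself contained ']' would
# split into extra fields; the column-count check in parse_line then skips the
# line rather than producing a mislabelled record.
FIELD_RE = re.compile(r"\[([^\]]*)\]")
FIELD_NAMES = ("date", "time", "pid", "tid", "source", "function", "session_id",
               "client_ip", "unused", "agent", "resource", "user", "message")
REALM_FLUSH_RE = re.compile(r"CACHE_FLUSH_THIS_REALM command for realm '([^']+)'")

# The log excerpt from this page, used as sample input.
SAMPLE_LOG = [
    "[03/06/2014][22:47:41][7698][1281976080][CSmLowLevelAgent.cpp:1105][AuthenticateUser]"
    "[00000000000000000000000059670a0a-1e12-5319415d-4c696710-10cd64a90344][10.10.13.15][]"
    "[webone_agent][/favicon.ico][kmith][Enforcing realm timeouts.]",
    "[03/06/2014][22:48:55][7683][3627890432][LLAWorkerProcess.cpp:1830][main][][][][][][]"
    "[Received DoManagement CACHE_FLUSH_THIS_REALM command for realm "
    "'06-c6e6def6-cbf1-4d2f-8ded-e7f967c2826c'.]",
    "[03/06/2014][22:49:03][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][]"
    "[Delivering response to Manage query received from client '7699.1399473936']",
    "[03/06/2014][22:49:03][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][]"
    "[Delivering response to Manage query received from client '7790.1214834448']",
    "[03/06/2014][22:49:04][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][]"
    "[Delivering response to Manage query received from client '7697.1407866640']",
    "[03/06/2014][22:49:09][7683][3523172112][LLAWPMsgBus.cpp:259][ProcessMessage][][][][][][]"
    "[Delivering response to Manage query received from client '7698.1240012560']",
]


@dataclass(frozen=True)
class TimeoutEvent:
    kind: str        # "enforce_realm_timeouts" or "realm_cache_flush"
    timestamp: str   # "date time" exactly as logged
    user: str = ""
    resource: str = ""
    realm_id: str = ""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one trace line into named columns; None if it is not a 13-column line."""
    fields = FIELD_RE.findall(line.strip())
    if len(fields) != len(FIELD_NAMES):
        return None
    return dict(zip(FIELD_NAMES, fields))


def find_timeout_events(lines: List[str]) -> List[TimeoutEvent]:
    """Return the enforcement decisions and realm cache flushes, in log order."""
    events: List[TimeoutEvent] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when = f"{rec['date']} {rec['time']}"
        if rec["message"] == "Enforcing realm timeouts.":
            events.append(TimeoutEvent("enforce_realm_timeouts", when,
                                       user=rec["user"], resource=rec["resource"]))
            continue
        m = REALM_FLUSH_RE.search(rec["message"])
        if m:
            events.append(TimeoutEvent("realm_cache_flush", when, realm_id=m.group(1)))
    return events


if __name__ == "__main__":
    for event in find_timeout_events(SAMPLE_LOG):
        print(event)
```

Run against the excerpt it reports one enforcement event for user kmith on /favicon.ico and one cache flush for the realm id in the second line; the four ProcessMessage lines parse cleanly but produce no event, which is the expected result when filtering a real trace for these two markers.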

---------------------------------------------------------------------------------------------------------------------------------------------

Disclaimer: Content posted here worked for me and may not guarantee success, should be used as reference only and please use it cautiously.