Understanding the Realm idle timeout enforcement applied at login

Article ID: 15410

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

The default value for EnforceRealmTimeouts is No, as per the
documentation (1).

In the login domain, where the session cookie is generated, the realm
is defined with an idle timeout of 1 hour, while an application realm
has an idle timeout of 2 hours. No EnforceRealmTimeouts parameter is
specified in either the login-domain Web Agent or the application Web
Agent, yet the observed behavior is that the idle timeout is being
overwritten by the application agent.

Environment

Policy Server all versions
Web Agent R12.52 SP1 CR06

Resolution

Even though the login server has its own idle timeout (and applies it),
the realm in which the user first logs in is the one that governs the
idle timeout, as per the documentation (2).

In this scenario the user's journey does not start at the login page
Web Agent but at the application Web Agent. When the user requests the
application, the login process is triggered because the user has no
active session: the user is redirected to the login page (on the login
Web Agent) and the session cookie is generated there. Once the user has
successfully logged in, the user is returned to the application Web
Agent, which validates the session and then applies the idle timeout
value of its own realm, as described in the document above.
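The flow described above, as an added illustrative model written for this article (it is not SiteMinder code and does not reproduce the Policy Server's real session store): the realm the user first enters decides which idle timeout governs the session, and only a realm whose agent has EnforceRealmTimeouts set, together with an OnAuthAccept idle-timeout response, overrides it. Realm names, timeout values, the user name and the timestamps are constructed to mirror the 1 hour / 2 hour scenario.

```python
"""Illustrative model of which realm's idle timeout governs a SiteMinder
session (added for this article; not SiteMinder code). Realm names, timeout
values, user name and timestamps are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Realm:
    name: str
    idle_timeout: int                     # realm idle timeout, seconds
    enforce_realm_timeouts: bool = False  # the agent's EnforceRealmTimeouts parameter
    # Assumed: idle value carried by a WebAgent-OnAuthAccept-Session-Idle-Timeout
    # response tied to an OnAuthAccept rule; None when no such response exists.
    on_auth_accept_idle: Optional[int] = None


@dataclass
class Session:
    user: str
    first_realm: Realm   # realm the user first logged into: governs the timeouts
    last_activity: int   # epoch seconds of the last authenticated request


def login_flow(entry_realm: Realm, login_realm: Realm, user: str,
               now: int, trace: List[str]) -> Session:
    """Simulate an unauthenticated request arriving at entry_realm.

    The entry agent redirects to the login agent, which issues the cookie;
    the user is then sent back to the entry agent, which validates the
    session. Timeout governance therefore belongs to entry_realm, not to the
    realm that rendered the login page."""
    trace.append(f"{entry_realm.name}: no session cookie, redirect to {login_realm.name}")
    trace.append(f"{login_realm.name}: credentials accepted, session cookie issued")
    trace.append(f"{entry_realm.name}: cookie validated, session established")
    return Session(user=user, first_realm=entry_realm, last_activity=now)


def effective_idle_timeout(session: Session, realm: Realm) -> int:
    """Idle timeout the agent applies when a request with a valid session
    arrives at `realm`."""
    if realm.enforce_realm_timeouts and realm.on_auth_accept_idle is not None:
        # EnforceRealmTimeouts=Yes: this realm's OnAuthAccept response overrides
        return realm.on_auth_accept_idle
    # Default (EnforceRealmTimeouts=No): the first realm keeps governing
    return session.first_realm.idle_timeout


def idle_expired(session: Session, realm: Realm, now: int) -> bool:
    """True when the session has been idle longer than the effective timeout."""
    return now - session.last_activity > effective_idle_timeout(session, realm)


# Constructed realms mirroring the article's scenario
LOGIN = Realm("login-realm", idle_timeout=3600)            # 1 hour
APP = Realm("app-realm", idle_timeout=7200)                # 2 hours
# Same login realm, but with EnforceRealmTimeouts=Yes and an OnAuthAccept response
LOGIN_ENFORCED = Realm("login-realm", idle_timeout=3600,
                       enforce_realm_timeouts=True, on_auth_accept_idle=3600)


def scenario() -> dict:
    """Journey starting at the application agent, as in the article."""
    trace: List[str] = []
    t0 = 1_700_000_000
    sess = login_flow(APP, LOGIN, "alice", t0, trace)
    return {
        "governing_realm": sess.first_realm.name,
        "idle_applied_at_app": effective_idle_timeout(sess, APP),
        "idle_applied_at_login": effective_idle_timeout(sess, LOGIN),
        # 90 minutes idle: past the login realm's 1 hour, within the app's 2 hours
        "expired_after_90min": idle_expired(sess, APP, t0 + 90 * 60),
        # With EnforceRealmTimeouts on the login agent, its own 1 hour applies there
        "idle_applied_at_login_enforced": effective_idle_timeout(sess, LOGIN_ENFORCED),
        "trace": trace,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Running the module prints the redirect trace and shows that a session created while visiting the application realm is governed by the 2 hour value even though the cookie was minted on the 1 hour login realm; the same session visited through an agent with EnforceRealmTimeouts set and an OnAuthAccept response falls back to that realm's own value.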

Additional Information

(1)

    List of Agent Configuration Parameters

 | Parameter Name       | Default | Usage                            |
 |----------------------+---------+----------------------------------|
 | EnforceRealmTimeouts | No      | If set, the agent uses WebAgent- |
 |                      |         | OnAuthAccept-Session-Max-        |
 |                      |         | Timeout and WebAgent-            |
 |                      |         | OnAuthAccept-Session-Idle-       |
 |                      |         | Timeout tied to an OnAuthAccept  |
 |                      |         | rule to have the realm timeouts  |
 |                      |         | change by realm. See How to      |
 |                      |         | Enforce Timeouts across Multiple |
 |                      |         | Realms                           |

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html    

(2)

    Enforce Timeouts across Multiple Realms

      User session timeouts are governed by the realm that the user first
      logs into. If a user enters a new realm through CA Single Sign-On,
      the time-out values for the new realm are still governed by the
      session that was established by the initial login at the first
      realm. If you have different time-out values for different realms,
      and you want to have each realm use its own time-out values, you can
      override the time-outs of the original realm.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/session-protection/enforce-timeouts-across-multiple-realms.html