
Will SiteMinder keep the "SMSESSION" cookie and the "OAUTH" tokens in sync when the user is on an OIDC-compliant app?


Article ID: 258115


Products

  • SITEMINDER
  • CA Single Sign On Federation (SiteMinder)
  • CA Single Sign On Agents (SiteMinder)
  • CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Will SiteMinder keep the "SMSESSION" cookie and the "OAUTH" tokens in sync when the user is on an OIDC-compliant app?

------ Use Case Flow:

The user logs into an OIDC-compliant app.
The user gets an SMSESSION cookie (expires in 20 mins), an access token (expires in 5 mins), and ID and refresh tokens (expire in 2 hrs).
While the user is navigating within the app, the user will get new access tokens with a sliding expiry time.
This expiry time will go up to 2 hours, as set in the refresh token.

------ Questions:

At t=10 min, when the app refreshes the access token, will the new SM session have a new expiry time of 20 mins from now, i.e. expiring at the 30th minute?
At t=50 min, when the SM cookie has expired, will SiteMinder continue to issue new access tokens? If the user now navigates to an SM agent-based application, will it fail and present the user with a login page? Is that expected behavior?
After t=2 hours, when the application requests a new token with the refresh token, will SiteMinder respond with a null token, or will SiteMinder redirect to a login page?

Environment

Policy Server: 12.8.05 (Applicable to all the supported releases)

Resolution

  • The SiteMinder session timeout and the OIDC token timeouts (refresh token, access token and ID token) work independently in SiteMinder.

  • Regardless of the SM session cookie timeout (idle timeout or max timeout), the access token can be renewed as long as the refresh token is valid.

  • When the SiteMinder cookie has expired but the refresh token is still valid, the user cannot access a SiteMinder-protected page.

  • The SiteMinder cookie is not updated when the app obtains a new access token via the refresh token (an API call).

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=dYfK20LEZLYVCQNoKfFD9Q==

  • When the refresh token has expired and the app requests an access token (API call), the request fails with an HTTP 400 error. It does not redirect to the SiteMinder login page automatically, because it is an API call, not an HTTP 302 redirect.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=pS73VM4pcn0pUVwzX173vQ==

  • When the SiteMinder session is valid and the refresh token has expired, the app can get a new ID token, refresh token and access token without re-authentication in SiteMinder.
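As an added illustration (not SiteMinder code, and not part of the original article), the following Python model encodes the two independent clocks described above and replays the use-case timeline to answer the three questions. The lifetimes are the ones from the use case; treating the 20-minute SMSESSION lifetime as an idle timeout that slides only on agent-protected page access is an assumption.

```python
SM_IDLE_TIMEOUT = 20 * 60   # SMSESSION lifetime from the use case, treated as an idle timeout (assumption)
REFRESH_TTL = 2 * 60 * 60   # refresh token lifetime from the use case

class Session:
    def __init__(self, now):
        # login: SMSESSION cookie and OAuth tokens are issued together
        self.sm_last_activity = self.refresh_issued = now

    def sm_valid(self, now):
        return now - self.sm_last_activity < SM_IDLE_TIMEOUT

    def refresh_valid(self, now):
        return now - self.refresh_issued < REFRESH_TTL

def refresh_access_token(s, now):
    """Token endpoint call with the refresh token; returns an HTTP status and never touches SMSESSION."""
    if not s.refresh_valid(now):
        return 400  # expired refresh token: error response, not a 302 to the login page
    return 200

def open_agent_protected_page(s, now):
    """Agent-protected resource: governed only by SMSESSION; a live refresh token does not help."""
    if not s.sm_valid(now):
        return "login page"
    s.sm_last_activity = now  # idle timeout slides on agent-protected access (assumption)
    return "page"

def authorize(s, now):
    """OIDC authorization request: a valid SMSESSION yields fresh tokens without re-authentication."""
    if not s.sm_valid(now):
        return "login page"
    s.refresh_issued = now
    return "tokens"

def run_use_case():
    """The three timeline questions from the article; times are seconds after login."""
    m, s, out = 60, Session(0), {}
    out["refresh_at_10"] = refresh_access_token(s, 10 * m)          # 200
    out["sm_valid_at_25"] = s.sm_valid(25 * m)                      # False: refresh did not extend SMSESSION
    out["refresh_at_50"] = refresh_access_token(s, 50 * m)          # 200: cookie gone, refresh token still valid
    out["agent_page_at_50"] = open_agent_protected_page(s, 50 * m)  # "login page"
    out["refresh_at_125"] = refresh_access_token(s, 125 * m)        # 400: refresh token expired
    return out

def run_active_sm_user():
    """User keeps opening agent-protected pages, so SMSESSION outlives the refresh token."""
    m, s = 60, Session(0)
    for t in range(15, 130, 15):
        open_agent_protected_page(s, t * m)
    return refresh_access_token(s, 125 * m), authorize(s, 125 * m)  # (400, "tokens")
```

The 400 in the first scenario is the client's cue to start a new authorization request itself; whether that lands on a login page or on fresh tokens depends only on the SMSESSION clock, as the second scenario shows.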