SessionNotOnOrAfter parameter Causing Timeout on SP

book

Article ID: 39475

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

- Siteminder behaving as IDP with SP as a third party 

- Assertion is getting generated by Siteminder with SessionNotOnOrAfter parameter included

- SP consuming the assertion containing the SessionNotOnOrAfter parameter which is causing the SP to terminate the session after 1.5 min (90 seconds)

How can SessionNotOnOrAfter be turned off or modified?

 

Cause



By default "Use Assertion Validity" is used.
This would result in "SSO Validity Duration" + "Skew Time" being the SP Session Duration.
In the above sample, "SSO Validity Duration" was 60 seconds and "Skew Time" was 30 seconds.
This would result in 90 seconds being the SP Session Duration. 
So if the SP is enforcing this as the session validity then the user session would terminate after 90 seconds.

Sample smtracedefault.log snippet.

[05/28/2020][01:29:02][5440][2544f6ad-da7bdd17-c40e4869-9f0de9c9-5ad579a6-1d8][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SessionNotOnOrAfter type is: 0]
[05/28/2020][01:29:02][5440][2544f6ad-da7bdd17-c40e4869-9f0de9c9-5ad579a6-1d8][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Value of SessionNotOnOrAfter :90]

        <ns2:AuthnStatement AuthnInstant="2020-05-28T01:29:01Z" SessionIndex="85YTHmDiFkiGy62OOIMC8mnpUv0=2c3uOA==" SessionNotOnOrAfter="2020-05-28T01:30:32Z">
            <ns2:AuthnContext>
                <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
            </ns2:AuthnContext>
        </ns2:AuthnStatement>



If IDP Session Timeout is set, then this can introduce inconsistent session validity at the SP depending on which realm the user was authenticated at the IDP.
If user did not have an existing session so the browser was redirected to /siteminderagent/redirectjsp/redirect.jsp Realm for authentication then this realm's Max Timeout would be used for the SessionNotOnOrAfter.
For example, if this realm had 2 hours Max Timeout then SessionNotOnOrAfter would be 2 hours in seconds.
But if the user had an existing session at the IDP from another realm where the Max Timeout was 8 hours then SessionNotOnOrAfter would have 8 hours (plus Skew Time) in seconds.

[05/28/2020][01:49:05][3028][1841152c-c65b9f5c-c04bc670-7b0adbae-f3b919bd-2e9][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SessionNotOnOrAfter type is: 2]
[05/28/2020][01:49:05][3028][1841152c-c65b9f5c-c04bc670-7b0adbae-f3b919bd-2e9][AuthnRequestProtocol.java][getMaxTimeout][][][][][][][][Use Force Authn Session Timeouts is: false]
[05/28/2020][01:49:05][3028][1841152c-c65b9f5c-c04bc670-7b0adbae-f3b919bd-2e9][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Value of SessionNotOnOrAfter :7230]

        <ns2:AuthnStatement AuthnInstant="2020-05-28T01:48:59Z" SessionIndex="AIEh+jQ2NKNewUTBKCB+J97Lu4E=NIePyw==" SessionNotOnOrAfter="2020-05-28T03:49:33Z">
            <ns2:AuthnContext>
                <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
            </ns2:AuthnContext>
        </ns2:AuthnStatement>


If Custom is set, SiteMinder will simply add that as the SessionNotOnOrAfter value (plus Skew Time) in seconds.

[05/28/2020][01:59:46][2340][3e77e681-551e4ddb-99426fad-f52bbf05-80e47b8c-27][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][SessionNotOnOrAfter type is: 3]
[05/28/2020][01:59:46][2340][3e77e681-551e4ddb-99426fad-f52bbf05-80e47b8c-27][AuthnRequestProtocol.java][generateAuthnStatement][][][][][][][][Value of SessionNotOnOrAfter :36030]

        <ns2:AuthnStatement AuthnInstant="2020-05-28T01:59:46Z" SessionIndex="jwaWVZES/iYP2QfHR+XX8vntJho=bd9jdw==" SessionNotOnOrAfter="2020-05-28T12:00:16Z">
            <ns2:AuthnContext>
                <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
            </ns2:AuthnContext>
        </ns2:AuthnStatement>

Environment

Release: Policy server version -->12.5 CR02 and later (including R12.8SP3)
Component: SMFED

Resolution

When the Policy Server IdP sends an assertion, by default it includes the SessionNotOnOrAfter parameter in the Authentication statement of the assertion. A third-party SP can use the value of the SessionNotOnOrAfter to set its own timeout values. The timeout values determine when a user session becomes invalid, which sends the user to reauthenticate at the IdP.

The SessionNotOnOrAfter parameter is NOT to be confused with the NotOnOrAfter parameter used to determine assertion validity and skew time.

To customize the SessionNotOnOrAfter parameter

  1.  Log on to the UI.
  2. Select the Service Provider entry that you want to modify.
  3. Navigate to the Advanced tab.
  4. Select the Customize Validity duration in the Advanced SSO Configuration section of the dialog.The Customize Validity duration dialog displays.
  5. Select a value for the SP Session Validity Duration. The value that you enter is the value of the SessionNotOnOrAfter parameter in the assertion.

   The options are:

  • Use Assertion Validity --> Calculates the SessionNotOnOrAfter value that is based on the assertion validity duration.
  • Omit --> Instructs the IdP not to include the SessionNotOnOrAfter parameter in the assertion. (Turn off)
  • IDP Session --> Calculates the SessionNotOnOrAfter value that is based on the IdP session timeout. The timeout is configured in the IdP realm for the authentication URL. Using this option can synchronize the IdP and SP session timeout values.
  • Custom --> Lets you specify a custom value for the SessionNotOnOrAfter parameter in the assertion. If you select this option, enter a time in the Customize Assertion Session Duration field

     6. Click OK to save the changes.



Attachments