Federation session expiry control in Siteminder SAML partnership setup
Article ID: 41717


Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction

 

This article provides details on the user sessions created in the Session Store for Federated transactions.

Note: CA Directory is used as the Session Store.

SiteMinder is configured to behave as the Service Provider (SP). Upon consumption of the assertion, a session is created in the Session Store.

With Partnership Federation, which component controls the Idle and Maximum Timeout values of the session in the Session Store, and how can they be adjusted?

Environment

 

Policy Server all versions

 

Resolution

 

On the Service Provider (SP) side, with legacy Federation, the TARGET resource used to be protected by the SAML authentication scheme, which is tied to a Realm. A user session was created upon consumption of the Assertion, with its Idle and Maximum Timeout dictated by the "Idle Timeout" and "Maximum Timeout" of the Realm protecting the target resource.

With Partnership Federation, the target no longer needs to be protected.

The "Idle Timeout" and "Maximum Timeout" of the session are controlled from the Partnership itself, under the "Target Application" tab.

By default, the "Idle Timeout" is set to 1 hour and the "Maximum Timeout" to 2 hours.

Below are two test samples that illustrate this:

1. Test 1 (Default Settings) --> performed at 10:53 AM Eastern

   1) After consumption of the assertion, the objects are created in the Session Store (5:ExpType), where smExpirationTime was set to 20160406165333Z (Zulu time format). Converted to Eastern Time this is 12:53 PM, a 2 hour difference.

   2) For the Session object created for the same transaction, the following can be seen:

      smIdleExpirationTime 20160406155333Z --> 11:53 AM --> 1 hour difference
      smExpirationTime     20160406165333Z --> 12:53 PM --> 2 hours difference

In summary, the Idle Timeout is 1 hour and the Maximum Timeout is 2 hours.

These "Idle Timeout" and "Maximum Timeout" values are controlled from the Partnership itself.

To edit them, follow the steps below:

   1) Edit the SP partnership;
   2) Modify the partnership and go to the "Target Application" tab;
   3) Under the "Target Application" tab, locate the "Idle Timeout" and "Maximum Timeout", set by default to 1 and 2 hours respectively;
   4) Edit these values to the desired setting and save / activate the partnership.

2. Test 2 --> edited the partnership to set the Idle Timeout to 8 hours and the Maximum Timeout to 12 hours, cleaned the Session Store and generated a federation transaction.

   Test was performed at 11:28 AM.

   cn <encrypted_cn_value>
   objectClass top
   smExpiryVariable
   smExpirationTime 20160407032820Z --> 11:28 PM, which is 12 hours as expected from the Maximum Timeout
   smSearchData <IdP_Name>
   smVariableName <IdP_Name>:<encrypted_value>
   smVariableValue <encrypted_value>
   smVarType 5

   ------------------------------

   objectClass top
   smSession
   smExpirationTime 20160407032821Z --> 11:28 PM, which is 12 hours as expected from the Maximum Timeout
   smIdleExpirationTime 20160406232821Z --> 7:28 PM, which is 8 hours as expected from the Idle Timeout
   smLastAccessTime 20160406152821Z --> 11:28 AM --> the time at which the test was performed
   smMaxIdleTime 28800 (seconds, i.e. 8 hours)
   smSessionBlob <session_blob_value>
   smSessionStatus 0
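The check behind both tests can be automated: read an smSession entry from the Session Store, convert the Zulu timestamps, and confirm that the idle and maximum expiry are the partnership's configured values and that smIdleExpirationTime agrees with smMaxIdleTime. The following is an added example, not part of the article or of SiteMinder; the entry text is constructed from the Test 2 values above and the Eastern offset is assumed to be UTC-4 (daylight time, as on the article's April dates).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the Test 2 session object above: attribute
# names are SiteMinder's, values are the ones shown in the article.
SESSION_ENTRY = """\
objectClass top
objectClass smSession
smExpirationTime 20160407032821Z
smIdleExpirationTime 20160406232821Z
smLastAccessTime 20160406152821Z
smMaxIdleTime 28800
smSessionStatus 0
"""

# Assumption: the article's wall-clock times are Eastern Daylight Time (UTC-4),
# which is what applies on its April 2016 dates.
EASTERN = timezone(timedelta(hours=-4), "EDT")

def parse_entry(text):
    """Parse 'attribute value' lines; repeated attributes (objectClass) keep every value."""
    entry = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entry.setdefault(parts[0], []).append(parts[1])
    return entry

def parse_zulu(value):
    """LDAP GeneralizedTime 'YYYYMMDDhhmmssZ' (the Zulu format in the dump) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def session_timeouts(text):
    """Return (idle_hours, max_hours, consistent) for one smSession entry.
    Both timeouts are measured from smLastAccessTime; 'consistent' is True when the idle
    expiry equals smMaxIdleTime seconds, i.e. the partnership's Idle Timeout produced it."""
    e = parse_entry(text)
    last = parse_zulu(e["smLastAccessTime"][0])
    idle = parse_zulu(e["smIdleExpirationTime"][0]) - last
    maximum = parse_zulu(e["smExpirationTime"][0]) - last
    consistent = idle == timedelta(seconds=int(e["smMaxIdleTime"][0]))
    return idle.total_seconds() / 3600, maximum.total_seconds() / 3600, consistent

def to_eastern(value):
    """Render a Zulu timestamp as Eastern wall-clock time, as the article does."""
    return parse_zulu(value).astimezone(EASTERN).strftime("%I:%M %p")

if __name__ == "__main__":
    idle_h, max_h, ok = session_timeouts(SESSION_ENTRY)
    print(f"idle {idle_h:g} h, max {max_h:g} h, smMaxIdleTime consistent: {ok}")
    print("session expires at", to_eastern("20160407032821Z"), "Eastern")
```

A mismatch between the idle interval and smMaxIdleTime, or timeouts still at 1 and 2 hours after the partnership was edited, indicates the partnership was not re-activated or the session predates the change.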