
Federation session expiry control in Siteminder SAML partnership setup


Article ID: 41717


Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign On Federation (SiteMinder) SITEMINDER

Issue/Introduction


This article provides details on the user sessions created in the
Session Store for federated transactions.

Note : CA Directory is used as the Session Store.

SiteMinder is set up to behave as the Service Provider (SP). Upon
consumption of the assertion, the session is created in the
Session Store.

With a Partnership Federation, which component controls the Idle and
Max timeout session values in the Session Store, and how can they be
adjusted?

Environment


Policy Server all versions


Resolution


On the Service Provider (SP) side, for legacy Federation, the TARGET
resource used to be protected by the SAML authentication scheme, which
is tied to a Realm, and a user session is created upon consumption
of the assertion with the session Idle and Max timeout dictated by the
"Maximum Timeout" and "Idle Timeout" of the Realm protecting the target
resource.

For the Partnership Federation, the Target does not need to be
protected.

The "Idle Timeout" and "Maximum Timeout" of the session are controlled
from the Partnership itself under the "Target Application" Tab.

By default, the "Idle Timeout" is set to 1 hour while the "Maximum
Timeout" is set to 2 hours.

Below are 2 test samples to illustrate the process:

1. Test 1 (Default Settings) --> performed at 10:53 AM Eastern

   1) After consumption of the assertion, the objects are created in
      the Session Store (5:ExpType) where the smExpirationTime was set
      to 20160406165333Z (Zulu time format). Converted to
      Eastern Time, this is 12:53 PM, a 2 hour difference.

   2) For the Session object created for the same transaction, the
      following can be seen:

      smIdleExpirationTime 20160406155333Z --> 11:53 AM --> 1 hour difference
      smExpirationTime 20160406165333Z --> 12:53 PM --> 2 hours difference

In summary, the Idle Timeout is 1 hour and the Maximum Timeout is 2
hours.

The "Idle Timeout" and "Maximum Timeout" below are controlled from the
Partnership itself.

To edit the above, follow the steps below:

  1) Edit the SP partnership;
  2) Modify the partnership and go to the "Target Application" tab;
  3) Under the "Target Application" tab, locate the "Idle Timeout" and
     "Maximum Timeout", which are set by default to 1 and 2 hours
     respectively;
  4) Edit these values to the desired setting and save / activate the
     partnership.

2. Test 2 --> Edited the partnership and set the Idle Timeout to 8 hours
   and the Maximum Timeout to 12 hours, cleaned the Session Store and
   generated a FED transaction.

   Test was performed at 11:28 AM

   cn PZYX0m0buc5iKpNcKErVoM6kc452eHkW6yjB5PbyLyc=

   objectClass top
   smExpiryVariable
   smExpirationTime 20160407032820Z --> 11:28 PM, which is 12 hours as expected from the Maximum Timeout
   smSearchData Robm:IDP_ID
   smVariableName Robm:IDP_ID:lmdDrI/OsS6UEEmgk/3eCLwxtgI=bmR8og==
   smVariableValue 0VRl3BMX7EgB3PVRLm0DKqvoI/w=

   smVarType 5

   ------------------------------

   objectClass top
   smSession
   smExpirationTime 20160407032821Z --> 11:28 PM, which is 12 hours as expected from the Maximum Timeout
   smIdleExpirationTime 20160406232821Z --> 7:28 PM, which is 8 hours as expected from the Idle Timeout
   smLastAccessTime 20160406152821Z --> 11:28 AM --> this is the time when the test was performed
   smMaxIdleTime 28800
   smSessionBlob TTdtzERAXuQaopPt58+FljbwFcGoeZ8VPtJm2AvRx+SeBRjm0ehCKprJnwaHCoeidu70ygshbS35zNvTfjfIku2U9iKb/5rfsw6NNHvBrI+JVyzPYr2JkY+MN86Kd/VnzMLIWMKcipgFCxy2o/qnIlosqgA3H9MxzCiRI6kAgJHzaEjoDgyStAEHhVGKDXec8Nhb8WMtNFKIjNL3rWQPH3GWcM+VlG3B48BmkOvKFUFX8iEiMnaKxZWvR/6XfwwKyLpubA2BvPCZ4gqddgD3HDZYM3BuA7gIcr/Ts9I/Q0saOzNOdkX0FKkXytPcO12d5rXlEgikqfj8Aphk1jdzWnN5OisHIKoLaxqstki5jES8p2zBiaNa2IJFIv6az88t
   smSessionId 0VRl3BMX7EgB3PVRLm0DKqvoI/w=
   smSessionStatus 0