Extend IdleTimeout and MaxTimeout when Identity Mapping is in use.

Article ID: 422466


Updated On:

Products

SITEMINDER

Issue/Introduction

A user is authenticated to a realm with the timeout settings idletime=3600;maxtime=7200 (seconds).

The same user then navigates to another realm with different timeout settings, idletime=7200;maxtime=14400. The log shows that the IdleTimeout and/or MaxTimeout are not extended to the values of the realm currently being accessed.

An attempt was made to change the timeouts with an OnAuthAccept response, for example:

Create a change-timeout response that uses the "WebAgent-OnAuthAccept-Session-Idle-Timeout" and/or "WebAgent-OnAuthAccept-Session-Max-Timeout" response attributes, and associate that response with the OnAuthAccept rule of that realm in the policy settings.

This works when no Identity Mapping is configured, but it does not work when Identity Mapping is in use.

Environment

SiteMinder Policy Server 12.8 SP8 on RHEL 7.

Resolution

Engineering identified the problem.

When a realm has Identity Mapping configured, an Auth-Validate mapping must also be configured on that same realm.

For example, the environment has two user directories: "AuthDir - ID Mapping" for authentication and "AuthorizationDir - ID Mapping" for authorization.

An "ID Mapping" of type Auth-Az is configured between these two directories (the screenshots from the original article are not reproduced here), and the mapping is associated with the realm.

The OnAuthAccept rule and the change-timeout response are configured as described above.

Engineering's analysis: the OnAuthAccept rule and its response did not trigger because the policy compares the authentication directory's OID with the authorization directory's OID and takes action, which is what triggers the OnAuthAccept rule and response, only when the two OIDs match.

With an Auth-Az ID Mapping in place, the authentication directory's OID and the authorization directory's OID do not match, so the response never fires.

Engineering instructed the following additional configuration: create a Validation Identity Mapping (Auth-Validate) as well and associate it with the same realm.

Add the "Auth-Validate_id_mapping" to the same realm configuration.

This makes the authentication directory's OID and the authorization directory's OID match, so the OnAuthAccept rule and response trigger and the session timeout (MaxTimeout in this case) is updated. Confirm the fix by repeating the cross-realm navigation and checking that the log now shows the extended timeouts.
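The rule in the resolution above (a realm that relies on an OnAuthAccept timeout response and has an Auth-Az identity mapping also needs an Auth-Validate mapping) is easy to lose track of across many realms. The following Python check is an added example, not code from the article or from Broadcom; it applies that rule, plus two general sanity checks on the override values that are not from the article, to a constructed inventory of realms. The Realm class, its field names, the realm names and the mapping-type labels are assumptions made for this example; the two response attribute names are the ones the article uses.

```python
from dataclasses import dataclass, field

# Response attribute names the SiteMinder Web Agent honours in an OnAuthAccept
# response to override the session's idle and max timeouts (named in the article).
IDLE_ATTR = "WebAgent-OnAuthAccept-Session-Idle-Timeout"
MAX_ATTR = "WebAgent-OnAuthAccept-Session-Max-Timeout"
TIMEOUT_ATTRS = (IDLE_ATTR, MAX_ATTR)

# Mapping-type labels used by this example (the article calls them Auth-Az and Auth-Validate).
AUTH_AZ = "Auth-Az"
AUTH_VALIDATE = "Auth-Validate"


@dataclass
class Realm:
    """Constructed, simplified view of the settings of one realm (hypothetical structure)."""
    name: str
    idle_timeout: int                      # realm idle timeout, seconds
    max_timeout: int                       # realm max timeout, seconds
    identity_mappings: set = field(default_factory=set)        # mapping types on the realm
    on_auth_accept_attrs: dict = field(default_factory=dict)   # response attribute -> seconds


def check_realm(realm: Realm) -> list:
    """Return a list of finding strings for one realm; empty means nothing to report."""
    findings = []
    timeout_attrs = {a: v for a, v in realm.on_auth_accept_attrs.items() if a in TIMEOUT_ATTRS}
    if not timeout_attrs:
        return findings      # no timeout override on this realm, so the rule does not apply

    # The article's rule: an Auth-Az identity mapping without an Auth-Validate mapping
    # leaves the authentication and authorization directory OIDs mismatched, so the
    # OnAuthAccept response never triggers and the timeouts are never extended.
    if AUTH_AZ in realm.identity_mappings and AUTH_VALIDATE not in realm.identity_mappings:
        findings.append(
            f"{realm.name}: {AUTH_AZ} identity mapping without an {AUTH_VALIDATE} "
            "mapping; the OnAuthAccept timeout response will not trigger"
        )

    # General sanity checks on the override values (added here; not from the article).
    for attr, value in timeout_attrs.items():
        if not isinstance(value, int) or value <= 0:
            findings.append(f"{realm.name}: {attr} must be a positive number of seconds, got {value!r}")
    idle, mx = timeout_attrs.get(IDLE_ATTR), timeout_attrs.get(MAX_ATTR)
    if isinstance(idle, int) and isinstance(mx, int) and idle > mx:
        findings.append(f"{realm.name}: idle timeout {idle} is larger than max timeout {mx}")
    return findings


def audit(realms) -> dict:
    """Map realm name -> findings, omitting realms with nothing to report."""
    return {r.name: f for r in realms if (f := check_realm(r))}


# Constructed inventory mirroring the article's scenario (realm names are hypothetical).
REALMS = [
    Realm("FirstRealm", idle_timeout=3600, max_timeout=7200),
    # The failing configuration: Auth-Az mapping plus a timeout response, no validation mapping.
    Realm("SecondRealm", 7200, 14400, {AUTH_AZ}, {IDLE_ATTR: 7200, MAX_ATTR: 14400}),
    # The same realm after the fix from the article has been applied.
    Realm("SecondRealm-fixed", 7200, 14400, {AUTH_AZ, AUTH_VALIDATE}, {IDLE_ATTR: 7200, MAX_ATTR: 14400}),
    # An override whose idle timeout exceeds its max timeout, caught by the sanity checks.
    Realm("BadValues", 7200, 14400, {AUTH_AZ, AUTH_VALIDATE}, {IDLE_ATTR: 20000, MAX_ATTR: 14400}),
]

if __name__ == "__main__":
    for name, findings in audit(REALMS).items():
        for finding in findings:
            print(finding)
```

Run as-is it reports only SecondRealm (missing Auth-Validate mapping) and BadValues; to use it against a real deployment, populate REALMS from your own inventory of realms, their identity mappings and their OnAuthAccept response attributes.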