Agent for SharePoint doesn't seem to handle Session Assurance ticket

book

Article ID: 4618

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

When I run Agent for SharePoint, the Session Assurance
feature doesn't work:

I replay a session by copying the SMSESSION cookie from
Chrome to Firefox Browser, I get authenticated without having
to login again in SharePoint applications.
 

Cause

Device DNA Session Assurance is implemented in
SPS only at the moment.

As mentionned in the documentation :

The application that drives the DeviceDNA checks is hosted
on by the CA Access Gateway. This proxy server can perform
the standard functions, such as web proxy or SAML federation
functions or it can be a separate stand-alone instance that
is dedicated to servicing the Enhanced Session Assurance
transactions. The CA Access Gateway performance is also
dependent on a number of parameters such as, but not limited
to, authentication and authorization transactions per second,
the ratio of authentications to authorizations within the
environment, the length of user sessions, and the frequency
of revalidations.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna

The Agent for SharePoint handles more complex flow involving federation
and POST requests, and with SPS standalone, the integration of Session Assurance
with Agent for SharePoint goes out of support.

Environment

Policy Server 12.52SP2Agent for SharePoint 12.52SP1CR04SPS 12.52SP1CR05

Resolution

To get Session Assurance integrated in Agent for SharePoint, please open an
Idea on the Security page :

https://communities.ca.com/message/241729406

More, to help you increase session security, you might take a look at the SessionLinker
feature in the Agent for SharePoint :

https://docops.ca.com/ca-single-sign-on-agent-for-sharepoint/12-52-sp1/en/configuring/use-the-session-linker