Correctly Configuring Realm Timeouts for SMSESSION on WebAgent
Article ID: 51079

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

 

User session timeouts are governed by the realm that the user first logs into. If a user enters a new realm through a single sign-on, the timeout values for the new realm are still governed by the session established by the initial login at the first realm. 

 

Environment

 

 

Resolution

 

Enforce Realm Timeouts

To enforce timeouts at the realm level, the following three steps need to be taken:

===================================================================

1. Set the EnforceRealmTimeouts agent configuration object (ACO) parameter to yes for the agent that is protecting that particular realm.

2. Set the IdleSessionTimeout for that particular realm at the realm level. This is done in the realm properties for that realm by enabling Idle Timeout and setting the numerical value. This value can be set in hours and minutes.

3. Create a WebAgent-OnAuthAcceptSession-Idle-Timeout response and set its value, in seconds, to the desired idle session timeout for that realm. Tie this response to an OnAuthAccept rule under that realm, and include both the OnAuthAccept rule and the WebAgent-OnAuthAcceptSession-Idle-Timeout response in a policy governing that domain.

In the example below the idle session timeout has been set to 120 seconds for realm /dummy/.

When a user successfully logs into the dummy realm, the smaccess.log shows the idle session timeout for this realm:

smaccess log entries show the idle timeout set to 120
----------------------------------------------------

  AuthAccept www2 [08/May/2009:13:56:40 -0500] "10.0.0.1 uid=testuser,ou=People, o=mydomain.com" 
  "myserver.example.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
  
  ValidateAccept www2 [08/May/2009:13:56:40 -0500] "10.0.0.1 uid=testuser,ou=People, o=mydomain.com" 
  "myserver.example.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
  
  AzAccept www2 [08/May/2009:13:56:40 -0500] "10.0.0.1 uid=testuser,ou=People, o=mydomain.com" 
  "myserver.example.com GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]

After 120 seconds, when the user tries to access the same resource again in the same browser window, a timeout message is written to the Web Agent trace and the user is redirected to the authentication scheme's login page:

  [05/08/2009][13:59:11][500][3136][8157a8c0-01f4-4a0472ef-0c40-00cb1dff][CSmHttpPlugin::ProcessSessionCookie]
  [SMSESSION cookie has expired and will not be used to authenticate.]           
      
  [...]
  
  [05/08/2009][13:59:11][500][3136][8157a8c0-01f4-4a0472ef-0c40-00cb1dff][HandleCredCollectorChallenge]
  [Redirecting for credentials 'http://myloginserver.example.com:8181/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-7HjqXMxdZMsmzmQMvT4yRw7ijviUPAE4TDXi3cSIF4B%2byOLAdO1ByRj6FqLANmAQ&TARGET=-SM-http%3a%2f%2fmyloginserver%2example%2ecom%2fdummy%2fhello%2ehtml'.]
  

In the corresponding HTTP headers for this transaction, after the user has been timed out, the SMSESSION cookie is set to LOGGEDOFF:

  GET /siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-7HjqXMxdZMsmzmQM........&TARGET=-SM-http%3a%2f%2fmyloginserver%2eexample%2ecom%2fdummy%2fhello%2ehtml HTTP/1.1         

  Accept: */*       
  Referer: http://myloginserver.example.com:8181/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-7HjqXMxdZMsmzm........mAQ&TARGET=-SM-http%3a%2f%2fmyloginserver%2eexample%2ecom%2fdummy%2fhello%2ehtml         
  Accept-Language: en-us       
  UA-CPU: x86       
  Accept-Encoding: gzip, deflate       
  If-Modified-Since: Fri, 24 Apr 1776 16:57:33 GMT       
  If-None-Match: "3441c******4c91:8ad"
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 
  Cookie: SMSESSION=LOGGEDOFF 
  Connection: Keep-Alive       
  Host: myloginserver.mydomain.com:8181

With EnforceRealmTimeouts configured, if the browser then goes to another realm, the timeout and idle timeout of that other realm are respected, and the session remains valid as long as the timeout and idle timeout of the other realm are greater than those of the previous one.
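As an added verification step (example code written for this article, not part of the CA product or the original article), the following script parses smaccess.log entries in the format shown above and flags any AuthAccept or ValidateAccept entry whose idletime value disagrees with the idle timeout expected for that realm, which is a quick way to confirm that the three steps above took effect for every realm. The log lines and the per-realm expected values are constructed for the example.

```python
import re

# Constructed sample smaccess.log lines in the format shown in this article (not a real capture).
SAMPLE_SMACCESS_LOG = """\
AuthAccept www2 [08/May/2009:13:56:40 -0500] "10.0.0.1 uid=testuser,ou=People, o=mydomain.com" "myserver.example.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
ValidateAccept www2 [08/May/2009:13:56:40 -0500] "10.0.0.1 uid=testuser,ou=People, o=mydomain.com" "myserver.example.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
AuthAccept www2 [08/May/2009:14:02:10 -0500] "10.0.0.1 uid=testuser,ou=People, o=mydomain.com" "myserver.example.com GET/payroll/index.html" [idletime=3600;maxtime=0;authlevel=5;] [0]
AzAccept www2 [08/May/2009:13:56:40 -0500] "10.0.0.1 uid=testuser,ou=People, o=mydomain.com" "myserver.example.com GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]
"""

# Expected idle timeout per realm, in seconds (hypothetical values chosen for this example).
EXPECTED_IDLE_SECONDS = {"/dummy/": 120, "/payroll/": 900}

# One smaccess.log entry: event, agent, [timestamp], "client", "server METHOD/resource", [attrs], [status]
LINE_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<agent>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<client>[^"]*)"\s+"(?P<server>\S+)\s+(?P<method>[A-Z]+)(?P<resource>[^"\s]*)"\s+'
    r'\[(?P<attrs>[^\]]*)\]\s+\[(?P<status>\d+)\]$'
)

def parse_line(line):
    """Parse one smaccess.log line into a dict; the attrs field becomes a key/value dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    attrs = {}
    for kv in rec["attrs"].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            attrs[k] = v
    rec["attrs"] = attrs   # AzAccept lines carry a session id here, so attrs stays empty
    return rec

def realm_of(resource, realms):
    """Map a resource path to the longest realm prefix that matches it, or None."""
    matches = [r for r in realms if resource.startswith(r)]
    return max(matches, key=len) if matches else None

def check_idle_timeouts(log_text, expected):
    """Return (resource, realm, observed, expected) for every entry whose idletime is wrong."""
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["event"] not in ("AuthAccept", "ValidateAccept"):
            continue
        if "idletime" not in rec["attrs"]:
            continue
        observed = int(rec["attrs"]["idletime"])
        realm = realm_of(rec["resource"], expected)
        if realm is not None and observed != expected[realm]:
            mismatches.append((rec["resource"], realm, observed, expected[realm]))
    return mismatches
```

Running check_idle_timeouts(SAMPLE_SMACCESS_LOG, EXPECTED_IDLE_SECONDS) on the constructed sample reports only the /payroll/ entry, whose logged idletime of 3600 does not match the expected 900.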

 

Additional Information