
Correctly Configuring Realm Timeouts for SMSESSION on WebAgent


Article ID: 51079



Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER, CA Single Sign On Agents (SiteMinder)



By default, user session timeouts are governed by the realm that the
user first logs into. If a user enters a new realm through single
sign-on, the idle and maximum timeouts for the new realm are still
governed by the session that was established by the initial login at
the first realm, not by the new realm's own settings.







Enforce Realm Timeouts

For enforcing realm timeouts at the realm level, the following three
steps need to be taken:

1. Set the EnforceRealmTimeouts agent configuration object (ACO)
   parameter to yes for the agent that is protecting that particular

2. Set the Idle Timeout for that particular realm at the realm
   level. This is done in the realm properties for that realm by
   enabling Idle Timeout and setting the numerical value. This value
   is set in hours and minutes.

3. Create a WebAgent-OnAuthAccept-Session-Idle-Timeout response and set
   its value, in seconds, to the desired idle session timeout for that
   realm. Tie this response to an OnAuthAccept rule under that realm,
   and include the OnAuthAccept rule and the
   WebAgent-OnAuthAccept-Session-Idle-Timeout response in a policy
   governing that domain. Note that the response value is in seconds
   while the realm property is in hours and minutes, so check that the
   two values agree.

In the example below, the idle timeout has been set to 120 seconds for
the realm /dummy/.

When a user successfully logs into the dummy realm, the smaccess.log
entries for the AuthAccept and ValidateAccept events show the idle
session timeout applied to this realm (idletime=120; maxtime=0 means
no maximum session timeout is set):

  AuthAccept www2 [08/May/2009:13:56:40 -0500] " uid=testuser,ou=People," 
  " GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
  ValidateAccept www2 [08/May/2009:13:56:40 -0500] " uid=testuser,ou=People," 
  " GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
  AzAccept www2 [08/May/2009:13:56:40 -0500] " uid=testuser,ou=People," 
  " GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]
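As an added check (example code written for this article, not part of the CA product or its documentation), the following Python script parses smaccess.log lines in the layout shown above and compares the idletime the Policy Server granted against the idle timeout each realm is supposed to enforce. The regular expression, the helper names, the realm prefix list and the two lines for a second realm /reports/ are assumptions constructed for the example; the three /dummy/ lines are copied from the log excerpt above. The constructed /reports/ lines illustrate the case described at the top of this article: a session that carries the first realm's 120 second idle timeout into a realm whose own idle timeout (600 seconds here) is not being enforced.

```python
import re
from datetime import datetime, timedelta

# Layout of the smaccess.log lines shown in the article (assumed field order):
#   <event> <agent> [<timestamp>] "<user DN>" "<METHOD><resource>" [<attrs or session id>] [<status>]
LINE_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<agent>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"\s*(?P<user>[^"]*?)\s*"\s+'
    r'"\s*(?P<method>[A-Z]+)\s*(?P<resource>[^"\s]+)\s*"\s+'
    r'\[(?P<tail>[^\]]*)\]\s+\[(?P<status>\d+)\]'
)


def parse_attrs(text):
    """Turn 'idletime=120;maxtime=0;authlevel=5;' into {'idletime': 120, ...}."""
    attrs = {}
    for part in text.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            value = value.strip()
            attrs[key.strip()] = int(value) if value.isdigit() else value
    return attrs


def parse_line(line):
    """Parse one smaccess.log line; returns a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['user'] = rec['user'].rstrip(',')
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    tail = rec.pop('tail')
    # AuthAccept/ValidateAccept carry timeout attributes; AzAccept carries the session id.
    if '=' in tail:
        rec['attrs'], rec['session_id'] = parse_attrs(tail), None
    else:
        rec['attrs'], rec['session_id'] = {}, tail
    return rec


def idle_expiry(rec):
    """When the session idles out if no further request arrives (None if idletime is 0 or absent)."""
    idle = rec['attrs'].get('idletime', 0)
    return rec['ts'] + timedelta(seconds=idle) if idle else None


def realm_for(resource, realms):
    """Longest-prefix match of a resource path against realm resource filters such as '/dummy/'."""
    matches = [r for r in realms if resource.startswith(r)]
    return max(matches, key=len) if matches else None


def check_idle_timeouts(lines, expected):
    """Compare the idletime the Policy Server granted with what each realm should enforce.

    expected maps a realm prefix to its idle timeout in seconds. Returns one dict per mismatch.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['event'] not in ('AuthAccept', 'ValidateAccept'):
            continue
        realm = realm_for(rec['resource'], expected)
        if realm is None:
            continue
        observed = rec['attrs'].get('idletime')
        if observed != expected[realm]:
            findings.append({'event': rec['event'], 'user': rec['user'], 'realm': realm,
                             'resource': rec['resource'], 'observed': observed,
                             'expected': expected[realm]})
    return findings


# Sample input: the three lines from the article for /dummy/, plus two constructed lines
# for a second realm /reports/ (600 s expected) that the same session entered via SSO.
SAMPLE_LOG = [
    'AuthAccept www2 [08/May/2009:13:56:40 -0500] " uid=testuser,ou=People," " GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]',
    'ValidateAccept www2 [08/May/2009:13:56:40 -0500] " uid=testuser,ou=People," " GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]',
    'AzAccept www2 [08/May/2009:13:56:40 -0500] " uid=testuser,ou=People," " GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]',
    # constructed: the carried-over 120 s idle timeout, i.e. the realm's own 600 s is not enforced
    'ValidateAccept www2 [08/May/2009:13:57:10 -0500] " uid=testuser,ou=People," " GET/reports/index.html" [idletime=120;maxtime=0;authlevel=5;] [0]',
    'AzAccept www2 [08/May/2009:13:57:10 -0500] " uid=testuser,ou=People," " GET/reports/index.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]',
]

# Assumed per-realm idle timeouts to verify against.
EXPECTED_IDLE = {'/dummy/': 120, '/reports/': 600}

if __name__ == '__main__':
    for f in check_idle_timeouts(SAMPLE_LOG, EXPECTED_IDLE):
        print(f"{f['event']} {f['user']} {f['resource']}: idletime={f['observed']} "
              f"but realm {f['realm']} expects {f['expected']}")
```

Run it against a real smaccess.log by replacing SAMPLE_LOG with the file's lines and EXPECTED_IDLE with the idle timeouts configured on each realm; any finding means either the response value or the EnforceRealmTimeouts setting for that realm's agent is not taking effect.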

After 120 seconds of inactivity, when the user tries to access the
same resource again in the same browser window, the Web Agent trace
logs a timeout message and the user is redirected to the authentication
scheme's login page:

  [SMSESSION cookie has expired and will not be used to authenticate.]           
  [Redirecting for credentials '

In the HTTP traffic for this transaction, after the user is timed out
the agent sets the SMSESSION cookie to LOGGEDOFF and redirects the
browser to the login form; the redirected request is captured below:

  GET /siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&TARGET=-SM-http%3a%2f%2fmyloginserver%2emydomain%2ecom%2fdummy%2fhello%2ehtml HTTP/1.1
  Accept: */*       
  Accept-Language: en-us       
  UA-CPU: x86       
  Accept-Encoding: gzip, deflate       
  If-Modified-Since: Fri, 24 Apr 2009 16:57:33 GMT       
  If-None-Match: "3441c6c2fdc4c91:8ad"
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 
  Connection: Keep-Alive       

Thus, the EnforceRealmTimeouts setting was correctly enforced at the realm