
Correctly Configuring Realm Timeouts for SMSESSION on WebAgent

Article ID: 51079

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

By default, a user's session timeouts are governed by the realm in which
the user first authenticated. When the user enters another realm through
single sign-on, that realm's own timeout values are not applied: the
session keeps the timeouts that were established by the initial login
at the first realm. This article describes how to make the Web Agent
enforce the timeouts of the realm actually being accessed.

Environment

Resolution

Enforce Realm Timeouts

To have the Web Agent enforce a realm's timeouts at the realm level, the
following three steps need to be taken:

1. Set the EnforceRealmTimeouts agent configuration object (ACO)
   parameter to yes for the agent that is protecting that particular
   realm.

2. Set the Idle Timeout for that particular realm at the realm level.
   This is done in the realm properties for that realm: enable Idle
   Timeout and set the numerical value. This value is entered in hours
   and minutes.

3. Create a WebAgent-OnAuthAccept-Session-Idle-Timeout response and set
   its value, in seconds, to the desired idle session timeout for that
   realm. Tie this response to an OnAuthAccept rule under that realm and
   include both the OnAuthAccept rule and the
   WebAgent-OnAuthAccept-Session-Idle-Timeout response in a policy
   governing that domain.

Note that the realm property in step 2 is entered in hours and minutes
while the response value in step 3 is entered in seconds; the two must
describe the same interval (for example, 0 hours 2 minutes on the realm
and 120 seconds in the response), otherwise the agent and the Policy
Server disagree about when the session goes idle.

In the example below the idle session timeout has been set to 120
seconds for the realm /dummy/.

When a user successfully logs into the /dummy/ realm, the smaccess.log
shows entries carrying the idle session timeout for this realm
(idletime=120):

smaccess log entries show the idletimeout set to 120
----------------------------------------------------

  AuthAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=mydomain.com" 
  "myserver.mydomain.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
  
  ValidateAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=mydomain.com" 
  "myserver.mydomain.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
  
  AzAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=mydomain.com" 
  "myserver.mydomain.com GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]

After 120 seconds of inactivity, when the user requests the same
resource again in the same browser window, the Web Agent trace log
records that the session cookie has expired and the user is redirected
to the login page of the realm's authentication scheme:

  [05/08/2009][13:59:11][500][3136][8157a8c0-01f4-4a0472ef-0c40-00cb1dff][CSmHttpPlugin::ProcessSessionCookie]
  [SMSESSION cookie has expired and will not be used to authenticate.]           
      
  [...]
  
  [05/08/2009][13:59:11][500][3136][8157a8c0-01f4-4a0472ef-0c40-00cb1dff][HandleCredCollectorChallenge]
  [Redirecting for credentials 'http://myloginserver.mydomain.com:8181/siteminderagent/forms
  /login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&SMAUTHREASON=0&METHOD=
  GET&SMAGENTNAME=-SM-7HjqXMxdZMsmzmQMvT4yRw7ijviUPAE4TDXi3cSIF4B%2byOLAdO1ByRj6FqLANmAQ&TARGET=
  -SM-http%3a%2f%2fmyloginserver%2emydomain%2ecom%2fdummy%2fhello%2ehtml'.]  

In the HTTP request the browser sends to the login page after the user
has been timed out, the SMSESSION cookie has been set to LOGGEDOFF:

  GET /siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=
  &SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-7HjqXMxdZMsmzmQMvT4yRw7ijviUPAE4TDXi3cSIF4B%2byOLAdO1ByRj6FqLANmAQ&
  TARGET=-SM-http%3a%2f%2fmyloginserver%2emydomain%2ecom%2fdummy%2fhello%2ehtml HTTP/1.1         
  Accept: */*       
  Referer: http://myloginserver.mydomain.com:8181/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=
  06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=
  -SM-7HjqXMxdZMsmzmQMvT4yRw7ijviUPAE4TDXi3cSIF4B%2byOLAdO1ByRj6FqLANmAQ&TARGET=-SM-http%3a%2f%2fmyloginserver
  %2emydomain%2ecom%2fdummy%2fhello%2ehtml         
  Accept-Language: en-us       
  UA-CPU: x86       
  Accept-Encoding: gzip, deflate       
  If-Modified-Since: Fri, 24 Apr 2009 16:57:33 GMT       
  If-None-Match: "3441c6c2fdc4c91:8ad"
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 
  Cookie: SMSESSION=LOGGEDOFF 
  Connection: Keep-Alive       
  Host: myloginserver.mydomain.com:8181

Thus the 120-second idle timeout configured for the /dummy/ realm was
enforced at the realm level, which is what EnforceRealmTimeouts is
intended to achieve.
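The following script is an added verification example and is not part of this article or of any CA tooling. It checks the three things the procedure above relies on: that the realm's Idle Timeout (hours and minutes) and the OnAuthAccept response value (seconds) describe the same interval, that the idletime stamped on AuthAccept/ValidateAccept entries in smaccess.log matches what each realm is supposed to enforce, and that the post-timeout request carries SMSESSION=LOGGEDOFF. The realm table, the /other/ realm and all sample log, trace and header lines are constructed for illustration, modelled on the entries quoted in this article.

```python
# Added example (not part of the KB article or CA's tooling): verify that
# the idletime stamped on smaccess.log entries matches what each realm is
# supposed to enforce, and that the post-timeout request carries
# SMSESSION=LOGGEDOFF. Realm table and sample lines are constructed.
import re

# AuthAccept / ValidateAccept / AzAccept lines as quoted in the article;
# "GET/dummy/hello.html" has no space, hence \s* between method and resource.
ACCESS_RE = re.compile(
    r'^(?P<event>AuthAccept|ValidateAccept|AzAccept)\s+(?P<agent>\S+)\s+'
    r'\[(?P<ts>[^\]]+)\]\s+"(?P<client>[^"]*)"\s+'
    r'"(?P<server>\S+)\s+(?P<method>[A-Z]+)\s*(?P<resource>\S+)"\s+'
    r'\[(?P<attrs>[^\]]*)\]'
)

# Constructed realm table: realm prefix -> idle timeout (seconds) that the
# realm's OnAuthAccept response is meant to set.
REALM_CONFIG = {'/dummy/': 120, '/other/': 600}

def realm_idle_seconds(hours, minutes):
    """Realm properties take hours and minutes; the response takes seconds."""
    return hours * 3600 + minutes * 60

def response_matches_realm(hours, minutes, response_seconds):
    """True when the realm's Idle Timeout and the response value agree."""
    return realm_idle_seconds(hours, minutes) == response_seconds

def parse_access_line(line):
    """Parse one smaccess.log line; the [..] attribute list becomes a dict."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    attrs = {}
    for item in rec['attrs'].split(';'):
        if '=' in item:
            key, value = item.split('=', 1)
            attrs[key.strip()] = value.strip()
    rec['attrs'] = attrs  # stays empty for AzAccept, which carries a session id
    return rec

def realm_for(resource, realm_config):
    """Longest-prefix match of the resource path against the realm table."""
    matches = [r for r in realm_config if resource.startswith(r)]
    return max(matches, key=len) if matches else None

def check_access_log(lines, realm_config):
    """Compare each AuthAccept/ValidateAccept idletime with the realm's value."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or 'idletime' not in rec['attrs']:
            continue
        realm = realm_for(rec['resource'], realm_config)
        if realm is None:
            continue
        observed = int(rec['attrs']['idletime'])
        findings.append({'event': rec['event'], 'resource': rec['resource'],
                         'realm': realm, 'observed': observed,
                         'expected': realm_config[realm],
                         'ok': observed == realm_config[realm]})
    return findings

def session_expired_in_trace(trace_lines):
    """True if the Web Agent trace recorded an expired SMSESSION cookie."""
    return any('SMSESSION cookie has expired' in line for line in trace_lines)

def cookie_logged_off(raw_request):
    """True if the request's Cookie header carries SMSESSION=LOGGEDOFF."""
    m = re.search(r'^Cookie:.*\bSMSESSION=([^;\s]+)', raw_request, re.M)
    return m is not None and m.group(1) == 'LOGGEDOFF'

# Constructed sample data, modelled on the entries quoted in the article.
_C = '"192.168.87.129 uid=testuser,ou=People, o=mydomain.com"'
_TS = '[08/May/2009:13:56:40 -0500]'
SAMPLE_ACCESS = [
    f'AuthAccept www2 {_TS} {_C} "myserver.mydomain.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]',
    f'ValidateAccept www2 {_TS} {_C} "myserver.mydomain.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]',
    f'AzAccept www2 {_TS} {_C} "myserver.mydomain.com GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]',
    # A realm whose response was left at a value other than the one intended:
    f'AuthAccept www2 {_TS} {_C} "myserver.mydomain.com GET/other/index.html" [idletime=3600;maxtime=0;authlevel=5;] [0]',
]
SAMPLE_TRACE = ['[05/08/2009][13:59:11][500][3136][8157a8c0-01f4-4a0472ef-0c40-00cb1dff]'
                '[CSmHttpPlugin::ProcessSessionCookie][SMSESSION cookie has expired and will not be used to authenticate.]']
SAMPLE_REQUEST = ('GET /siteminderagent/forms/login.fcc?TYPE=33554433 HTTP/1.1\r\n'
                  'Cookie: SMSESSION=LOGGEDOFF\r\nHost: myloginserver.mydomain.com:8181\r\n')

if __name__ == '__main__':
    print('realm 0h 2m vs response 120s:', response_matches_realm(0, 2, 120))
    for f in check_access_log(SAMPLE_ACCESS, REALM_CONFIG):
        print('OK  ' if f['ok'] else 'FAIL', f['event'], f['resource'],
              'idletime', f['observed'], 'expected', f['expected'])
    print('trace shows expiry:', session_expired_in_trace(SAMPLE_TRACE))
    print('cookie set to LOGGEDOFF:', cookie_logged_off(SAMPLE_REQUEST))
```

Run against a real smaccess.log by replacing SAMPLE_ACCESS with the file's lines and REALM_CONFIG with the realms and response values you configured; any FAIL line means the realm's OnAuthAccept response (or the EnforceRealmTimeouts ACO setting for that agent) is not producing the idle timeout you expect. The AzAccept entry is skipped on purpose, since it carries the session id rather than the timeouts.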