Federation GUID cookie has expiration of only 3 minutes

book

Article ID: 7361

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

We're running Federation with one of our partners. When the Service Provider generates an SAML 2.0 AuthnRequest over HTTP-POST and the user takes more than 3 minutes to complete the authentication process, the transaction fails with a 400 error. Why ? How can we fix this ?

Cause

For POST Authnrequest Bindings, we generate a persistent GUID cookie. By default, we set this cookie expiration time to 3 minutes. Once the expiration time has passed, we end up with an error.

Environment

Policy Server Version: 12.52 SP1 CR5Policy Server OS: RHEL 6.8SPS Version: 12.52 SP1SPS OS: RHEL 6.8

Resolution

This is fixed in Policy Server, Policy Store structure ( FedObjects.xdd, FssSmObjects.xdd ), Web Agent Option Pack and AdminUI 12.52SP1CR08. You have to upgrade all these components to get the functionality from this fix.

> Added new text field with name "GUID Cookie Validity Durartion (Seconds), in SAML2, IDP-SP Partnership, to provide value, when AuthnRequest POST Binding is selected. This value should be >=180 and <=9999.