After the 20 min idle timeout, Siteminder doesn't allow the user to reauthenticate.

Article ID: 74766

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

After a timeout of 20 minutes of inactivity in an application, SiteMinder will not accept credentials when attempting to authenticate. We are forced to close the browser to re-authenticate.

Cause

There are circumstances under which the Web Agent sets a host-only session cookie, for example when the CookieDomainScope parameter is configured with too high a value or when the cookie domain cannot be resolved. The client can then hold multiple valid session cookies. On idle timeout, only one of those session cookies is invalidated, which leaves the user's session in an indeterminate state and causes unpredictable behaviour.

In this environment the users were also receiving session cookies without any corresponding Set-Cookie header in the HTTP trace data. This can happen when the IIS cache is enabled.

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Resolution

The IIS server was setting a host-only cookie that could not be invalidated by the logoff URI feature. Verify that CookieDomainScope is not set to too large a value and that cookie domain resolution is working as expected.

Set the Agent Configuration Object parameter IISCacheDisable='YES' on the IIS agent to ensure IIS does not serve cached session cookies to clients.

Additional Information

An HTTP trace tool such as Fiddler is invaluable for analysing and troubleshooting cases like this.
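As an added illustration (not part of this article or of the SiteMinder product), the following Python script runs the two checks implied by the Cause section over a constructed trace of Set-Cookie and Cookie headers of the kind exported from a tool like Fiddler: it reports requests that carry more than one session cookie (with the scope each copy was set with, host-only or domain) and cookie values the client sends that no captured response ever set, the signature of a cached Set-Cookie. The trace entries and host names are constructed, and SMSESSION is assumed as the session cookie name.

```python
# Constructed HTTP trace entries (not from the article): each tuple is
# (direction, host, header_value). "resp" rows are Set-Cookie response
# headers, "req" rows are Cookie request headers, in capture order.
TRACE = [
    ("resp", "app.example.com", "SMSESSION=AAA111; path=/; domain=.example.com"),
    ("resp", "app.example.com", "SMSESSION=BBB222; path=/"),  # no domain attr: host-only
    ("req",  "app.example.com", "SMSESSION=AAA111; SMSESSION=BBB222"),
    ("req",  "app.example.com", "SMSESSION=CCC333"),  # never set by any captured response
]

def parse_set_cookie(value):
    """Return (name, value, domain) for one Set-Cookie header.
    domain is None when the attribute is absent, i.e. a host-only cookie."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    domain = None
    for attr in parts[1:]:
        key, _, attr_val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = attr_val.strip().lower()
    return name.strip(), val.strip(), domain

def analyze_trace(trace, cookie_name="SMSESSION"):
    """Walk the trace in order and return a list of textual findings for
    (a) requests carrying several copies of the session cookie and
    (b) session cookie values that no earlier response set."""
    scopes = {}    # cookie value -> scope it was set with
    findings = []
    for direction, host, header in trace:
        if direction == "resp":
            name, val, domain = parse_set_cookie(header)
            if name == cookie_name:
                scopes[val] = domain if domain else f"host-only:{host}"
            continue
        # Request: collect every copy of the session cookie the client sent.
        sent = [p.strip() for p in header.split(";")]
        vals = [p.partition("=")[2] for p in sent if p.startswith(cookie_name + "=")]
        if len(vals) > 1:
            detail = ", ".join(f"{v} ({scopes.get(v, 'unknown origin')})" for v in vals)
            findings.append(f"request to {host} carries {len(vals)} {cookie_name} cookies: {detail}")
        for v in vals:
            if v not in scopes:
                findings.append(f"{cookie_name}={v} sent to {host} without any prior "
                                "Set-Cookie in the trace (possible cached response)")
    return findings

if __name__ == "__main__":
    for line in analyze_trace(TRACE):
        print(line)
```

A request that lists both a domain-scoped and a host-only copy of the cookie is the state the article describes, where a logoff can only invalidate one of them.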