Tech Tip : CA Single Sign-On : Can access existing session from different browsers after Session Assurance setup

Document created by Albert_Fernandez Employee on Nov 10, 2017

Issue:

After setting up Session Assurance, we test whether the feature works by first accessing the protected resource from one browser to generate the user session, and then replaying that session from a different browser. The user is able to access the resource, when the expected behavior is to be challenged for credentials again.

 

Cause:

By default, the DeviceDNA Refresh Interval is set to 300 seconds. This value specifies how long the DeviceDNA associated with a user is valid. Only users without a valid DeviceDNA are redirected to the Endpoint, where the server obtains the current DeviceDNA for the user. If the Endpoint has the DeviceDNA Refresh Interval set to 300 seconds, and the time between both access requests is lower than this, the server uses Session Assurance to check the session validity.

 

Environment:

Policy Server 12.52SP2 on Windows 2012 R2

CA Access Gateway 12.52SP1CR05 on Windows 2008 R2

 

Resolution:

You can lower the DeviceDNA Refresh Interval to suit your needs. In the AdminUI, go to Policies > Global > Session Assurance Endpoints, and modify the DeviceDNA Refresh Interval value for your defined Endpoint.

When testing the feature, ensure that the time between both access requests is higher than the current DeviceDNA Refresh Interval.

 

Additional Information:

R12.52 SP1 - How to configure Enhanced Session Assurance with DeviceDNA during an upgrade 

 

KD : TEC1392984
