Symantec Access Management

Tech Tip : CA Single Sign-On : SMSESSION Validation success even for disabled user 

Jun 13, 2018 10:04 AM

Question:


The scenario is that we are validating the SMSESSION and have the following queries:

 

TEST 1:

1. User logs in and has a valid SMSESSION.
2. User account is locked temporarily in another session, i.e. a new login call is made and the user is locked/disabled.
3. Tried using the existing SMSESSION we had captured for the success scenario and noticed that the login is permitted, i.e. the SMSESSION is still validated.

Here, the SMSESSION is validated even though the user is locked out in another session. Does the SM Policy Server check the user status, i.e. the sm-disabled-flag, while validating the SMSESSION?

 

 

TEST 2:

1. User logs in and has a valid SMSESSION.
2. Change the UD's (user directory's) DSN.
3. Tried using the existing SMSESSION we had captured for the success scenario and noticed that the login is permitted, i.e. the SMSESSION is still validated.

Here, the SMSESSION is still validated even though the UD is using an incorrect DSN. Does SM disambiguate the user during the validate session call?


TEST 3:

1. User logs in and has a valid SMSESSION.
2. Change one of the user attributes.
3. Tried using the existing SMSESSION we had captured for the success scenario and noticed that the login is permitted, i.e. the SMSESSION is still validated.

Here, the user attribute change is not reflected. Does the PS check for any user attribute changes while doing the validate session call?

 

Questions:

1. Does the SM Policy Server check the user status, i.e. the sm-disabled-flag, while validating the SMSESSION?

2. Does SM disambiguate the user during the validate session call?

3. Does the PS check for any user attribute changes while doing the validate session call?

 


Answer:


1. Yes, but if the web agent cache validates the session, the Policy Server never checks it.

2. Yes; again, if the web agent caches the session, the Policy Server won't check it. Furthermore, the SiteMinder Policy Server has a user cache.

3. Yes, if it is not in the web agent cache or the Policy Server user cache.

Note:

You can configure the web agent cache to have a lower lifespan. This will cause the SMSESSION to expire sooner. However, the drawback to this is that more calls will be made to the Policy Server, which might affect its performance.
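The caching behaviour the answer describes, as an added model that is not SiteMinder code and not part of the original page: a toy web agent that caches successful validations for a configurable lifespan in front of a Policy Server that re-reads the user directory on every call. The class and function names, the constructed user "alice", and the one-probe-per-second timeline are all assumptions for illustration. It reproduces TEST 1 and TEST 3 and the Note's trade-off: a session validated before the account was disabled (or the attribute changed) keeps being accepted until the agent's cache entry expires, and a shorter lifespan shrinks that window at the cost of more Policy Server calls per session.

```python
"""Toy model of agent-side session caching (added illustration, not SiteMinder code).

Assumed names: UserRecord, PolicyServer, WebAgent and the helper functions below
are hypothetical; the user "alice" and her attributes are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class UserRecord:
    """One entry in the (constructed) user directory."""
    disabled: bool = False
    attributes: Dict[str, str] = field(default_factory=dict)


class PolicyServer:
    """Authoritative side: every validation re-reads the directory, so a disabled
    flag or an attribute change is visible at once. (The real Policy Server also
    keeps its own user cache, which adds a second window this model omits.)"""

    def __init__(self, directory: Dict[str, UserRecord]):
        self.directory = directory
        self.calls = 0  # how often the agent actually asked us

    def validate_session(self, username: str) -> Optional[Dict[str, str]]:
        self.calls += 1
        user = self.directory.get(username)
        if user is None or user.disabled:
            return None
        return dict(user.attributes)  # attributes as of this validation


class WebAgent:
    """Agent side: a successful validation is cached for cache_ttl seconds and
    served from the cache without consulting the Policy Server."""

    def __init__(self, policy_server: PolicyServer, cache_ttl: float):
        self.ps = policy_server
        self.cache_ttl = cache_ttl
        self.cache: Dict[str, Tuple[float, Dict[str, str]]] = {}  # session -> (expires_at, attrs)

    def validate(self, session_id: str, username: str, now: float) -> Optional[Dict[str, str]]:
        entry = self.cache.get(session_id)
        if entry is not None and now < entry[0]:
            return entry[1]  # cache hit: Policy Server never sees this request
        attrs = self.ps.validate_session(username)
        if attrs is None:
            self.cache.pop(session_id, None)  # rejected: drop any stale entry
            return None
        self.cache[session_id] = (now + self.cache_ttl, attrs)
        return attrs


def _fresh_setup(cache_ttl: float):
    directory = {"alice": UserRecord(attributes={"dept": "eng"})}
    ps = PolicyServer(directory)
    agent = WebAgent(ps, cache_ttl)
    agent.validate("sess-1", "alice", 0.0)  # initial login at t=0
    return directory, ps, agent


def seconds_until_rejected(cache_ttl: float, disable_at: float, horizon: float = 3600):
    """TEST 1 as a timeline: disable the user at disable_at, re-present the same
    SMSESSION every second. Returns (t_first_rejected, policy_server_calls)."""
    directory, ps, agent = _fresh_setup(cache_ttl)
    t = 1.0
    while t <= horizon:
        if t >= disable_at:
            directory["alice"].disabled = True
        if agent.validate("sess-1", "alice", t) is None:
            return t, ps.calls
        t += 1.0
    return None, ps.calls


def seconds_until_attribute_seen(cache_ttl: float, change_at: float, horizon: float = 3600):
    """TEST 3 as a timeline: change an attribute at change_at and report when the
    agent first hands back the new value. Returns (t_first_seen, policy_server_calls)."""
    directory, ps, agent = _fresh_setup(cache_ttl)
    t = 1.0
    while t <= horizon:
        if t >= change_at:
            directory["alice"].attributes["dept"] = "sales"
        attrs = agent.validate("sess-1", "alice", t)
        if attrs is not None and attrs["dept"] == "sales":
            return t, ps.calls
        t += 1.0
    return None, ps.calls


def policy_server_calls(cache_ttl: float, horizon: float) -> int:
    """Cost side of the Note: Policy Server calls generated by one active session
    that is re-validated once per second for `horizon` seconds."""
    ps = PolicyServer({"alice": UserRecord()})
    agent = WebAgent(ps, cache_ttl)
    t = 0.0
    while t < horizon:
        agent.validate("sess-1", "alice", t)
        t += 1.0
    return ps.calls


if __name__ == "__main__":
    for ttl in (600, 30):
        rejected_at, _ = seconds_until_rejected(ttl, disable_at=5)
        print(f"ttl={ttl}s: user disabled at t=5s, session still accepted until t={rejected_at}s")
        print(f"ttl={ttl}s: {policy_server_calls(ttl, 600)} Policy Server calls per session per 10 min")
```

Lowering the lifespan bounds how long a disabled account (or a stale attribute) keeps working to roughly one cache lifetime after the change, while the call count per session grows in proportion. In a real deployment the agent-side lifespan corresponds to the web agent's configured cache timeouts (for example the SessionGracePeriod and ResourceCacheTimeout Agent Configuration Object parameters; confirm the exact names and defaults against the documentation for your agent version), and the Policy Server's own user cache adds a further window that this model leaves out.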

 

KB000099641
