Symantec Access Management

  • 1.  Keep Alive Ping from Service Provider

    Posted Jan 14, 2015 11:29 AM

    Hi All,

     

We have a requirement where, in a federated environment, the portal team (IDP side) wants to extend the user session based on the service provider.

     

Is there a way by which the service provider can keep the session on the IDP side alive in real time, based on client activity at the vendor end?

     

For example, if the session timeout or idle timeout at the IDP end is "15 min" but the SP-side client is active for "20 min", then the SP should have the capability to extend the IDP session by another 5 min.

     

Is there a way to achieve this, and what could be the possible approach? Any help or guidance is appreciated.

     

    Thanks,

    Abhi



  • 2.  Re: Keep Alive Ping from Service Provider

    Posted Jan 14, 2015 11:03 PM

    Abhi

     

    One possibility :

A crude way would be to forcefully re-initiate an AuthnRequest from the SP side based on the IdP's session timeout value (e.g. if the SP knows that the IdP-side timeout is 15 mins, then initiate an AuthnRequest automatically every 12 mins). It does kill the user experience. Remember this means that if a user is browsing on the SP side, he would suddenly see some pages rolling by in his browser before he gets to see the content he was trying to reach. This also involves the complex logistics of having to use RelayState (and any data not lost in transition) to get the user back to the same state/page he was in.

     

Could you tell me what solution is being used on the IdP side and the SP side? Is it SiteMinder on both sides?

     

    Regards

     

    Hubert



  • 3.  Re: Keep Alive Ping from Service Provider

    Posted Jan 20, 2015 01:19 PM

    Thanks Hubert for the reply.

     

We are acting as the IDP site, and it's an IDP-initiated scenario.

     

There could be heterogeneous platforms at the SP side, not specifically SiteMinder (setup is not yet completed).

     

I see a CA discussion saying:

     

This request doesn't have to be an SP-initiated AuthnRequest. You could have another resource (separate from Federation) that is protected on your IDP side. The SP can initiate a request to access this resource in the background every 12 mins or so, even if the transaction is IDP-initiated.

    The only way to achieve your requirement is through a custom solution.

     

What do you think about this?

     

    Thanks,

    Abhinav Kumar



  • 4.  Re: Keep Alive Ping from Service Provider
    Best Answer

    Posted Jan 27, 2015 04:28 PM

    Abhinav

     

I see some security concerns that most organisations may have about allowing keepalives from outside, from partner organisations. However, since you are the IdP, if you are not violating any security policies of your organisation it is okay. I'd suggest you speak internally (to the Security Team) before implementing keepalive pings from outside. One thing you need to take care of in such an implementation is browser caching. The resource being called every 12 mins needs to be unique, such that it is not served from the browser cache. You can host a static keepalive resource, e.g. http://org.idp.com/content/keepalive.html. However, when the SP-side application calls it, the request has to be unique, e.g. http://org.idp.com/content/keepalive.html?asbcsjhdsk

     

The randomized query parameter at the end would make the request look unique every time the keepalive is called, thus ensuring the content is not served from cache.

     

Also remember that the extension of the Idle Timeout is always as per what is configured in the Realms on CA Single Sign-On (a.k.a. SiteMinder). So if the Idle Timeout is set to 15 mins, then on refresh the counter is reset to 15 mins again. I'd like to highlight this point because your statement in the starting post suggests that if the user stayed on the SP for 20 mins, the IdP session would be extended by 5 mins (20 - 15). This is not true; it cannot be extended by 5. It would extend the IdP session by 15 mins OOB.
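The keepalive pattern from the Best Answer (a background request from the SP page to a protected IdP resource, with a cache-busting query parameter, fired a few minutes before the IdP idle timeout) as an added browser-side example; this is illustrative code written for this page, not code from the thread or from CA/Symantec. It also adds the activity gate the original question asks for: the ping is only sent if the user actually did something at the SP since the last tick, so an idle SP tab does not keep the IdP session alive forever. The IdP host, the path `/content/keepalive.html`, the `ka` parameter name and the 15-minute idle timeout are assumptions for illustration.

```javascript
// Added example: SP-side keepalive pinger for a SiteMinder-protected IdP resource.
// Assumptions (not from the thread): IdP URL, query parameter name "ka", 15-min idle timeout.

const IDP_KEEPALIVE_URL = "https://org.idp.com/content/keepalive.html"; // assumed IdP resource
const IDP_IDLE_TIMEOUT_MIN = 15;                                          // assumed realm idle timeout

// Build a URL that is unique per call so the browser never answers it from cache.
function buildKeepaliveUrl(baseUrl, nonce) {
  const url = new URL(baseUrl);
  url.searchParams.set("ka", nonce); // value is ignored by the IdP; it only defeats caching
  return url.toString();
}

// Unpredictable nonce: Web Crypto where available (browsers, Node 19+), time+random fallback.
function makeNonce() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  return Date.now().toString(36) + Math.random().toString(36).slice(2);
}

// Ping interval must sit safely inside the idle window (15 min timeout -> ping every 12 min).
function keepaliveIntervalMs(idleTimeoutMin, safetyMarginMin = 3) {
  if (!(idleTimeoutMin > safetyMarginMin)) {
    throw new RangeError("safety margin must be smaller than the IdP idle timeout");
  }
  return (idleTimeoutMin - safetyMarginMin) * 60 * 1000;
}

// Default transport: credentialed so the SMSESSION cookie travels with the request,
// no-store so neither browser nor intermediate caches satisfy it, no-cors because the
// IdP usually does not send CORS headers for this resource (the response is opaque).
function defaultSender(url) {
  return fetch(url, { credentials: "include", cache: "no-store", mode: "no-cors" });
}

// Keepalive controller. Timer and sender are injectable so it can be exercised without a browser.
function createKeepalive({
  baseUrl = IDP_KEEPALIVE_URL,
  idleTimeoutMin = IDP_IDLE_TIMEOUT_MIN,
  safetyMarginMin = 3,
  sender = defaultSender,
  setTimer = globalThis.setInterval,
  clearTimer = globalThis.clearInterval,
} = {}) {
  let activeSinceLastPing = false;
  let handle = null;
  const sent = [];

  const api = {
    intervalMs: keepaliveIntervalMs(idleTimeoutMin, safetyMarginMin),

    // Called from SP page event handlers (click, keydown, scroll ...).
    noteActivity() { activeSinceLastPing = true; },

    // One timer tick: ping only if the user was active at the SP; returns the URL used or null.
    tick() {
      if (!activeSinceLastPing) return null; // user idle at SP: let the IdP session lapse
      activeSinceLastPing = false;
      const url = buildKeepaliveUrl(baseUrl, makeNonce());
      sent.push(url);
      // Fire and forget; a failed ping only means the IdP session may time out as normal.
      Promise.resolve().then(() => sender(url)).catch(() => {});
      return url;
    },

    start() { if (handle === null) handle = setTimer(() => api.tick(), api.intervalMs); },
    stop()  { if (handle !== null) { clearTimer(handle); handle = null; } },
    sentUrls() { return sent.slice(); },
  };
  return api;
}

// Browser wiring (skipped when run outside a browser, e.g. under Node).
if (typeof document !== "undefined") {
  const ka = createKeepalive();
  for (const ev of ["click", "keydown", "scroll"]) {
    document.addEventListener(ev, ka.noteActivity, { passive: true });
  }
  ka.start();
}
```

Two practical caveats beyond what the thread covers: the keepalive resource must be protected by the same SiteMinder agent/realm that issued the session, otherwise touching it resets nothing; and because the ping is a cross-site request from the SP origin, current browsers only attach the IdP cookie if it is marked `SameSite=None; Secure` (and third-party cookies are not blocked), so the SP-side script cannot tell from the opaque response whether the session was actually refreshed.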