Symantec Access Management

Hi Guys,

We are facing an issue which is related to the SiteMinder response headers and its Cache. The following is the scenario:

1. User login into the application and lands in a page where he needs to enter few details and submit to the ODBC database, when he logins/authorizes a SM response header is triggered which contains an empty value say it is "lastname" because ODBC database does not contain the lastname value say for this case, so once he lands on a page user updates his lastname and submits to the database and the application redirects back the user to the same page again.

2. So when he lands on same page again, he should be displayed with the "lastname" (guess readable/editable option is available on page) but it is not happening . I am guessing the following reasons:

• as SM maintains the user authorization cache, once the response triggered it makes entry in the cache on policy server side for a particular session.
• once the user is back to same page after updating the lastname, the response will not get triggered within this small interval because the cache has the same response and it is using its cache entries, instead of fetching the updated results from the ODBC database.
• the webagent response has the option "cache" and "recalculate the interval"
  • for obvious reason of performance we have selected "Cache"  option.
  • if we select the "recalculate the interval" say 2 seconds, webagent polls policy server and policy server calls to the ODBC database for every 2 seconds which would degrade the performance, might not be very large for a single response but still it has a impact which we dont want to use this feature.
• 25% of the random entries (from random articles i came to know, i was thinking it would be FIFO) of cache is flushed when it reaches the "cachemaxtimeout" value in the sm.registry, so this issue might resolve when the traffic is very high, but while testing with single user we are seeing this issue.

So we have two options as workaround:

1. First update the lastname submit to the database, and display "lastname" on the different page where it has different response name but the same parameters configured, so that siteminder can see this as new response and fetch the data from the database.

2. use the "Recalculate the interval" option giving 2 seconds.

Unfortunately neither of the above don't work for the follwoing reason

point 1 - the application team says it is a very big change, for point 2 - there would be impact on SiteMinder performance.

So, any minds who can help with the third option to solve this?

Thanks,

Ravi

From application side, I would do following:

1. Modify the code to set LastName as following:

     a) check if "lastname" cookie exist, if it does, read  and set the value from cookie.

     b) if the cookie doesn't exist  , set the value from the response header returned by SiteMinder.

2. After the successful database update of the LastName field, create/updtae " lastname" cookie with the new value.

3. During logoff delete this cookie.

Pros:

====

1. Increased performance as the Siteminder need to read this attribute only once. Second time onwards, the value will be read locally from cookie.

Con:

====

1. If the LastName update happens outside of the current user session, it will not be reflected until user logs out and logs back in.

That is my 2 cent.

Hope this helps.

Cheers,

Ujwol Shrestha

Hi Ravi,

How did this go ?

Hi Ujwol,

Thanks for the reply and the tweak suggested. I will tell to application team guys to do this and let me see their response.

Generally, few of the portals here is very complicated and small change in their application would make **** to them and they don't do any changes and put all pressure on SiteMinder guys .

Thanks,

Ravi

That is called passing the ball game :).

Thanks for the update. Unfortunately, there is nothing much you can do from SiteMinder side for this requirement.

Hi Ravi,

Since the Agent caches the Resource and it's Responses per user, if you change the resource, you will make the agent go to the policy server to reach the responses, since it does not have the Resource in cache.

So, if your landing page is http://www.something.com/pages/UpdateDetails.aspx, on redirect back to ChangeDetails page, ask the dev guys to append a meaning-less query string value, http://www.something.com/pages/UpdateDetails.aspx?timestamp=128778374

For this to work though, you might need to set IgnoreQueryString ACO to no, but I am not sure.

This is quick and dirty solution, but it will surely work.

Another solution, which is much more customer experience friendly, is to have all the user management (e.g. change user details) pages on a different ACO than your company business site.

In that ACO, you can set MaxResourceCacheSize and MaxSessionCacheSize to 0 thus disabling the cache only for user management pages, Making the agent reach the policy server on each user action.

Best of luck,

Michael.

Hi Michael,

Thanks for another tweak, we have already suggested similar kind of tweak redirecting to the different protected page instead of same, where it will not be stored in resource cache, and new response with same values bind to it in the policy make another call to policy server to fetch the new updated values. But the portal is very huge and complex already protected by siteminder and they are not ready to make the changes.

Still your tweak make sense with least modification, but again modifying the ACO parameter is a big challenge, everything is interlinked one another here . I will see whichever is best possible solution and try to implement.

Thanks,

Ravi