Symantec Access Management

  • 1.  CA SSO – Enforce Realm Timeout Question

    Posted Feb 13, 2016 10:58 PM

    CA SSO – Enforce Session/Realm Timeouts Problem

    Hi, we have a fairly complex environment (many application credentials, TLDs, etc.), so it is imperative that we properly manage/end all credentials in our environment established from a CA SSO session.  We have set up our own custom solution that enables us to ‘track’ all credentials (apps/TLDs/etc.) ever issued for our users and then later ‘kill’ all of these credentials safely when a user does a logout.  What I want to do is extend this behavior for free when a session expires.

    I’ve been playing around with session timeouts.  For simplicity in this discussion, I’d like to use the OnAuthAccept rules coupled with WebAgent-OnAuthAccept-Session-Max-Timeout and WebAgent-OnAuthAccept-Session-Idle-Timeout responses. I have the appropriate ACO settings set up to use max- and idle-timeout URLs.  For our needs, the URLs will force a safe logout before a user sees a timeout message.

    This is working fairly well – except for one use case.

    There is one scenario where I lose the ability to control how the web agent does a redirect for a timeout event.  The scenario is:

    1. Log in and first hit Realm A, which uses larger max- and idle-timeout values (60-second max/idle timeout).
    2. Wait for the credential to expire as defined in the next realm to be visited, which has a shorter timeout -- Realm B (30-second max/idle).  Thus, I wait 30 seconds.
    3. After 30 seconds, I visit Realm B.  What I observe is that I’m challenged by the authentication scheme specified for Realm B and not redirected to a timeout URL.


    This is NOT what I’d expect/want. I need the max/idle timeout URLs in the ACO to be invoked for this use case to ensure a proper logout is done for our users.

    If I perform the opposite test of hitting the ‘most’ restrictive realm first (Realm B) and wait for the timeout to occur before hitting the ‘less’ restrictive Realm A, I get redirected to the timeout URLs defined in the ACO attributes as expected.

    What am I doing wrong or misunderstanding with this setup?

    Cheers!



  • 2.  Re: CA SSO – Enforce Realm Timeout Question
    Best Answer

    Posted Feb 14, 2016 07:16 PM

    Hi Jim,

    I have verified this to be a bug in our code.

    When it determines that the session is idle/max out, due to enforcing realm time outs, it is not honoring the IdleTimeOutUrl. It just redirects to the login page.

    See below:

    [02/15/2016][11:02:04][4408][3972][CSmLowLevelAgent.cpp:1240][AuthenticateUser][239b0220000051f50000000051f5239b-1138-56c1157c-0f84-03c43a9e][*127.0.0.1][][agent-vm1][/test/][guest][Enforcing realm timeouts, session expired.]

    [02/15/2016][11:02:04][4408][3972][CSmResponseManager.cpp:260][CSmResponseManager::ProcessResponses][239b0220000051f50000000051f5239b-1138-56c1157c-0f84-03c43a9e][*127.0.0.1][][agent-vm1][/test/][guest][No plugins responded, returning SmNoAction.]

    [02/15/2016][11:02:04][4408][3972][CSmHighLevelAgent.cpp:638][ProcessRequest][239b0220000051f50000000051f5239b-1138-56c1157c-0f84-03c43a9e][*127.0.0.1][][agent-vm1][/test/][guest][AuthenticationManager returned SmNo or SmNoAction, calling ChallengeManager.]

    [02/15/2016][11:02:04][4408][3972][CSmHttpCredCore.cpp:1508][CSmHttpCredCore::DoFormsChallenge][239b0220000051f50000000051f5239b-1138-56c1157c-0f84-03c43a9e][*127.0.0.1][][agent-vm1][/test/][guest][Executing forms challenge.]

    [02/15/2016][11:02:04][4408][3972][CSmHttpCredCore.cpp:1779][CSmHttpCredCore::DoFormsChallenge][239b0220000051f50000000051f5239b-1138-56c1157c-0f84-03c43a9e][*127.0.0.1][][agent-vm1][/test/][guest][Redirecting to credential collector '/siteminderagent/forms/login.fcc?TYPE=167772161&REALMOID=06-8a714121-b783-4980-9cfc-ad3d2b127602&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-GmAWkS69BMY7CmdlT11uPS6oiTqMtZzuiPV%2b%2fuizSE2ofuXnh6W9wKkKHE28zOjO&TARGET=-SM-http%3a%2f%2fvm1%2eujwol%2ecom%2ftest%2f'.]

    [02/15/2016][11:02:04][4408][3972][SmPluginUtilities.cpp:399][HandleCredCollectorChallenge][239b0220000051f50000000051f5239b-1138-56c1157c-0f84-03c43a9e][*127.0.0.1][][agent-vm1][/test/][guest][Redirecting for credentials '/siteminderagent/forms/login.fcc?TYPE=167772161&REALMOID=06-8a714121-b783-4980-9cfc-ad3d2b127602&GUID=0&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-GmAWkS69BMY7CmdlT11uPS6oiTqMtZzuiPV%2b%2fuizSE2ofuXnh6W9wKkKHE28zOjO&TARGET=-SM-http%3a%2f%2fvm1%2eujwol%2ecom%2ftest%2f'.]

    [02/15/2016][11:02:04][4408][3972][CSmHighLevelAgent.cpp:662][ProcessRequest][239b0220000051f50000000051f5239b-1138-56c1157c-0f84-03c43a9e][*127.0.0.1][][agent-vm1][/test/][guest][Challenge Manager returned SmExit, end new request.]

    Next Action

    =========

    Please open a support ticket with us and ask the engineer to refer to this community post. I shall be able to provide them with the needed help.

    Cheers,

    Ujwol
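    As an added example (not from this thread or from the product), a small Python check that scans web agent trace records of the format quoted above for the signature of the bug described: a "session expired" record followed, for the same session id, by a redirect to the credential collector (login.fcc) instead of to a timeout URL. The sample trace is constructed; the session ids are shortened and the second session's redirect record is hypothetical (it stands in for whatever the agent logs when it honours the timeout URL).

    ```python
    import re

    # Constructed sample trace, modelled on the web agent trace lines quoted above.
    # Session ids are shortened and the sid-B redirect record is hypothetical: it stands
    # in for whatever the agent logs when it honours the configured timeout URL.
    SAMPLE_TRACE = """\
    [02/15/2016][11:02:04][4408][3972][CSmLowLevelAgent.cpp:1240][AuthenticateUser][sid-A][*127.0.0.1][][agent-vm1][/test/][guest][Enforcing realm timeouts, session expired.]
    [02/15/2016][11:02:04][4408][3972][CSmResponseManager.cpp:260][CSmResponseManager::ProcessResponses][sid-A][*127.0.0.1][][agent-vm1][/test/][guest][No plugins responded, returning SmNoAction.]
    [02/15/2016][11:02:04][4408][3972][CSmHttpCredCore.cpp:1779][CSmHttpCredCore::DoFormsChallenge][sid-A][*127.0.0.1][][agent-vm1][/test/][guest][Redirecting to credential collector '/siteminderagent/forms/login.fcc?TYPE=167772161&TARGET=-SM-http%3a%2f%2fvm1%2eujwol%2ecom%2ftest%2f'.]
    [02/15/2016][11:05:30][4408][3972][CSmLowLevelAgent.cpp:1240][AuthenticateUser][sid-B][*127.0.0.1][][agent-vm1][/app/][guest][Enforcing realm timeouts, session expired.]
    [02/15/2016][11:05:30][4408][3972][Hypothetical.cpp:1][ProcessRequest][sid-B][*127.0.0.1][][agent-vm1][/app/][guest][Redirecting to 'https://sso.example.test/timeout/idle'.]
    """

    FIELD_RE = re.compile(r"\[(.*?)\]")
    EXPIRED_MSG = "Enforcing realm timeouts, session expired."


    def parse_trace_line(line):
        """Split one bracket-delimited trace record into the fields used here
        (0-based: 1=time, 6=session id, 10=resource, 11=user, 12=message); None if incomplete."""
        fields = FIELD_RE.findall(line)
        if len(fields) < 13:
            return None
        return {"time": fields[1], "session": fields[6], "resource": fields[10],
                "user": fields[11], "message": fields[12]}


    def expired_sessions_sent_to_login(trace_text):
        """Return (session, resource, time) for each realm-timeout expiry that was followed,
        for the same session, by a redirect to the credential collector (login.fcc) rather
        than to a timeout URL. That sequence is the signature of the bug in the thread."""
        pending = {}    # session id -> resource on which the expiry was logged
        findings = []
        for raw in trace_text.splitlines():
            rec = parse_trace_line(raw)
            if rec is None:
                continue
            if rec["message"] == EXPIRED_MSG:
                pending[rec["session"]] = rec["resource"]
            elif rec["session"] in pending and rec["message"].startswith("Redirecting"):
                # The first redirect after the expiry decides the outcome for this session.
                if "login.fcc" in rec["message"]:
                    findings.append((rec["session"], pending[rec["session"]], rec["time"]))
                del pending[rec["session"]]
        return findings
    ```

    Run over a real trace file, any hit means a session that timed out was sent to the login form, so the custom "kill all credentials" logout the question relies on never ran for it.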



  • 3.  Re: CA SSO – Enforce Realm Timeout Question

    Posted Feb 15, 2016 12:20 PM

    Thanks for the quick reply!!!   It is good to know that this is the expected behavior.

    Two questions.

    1) We are on R12 for now.  I assume this behavior exists in R12.52 too?   My assumption is the bug fix will only be done for R12.52 going forward?

    2) When a credential is set at login time due to realm settings -- does this truly enforce the maximum timeouts that can 'ever' be used for a user's session?  Or if I visit a new realm, might realm-level timeouts increase/supersede the timeout values defined when the session was created?  My assumption 'now' is that this is the case.

    Cheers,

    Jim



  • 4.  Re: CA SSO – Enforce Realm Timeout Question

    Posted Feb 15, 2016 04:39 PM

    My answers inline:

    1) We are on R12 for now.  I assume this behavior exists in R12.52 too?   My assumption is the bug fix will only be done for R12.52 going forward?

    Ujwol : I reproduced the issue in r12.52 SP1. If you report this issue, then we will try to fix this in the next CR for r12.52 SP1.

    2) When a credential is set at login time due to realm settings -- does this truly enforce the maximum timeouts that can 'ever' be used for a user's session?  Or if I visit a new realm, might realm-level timeouts increase/supersede the timeout values defined when the session was created?  My assumption 'now' is that this is the case.

    Ujwol : This depends on whether you have configured the EnforceRealmTimeouts ACO parameter and the associated responses or not.

    Have a look at this:

    Enforce Timeouts across Multiple Realms - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    Having said that, by default, even if the user navigates across different realms with varying timeout settings, the user session timeout is still governed by the first realm where the session was established at the initial login.

    Cheers,

    Ujwol