Symantec Access Management

  • 1.  SMSESSION timeout

    Posted Jun 13, 2016 09:55 AM

    Hi,

     

    When accessing a CA SSO (ver. 12.51) protected web application I get logged out after 2 hours even when not idling for more than minutes. I think that is the default CA SSO setup. But is it possible to change that behavior so that "sm_timetoexpire" will reset upon new requests and therefore having the user logged in until idle timeout expires?

     

    Regards,

    Fredrik



  • 2.  Re: SMSESSION timeout

    Posted Jun 13, 2016 10:12 AM

    Have you increased the max session time for the realm?  Sounds like you are hitting the max session time for the realm which defaults to 2hrs.



  • 3.  Re: SMSESSION timeout
    Best Answer

    Posted Jun 13, 2016 10:17 AM

    Hi Fredrik,

     

    It could be due to the MaxTimeout set in the realm configuration.

    maxTimeout (int)

    Specifies the maximum time, in seconds, a user can access the realm before re-authentication is required. The default is 7200 (2 hours).

     

    Yes, it is possible to change the behavior; you can make the changes based on your business requirement.

     

    Thanks,

    Sharan



  • 4.  Re: SMSESSION timeout

    Posted Jun 14, 2016 02:34 AM

    Hi,

     

    Are there any security considerations to be made before increasing the Session-Max-Timeout value to, for example, 12 hrs?

     

    Thanks,

    Fredrik



  • 5.  Re: SMSESSION timeout

    Posted Jun 14, 2016 09:41 AM

    Hi Fredrik,

     

    As you know, it determines the maximum amount of time a user session can be active before the Agent challenges the user to re-authenticate. The session will be lost after the timeout and there should not be any risk due to this.

    In your example, you are planning to increase up to 12 hours, so if the user is not idle for 12 hours then he could get the login page to re-authenticate.

     

    Thanks,

    Sharan



  • 6.  Re: SMSESSION timeout

    Broadcom Employee
    Posted Jun 14, 2016 03:49 PM

    Additional info

    Timeouts are set based on initial Realm user authenticated - default max is 2 hours

     

    Technote link provides info on changing the value as the user navigates through the system:

     

    How to Enforce Timeouts across Multiple Realms



  • 7.  Re: SMSESSION timeout

    Posted Jun 15, 2016 04:22 AM

    Thanks, I am satisfied with your answer.

    Regards

    /Fredrik



  • 8.  Re: SMSESSION timeout

    Posted Jun 16, 2016 12:37 PM

    FredrikF

     

    There is a check box which enables MaxTimeout and IdleTimeout. If you uncheck MaxTimeout, then MaxTimeout is disabled. Only IdleTimeout would be enabled. Thus, as long as a user remains active, his timeout would not expire, and if the user remains idle it would time out.

     

    This was your query "But is it possible to change that behavior so that "sm_timetoexpire" will reset upon new requests and therefore having the user logged in until idle timeout expires?"
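
The interaction of the two timers described in posts 3 and 8, as an added example that is not part of the original thread and is not SiteMinder code. It is a simplified model: `session_end`, the 3600-second idle timeout and the request pattern are assumptions made for illustration; only the 7200-second maxTimeout default comes from the thread.

```python
from typing import Optional, Sequence, Tuple

MAX_DEFAULT = 7200   # maxTimeout default quoted in the thread (2 hours)
IDLE_ASSUMED = 3600  # assumed idle timeout for this model; not stated in the thread


def session_end(requests: Sequence[int], idle_timeout: int,
                max_timeout: Optional[int]) -> Tuple[int, str]:
    """Return (second at which the session ends, which timer ended it).

    requests: ascending request times in seconds; requests[0] is the login.
    max_timeout=None models the max-timeout check box being unchecked.
    """
    start = last = requests[0]
    hard_stop = None if max_timeout is None else start + max_timeout

    def deadline(last_seen: int) -> Tuple[int, str]:
        # The session ends at whichever limit comes first.
        idle_stop = last_seen + idle_timeout
        if hard_stop is not None and hard_stop < idle_stop:
            return hard_stop, "max"
        return idle_stop, "idle"

    for t in requests[1:]:
        stop, reason = deadline(last)
        if t >= stop:        # request arrives after expiry: re-authentication
            return stop, reason
        last = t             # activity moves only the idle deadline forward
    return deadline(last)


# Constructed input: a user sending a request every 10 minutes for 13 hours.
BUSY_USER = list(range(0, 13 * 3600 + 1, 600))

if __name__ == "__main__":
    for label, mx in (("default 2 h", MAX_DEFAULT), ("12 h", 43200),
                      ("max disabled", None)):
        print(label, session_end(BUSY_USER, IDLE_ASSUMED, mx))
```

With the max timeout disabled, the model's session ends only when requests stop arriving within the idle window, so its total lifetime has no fixed upper bound.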



  • 9.  Re: SMSESSION timeout

    Posted Jun 16, 2016 02:15 PM

    But of course!!! I should have been able to figure that out. Exactly what I was asking for. Thank you Hubert.

    //FredrikF