Symantec Access Management

  • 1.  Application is redirecting to SSO URL due to absence of login-token in response from CA Federation Manager

    Posted Aug 24, 2016 05:00 AM

    Hi All,


We have one application called www.abc.com, which is federated with Windows NTLM Authentication. Now users are reporting that every 15 min, if they access the particular URL https://www.abc.com/content/dam/***-***/documents/en/***-***-xx/***-***/2016/xx-reports-***-q1-2017.pdf, instead of showing the PDF file it redirects the user to the SSO Service URL: https://***.abc.com/affwebservices/public/saml2sso?SPID=www.abc.com/ and once the SAML token is assigned it redirects the user to the ACS URL.

While debugging I found that every 15 min the browser sends a request containing fedSESSION and login-token for validation, but in the response it is receiving login-token=NULL; hence the application dispatcher is redirecting it to the SSO service URL to get an updated login-token, and while redirecting it is missing saml_request_path and hence landing the user on the ACS URL.


Can someone please let me know what login-token is and why it is validated every 15 min? Why is saml_request_path unable to keep the original destination path?

Please let me know if you need more insight for this case.


    Regards

    Prashant




  • 2.  Re: Application is redirecting to SSO URL due to absence of login-token in response from CA Federation Manager

    Posted Aug 25, 2016 01:38 AM

    Hi Prashant,


Check the Target specified in the SP->IdP partnership. The target specified there becomes the default target resource (it can be overridden with the RelayState query parameter).

Also, check the idle timeout specified for the target application.



  • 3.  Re: Application is redirecting to SSO URL due to absence of login-token in response from CA Federation Manager

    Posted Aug 25, 2016 09:06 AM

Thanks wonsa03 for your reply.

But we are not using any RelayState parameter in the SP->IdP partnership; also we have the idle timeout set to 2 hrs, so we can rule out a timeout issue, since the redirection is sometimes happening within 1 min as well, so I don't think it is a timeout issue.

I also observed that during the redirection to the SSO service URL it tries to set two fedSESSION cookies in the browser (.abc.com and abc.com), and in the ACO we have defined cookie domain=.abc.com, so only one cookie should be set, with .abc.com.

Could this be a fedSESSION cookie conflict issue?


    Regards

    Prashant
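One way to check for the kind of cookie-domain conflict raised in this post, as an added example that is not part of the original thread: the Set-Cookie lines are constructed to mimic the reported symptom (two fedSESSION cookies, one scoped to .abc.com and one to abc.com), and the ACO cookie domain value .abc.com is the one quoted above.

```python
from collections import defaultdict

# Constructed Set-Cookie headers mimicking the symptom in the thread:
# two fedSESSION cookies, one for ".abc.com" and one for "abc.com".
SAMPLE_SET_COOKIE = [
    "fedSESSION=AAAA; Domain=.abc.com; Path=/; Secure; HttpOnly",
    "fedSESSION=BBBB; Domain=abc.com; Path=/; Secure; HttpOnly",
    "SMSESSION=CCCC; Domain=.abc.com; Path=/; Secure; HttpOnly",
]

HOST_ONLY = "<host-only>"  # marker for a cookie with no Domain attribute


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def normalize_domain(domain):
    """RFC 6265 ignores a leading dot and compares domains case-insensitively."""
    return domain.lstrip(".").lower()


def find_cookie_conflicts(headers, aco_cookie_domain):
    """Report cookie names issued with more than one Domain scope, or with a
    scope that does not match the ACO cookie domain (".abc.com" in the thread)."""
    by_name = defaultdict(list)
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        by_name[name].append(attrs.get("domain", HOST_ONLY))
    expected = normalize_domain(aco_cookie_domain)
    report = {}
    for name, domains in by_name.items():
        raw = sorted(set(domains))
        off_aco = [d for d in raw
                   if d == HOST_ONLY or normalize_domain(d) != expected]
        # Distinct raw Domain strings may still collapse to one scope under
        # RFC 6265; older user agents do not always treat them the same.
        same_scope = len({normalize_domain(d) for d in raw if d != HOST_ONLY}) <= 1
        if len(raw) > 1 or off_aco:
            report[name] = {"raw_domains": raw, "off_aco": off_aco,
                            "same_after_rfc6265": same_scope}
    return report
```

Feed it the Set-Cookie headers captured from the SSO redirect response; any cookie name in the report was issued with inconsistent or off-ACO scoping and is worth comparing against the cookiedomain of each agent involved.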



  • 4.  Re: Application is redirecting to SSO URL due to absence of login-token in response from CA Federation Manager

    Posted Aug 25, 2016 07:40 PM

    Hi Prashant,


Are the agents protecting the PDF and the Federation Authentication URL referencing the same ACO? It is worth checking the cookiedomain for both these agents.



  • 5.  Re: Application is redirecting to SSO URL due to absence of login-token in response from CA Federation Manager

    Posted Aug 26, 2016 06:27 AM

    Hi wonsa03,


    Thanks for your reply.

But we are not using a web agent; instead we are using CA Secure Proxy Server for authentication. Also, yesterday we did some debugging from the AEM (Adobe Experience Manager) side (acting as Service Provider) and found that saml_request_path is set by AEM to redirect the user to the original destination URL after the federation journey completes and the SAML assertion is sent to /saml_login. This is where the connectivity is missed: saml_request_path is not keeping the original destination path, hence it redirects to the www.abc.com URL.

Reference link: Demonstration of AEM and SAML Integration, under the Limitation section

We have opened a ticket with AEM to check why the saml_request_path value is changing.


    Regards

    Prashant



  • 6.  Re: Application is redirecting to SSO URL due to absence of login-token in response from CA Federation Manager
    Best Answer

    Broadcom Employee
    Posted Aug 30, 2016 04:40 PM

    Hi Prashant,


I have never heard of CA SSO using a login-token cookie in Federation.

Based on your use case description, this sounds like a federation use case with a SharePoint partner, since you mentioned Windows NTLM Authentication.

If my guess is correct, then the timeout value kicked in from the SharePoint (Microsoft) partner side.

It is common for SharePoint to limit user access to only 15 minutes if a document is sensitive.

Check with your partner side or one of your components to see if they have this token limit set.


SharePoint Authentication and Session Management | Rob Garrett – Blog


    Hope this helps.


    Hongxu