
Tech Tip : CA Single Sign-On : Agent for SharePoint doesn't seem to handle Session Assurance ticket

Discussion created by Patrick-Dussault Employee on Nov 22, 2016

Issue:

 

When I run Agent for SharePoint, the Session Assurance
feature doesn't work:

 

When I replay a session by copying the SMSESSION cookie from
Chrome to Firefox, I am authenticated without having
to log in again to SharePoint applications.
 
Environment:
Policy Server 12.52SP2
Agent for SharePoint 12.52SP1CR04
SPS 12.52SP1CR05


Cause:

 

Device DNA Session Assurance is implemented in
SPS only at the moment.

 

As mentioned in the documentation:

 

The application that drives the DeviceDNA checks is hosted
on by the CA Access Gateway. This proxy server can perform
the standard functions, such as web proxy or SAML federation
functions or it can be a separate stand-alone instance that
is dedicated to servicing the Enhanced Session Assurance
transactions. The CA Access Gateway performance is also
dependent on a number of parameters such as, but not limited
to, authentication and authorization transactions per second,
the ratio of authentications to authorizations within the
environment, the length of user sessions, and the frequency
of revalidations.

 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna

 

The Agent for SharePoint handles a more complex flow involving federation
and POST requests, and, with a standalone SPS, the integration of Session Assurance
with the Agent for SharePoint is out of support.

 

For your reference, here are some limitations of Session Assurance:

 

DeviceDNA doesn't support POST requests :

 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna/how-to-configure-enhanced-session-assurance-with-devicedna#HowtoConfigureEnhancedSessionAssurancewithDeviceDNA%E2%84%A2-LimitationsofEnhancedSessionAssurancewithDeviceDNA%E2%84%A2

 

Agent for SharePoint uses auto POST requests :

 

https://docops.ca.com/ca-single-sign-on-agent-for-sharepoint/12-52-sp1/en/reference/saml-autopost-frequency

 

As such, the Agent for SharePoint needs to be enhanced to properly handle Session Assurance.


Resolution:

 

To get Session Assurance integrated in Agent for SharePoint, please open an
Idea on the Security page :

 

https://communities.ca.com/message/241729406

 

In addition, to help increase session security, you might take a look at the SessionLinker
feature in the Agent for SharePoint:

 

https://docops.ca.com/ca-single-sign-on-agent-for-sharepoint/12-52-sp1/en/configuring/use-the-session-linker

 

KB : TEC1460869
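
While the agent does not enforce Session Assurance, the replay described under Issue (one session presented from a second browser) can still be spotted in web-tier logs. The following is an added example, not part of the original post or of any CA product code; the log format, field order and sample lines are constructed, and it assumes the web tier logs a stable per-session identifier alongside the client IP and User-Agent.

```python
import hashlib
from collections import defaultdict

# Constructed sample lines (not from the original post). Assumed format:
# ISO timestamp | client IP | stable session identifier | User-Agent
SAMPLE_LOG = """\
2016-11-22T09:00:01Z|10.0.0.15|sess-0001-constructed|Mozilla/5.0 (Windows NT 10.0) Chrome/54.0
2016-11-22T09:00:09Z|10.0.0.15|sess-0001-constructed|Mozilla/5.0 (Windows NT 10.0) Chrome/54.0
2016-11-22T09:03:40Z|10.0.0.15|sess-0001-constructed|Mozilla/5.0 (Windows NT 10.0; rv:50.0) Firefox/50.0
2016-11-22T09:04:02Z|10.0.0.22|sess-0002-constructed|Mozilla/5.0 (Windows NT 10.0; rv:50.0) Firefox/50.0
"""


def session_key(session_value):
    """Hash the identifier so the raw session value is never stored or printed."""
    return hashlib.sha256(session_value.encode("utf-8")).hexdigest()[:16]


def find_replayed_sessions(log_text):
    """Map hashed session -> sorted (ip, user_agent) pairs, for sessions
    that were presented by more than one distinct client."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) != 4 or not parts[2]:
            continue  # skip malformed lines and requests without a session
        _timestamp, ip, session, agent = parts
        seen[session_key(session)].add((ip, agent))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for key, clients in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"session {key} presented by {len(clients)} distinct clients:")
        for ip, agent in clients:
            print(f"  {ip}  {agent}")
```

A legitimate browser upgrade mid-session also changes the User-Agent, so hits are leads to review rather than proof of replay.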
