Symantec Access Management

  • 1.  Can CA/SSO provide login status data to applications?

    Posted Feb 21, 2018 05:52 PM

    Can CA/SSO SiteMinder provide login status data of a user population to an application? We have a use case where an application wants to display login status of users on an application dashboard, rather like how an online messenger displays status of users (Online, Away, Offline etc).



  • 2.  Re: Can CA/SSO provide login status data to applications?

    Posted Feb 22, 2018 01:59 PM

    WHAT COULD BE DONE

    The Application can keep looking for key CA SSO Headers. These Headers are only available when a valid SMSession exists. Based on this info, the Application knows that the user is still logged in. This information is available on content that is front-ended by a CA SSO WebAgent. The key is being front-ended by a CA SSO WebAgent / WebServer. It doesn't matter if the actual resource is protected OR unprotected by CA SSO. As long as a valid SMSession exists, CA SSO populates these headers on protected and unprotected content.

     

    WHAT COULD NOT BE DONE

    CA SSO cannot present any status other than logged in OR logged out. If we are comparing to an online messenger, that is not supported within CA SSO. Online Messengers use a Presence Service. There is no support for Presence Service in CA SSO. Furthermore, CA SSO works with Web Applications. One can stay active on a laptop even without accessing a Web Application (e.g. I am doing development work / coding of a thick client OR preparing a Presentation).

    More about Presence Service.

    https://en.wikipedia.org/wiki/Presence_information

    https://en.wikipedia.org/wiki/Presence_service

    https://support.office.com/en-us/article/Understanding-presence-and-member-status-and-instant-messaging-311996a4-e202-4ef7-bdbe-0e14814e7ee0

     

     

    Regards

    Hubert



  • 3.  Re: Can CA/SSO provide login status data to applications?

    Posted Feb 22, 2018 03:33 PM

    Hi Hubert,

     

    Thanks for the response—it helps. So you are saying that the web application can access the headers of every logged-in user, correct? Would there be some limit as to the number of headers that will be available in real time (depending on web agent or web server cache) or some other constraint?

     

    Thanks,

    Jaime

     

    Jaime Britton | Deloitte Consulting

    PA Department of Human Services, Insurance, and Aging

    Mobile #: (717) 215-1565

    www.dhs.state.pa.us



  • 4.  Re: Can CA/SSO provide login status data to applications?
    Best Answer

    Posted Feb 22, 2018 03:47 PM
    https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product

    CA Single Sign-On default HTTP headers instruct applications how to collect user data and apply that information to display personalized content for each user.

    As part of the Web application environment, the CA Single Sign-On Agent submits default HTTP headers to the web server, and the web server makes them available for Web applications. You can use these headers to include functions and enable your Web applications to personalize content. Headers can store information such as a user’s name and the type of action a user is authorized to perform.

    The Agent sends these headers regardless of whether or not they are called from a Web application; however, you can disable some of these headers so that they do not use up header space.

    The following CA Single Sign-On default HTTP headers are available for Web Agents:

     

     

     

    So you are saying that the web application can access the headers of every logged-in user, correct?
    Yes. There are default CA SSO headers which are available on protected and unprotected URIs (URIs which are filtered by a CA SSO WebAgent on a WebServer). See above table.

    Would there be some limit as to the number of headers that will be available in real time (depending on web agent or web server cache) or some other constraint?

    Yes. There is a limit on headers. Typically this limit is imposed at various layers, e.g. WebServer / Proxy Module / App Server. You'll have to tweak the relevant component configuration to expand the limit, if the limit is reached.

    https://stackoverflow.com/questions/686217/maximum-on-http-header-values

     

    From a CA SSO perspective, you can disable the default headers using the following ACO parameters.

    https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product#DefaultHTTPHeadersUsedbytheProduct-DisableDefaultHTTPHeaderVariables

    But in your case, since you want to show status (i.e. Logged in OR Logged out), do not disable all default headers.

    You'd at least need DisableUserNameVars=NO
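
The header-based status check discussed in this thread, as an added example that is not part of the original posts or CA's own code: the agent's headers describe only the user making the current request, so a dashboard has to record when each `SM_USER` was last seen. The trusted front-end address, the 15-minute idle window and the `LoginStatusTracker` name are assumptions made for illustration.

```python
import time

# Assumptions (not from the thread): the WebAgent-fronted web server reaches
# the application from these addresses; sessions idle out after 15 minutes.
TRUSTED_FRONTENDS = {"10.0.0.5"}
IDLE_TIMEOUT_SECONDS = 15 * 60


class LoginStatusTracker:
    """Tracks when each user was last seen carrying an SM_USER header."""

    def __init__(self, trusted=TRUSTED_FRONTENDS,
                 idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.trusted = set(trusted)
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.last_seen = {}  # user name -> timestamp of last request

    def observe(self, environ):
        """Call once per request with the WSGI environ; returns user or None."""
        # Headers are only meaningful when the request came through the
        # WebAgent-fronted server; a client connecting directly could set
        # SM_USER itself, so such requests are ignored.
        if environ.get("REMOTE_ADDR") not in self.trusted:
            return None
        user = environ.get("HTTP_SM_USER", "").strip()
        if not user:  # no valid SMSession, so no user name header
            return None
        self.last_seen[user] = self.clock()
        return user

    def status(self, user):
        """'Logged in' if the user was seen within the idle window."""
        seen = self.last_seen.get(user)
        if seen is None or self.clock() - seen > self.idle_timeout:
            return "Logged out"
        return "Logged in"

    def dashboard(self, users):
        """Status for a list of users, e.g. to render the dashboard view."""
        return {u: self.status(u) for u in users}
```

The status is an approximation: the application only learns about a user when that user's browser makes a request, so a logout is seen as the absence of requests past the idle window.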