Symantec Access Management

  • 1.  Clear SMSession when cookie provider is used

    Posted Sep 18, 2018 12:18 AM

    We have a Custom Login application (Login) with domain name (x.abc.com) implemented as a single Login gateway for all the enterprise applications. The login app is SM protected and has a cookie provider configured. The Login screen posts credentials to the login.fcc page for authentication. I have an enterprise web app (app1) with a different domain name (y.xyz.net) that is SiteMinder protected using the SM agent.

    We are not using the SM Session store; the session is controlled by the login app (Login), as SiteMinder was implemented in our environment only 2 yrs back and the custom SSO existed much before. App1 has ASP.NET forms-based authentication. When a user tries to log in to app1, the user is redirected to the Login app (gateway) and upon successful authentication is redirected to app1. If the user is idle on app1 for 30 minutes, the forms session timeout happens, and if the user tries to click any link on the page, we want to log off and remove SMSession.

    All the solutions I have found on the net don't describe clearly how to implement logout with an example.

    Any help is appreciated as we are on a tight timeline!



  • 2.  Re: Clear SMSession when cookie provider is used

    Posted Sep 18, 2018 02:42 AM

    Hi Sandeep,

    As per my understanding:

    Login App with cookie domain x.abc.com
    App1 with cookie domain y.xyz.net

    I assume that the cookie provider domain is "x.abc.com" and that when you access app1 you are redirected to the cookie provider, which checks for an existing session, and finally you are authenticated and have cookies for both domains in the browser.
    So if you want to remove the session for app1 after the idle timeout, then you need to set the following ACO parameters in the app1 ACO:
    1. Set "Enforcerealmtimeout=yes"
    2. OnAuthAccept response of Idle and Max Timeout set for app1

    Thanks,
    Sharan



  • 3.  Re: Clear SMSession when cookie provider is used

    Posted Sep 18, 2018 09:40 AM

    Thanks Sharan for the response!

    Your assumption is correct. The Login app is the gateway through which all the enterprise apps are authenticated. The session is controlled by this login app instead of SiteMinder, as we have different timeouts based on traffic from within and outside the network. Yes, the cookie provider domain is "x.abc.com".

    Does the above solution work even if SiteMinder is not controlling the session or the Policy store is not used for the session?



  • 4.  Re: Clear SMSession when cookie provider is used

    Posted Sep 18, 2018 10:37 AM

    Hi Sandeep,

    The above solution is only applicable to SiteMinder.

    If you want your ASP.NET application to remove the session, then you need to check from the ASP.NET end.

    I found the link below, which has a few details on how to remove a specific session. Please check it.

    c# - How to remove specific session in asp.net? - Stack Overflow

    Hope this helps.

    Thanks,
    Sharan



  • 5.  Re: Clear SMSession when cookie provider is used

    Posted Sep 18, 2018 01:12 PM

    The ASP.NET Forms Authentication session timeout is happening, but SMSESSION is not getting cleared, even after explicitly setting the SMSESSION cookie to expire, because on each HTTP request the SM agent calls the SM cookie provider and gets the cookie. I validated this with a Fiddler trace. I created an HTML page (signOut.html), added this page's relative path to the ACO LogoffURI parameter, and redirect the user to this page on "Sign out" button click. I then need to redirect the user to the application to log in again, but the SM cookie provider again gets the SMSession.



  • 6.  Re: Clear SMSession when cookie provider is used

    Posted Sep 18, 2018 01:41 PM

    It seems like we have not cleared the SMSESSION cookie in the Cookie Provider domain. It seems like we are only clearing/logging off the cookie in the local domain.

    Signout.html "MUST" include callouts to all cookie domains, including the CookieProvider logoff page. Also, all ACOs should have LogOffUri defined (including the CookieProvider).

    Comprehensive Log Out - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    How to Configure Full Logoff for Single Sign-on

    In a single sign-on environment, the session cookies are removed only from the local cookie domain and the cookie provider domain associated with the Web Agent. For single sign-on across multiple cookie domains, the full log-off feature of CA Single Sign-On does not automatically log a user off across all the cookie domains that the user has visited.

    To configure log-offs across multiple cookie domains, use the following process:

    1. Create one centralized log-off page that contains separate frames (or iframes) for the other cookie domains in your SSO environment. These frames can be a small size, such as 1x1 pixels.
    2. For each frame of the centralized log-off page in Step 1, add a hyperlink to the Logoff Uri of the associated cookie domain. For example, if you have two other cookie domains, example.org and example.net, you would do the following steps:
      • Add a hyperlink to the Logoff Uri of example.org to one frame.
      • Add a hyperlink to the Logoff Uri of example.net to the other frame.
    3. Configure the LogoffUri of the cookie provider domain to point to the centralized log-off page. When the web server loads this log-off page, the frames in the centralized log-off page call the logoff pages from the other cookie domains. The user is logged off from all the cookie domains at once.

    The following illustration shows an example of the use of a centralized log-off page:

    Logoff from multiple cookie domains using page with frames


  • 7.  Re: Clear SMSession when cookie provider is used

    Broadcom Employee
    Posted Sep 18, 2018 08:33 PM

    If you can redirect the user when the logout is desired, you can leverage the Web Agent's LogoffURI ACO parameter and redirect the user to the URI you specify in this parameter. This will invalidate the SMSESSION cookie for the domain in which the logoff page is hosted/requested. To invalidate all domain sessions, have each domain's logoff page load the logoff URI for each additional domain in which the user may have a session. This will invalidate the SMSESSION cookie by setting it to LOGGEDOFF.

    For comprehensive logout, persistent sessions would be required. Persistent sessions require a session store, and this is how sessions can be managed centrally. Without storing sessions centrally, agents in the SSO environment have no way to know the session was logged off if a copy of the cookie is presented back to a web agent after log out but before session expiration. As the session store does add overhead to authentication, validation, and logout, configuring comprehensive logout may not strike the right balance between performance and security for some customers, so it is worthwhile to evaluate the risk in context with your performance requirements.

    -Pete



  • 8.  Re: Clear SMSession when cookie provider is used

    Posted Oct 12, 2018 12:58 AM

    I was finally able to implement the Comprehensive Log Off in our environment.

    In my Custom Login Gateway application (x.abc.com), I created a SignOut resource. From my enterprise web app (app1) with a different domain name (y.xyz.net), I'm calling the SignOut resource of the Login Gateway app. The SignOut resource is SM protected and has an iFrameset where each frame within the frameset has a source referring to the protected resource on the enterprise application (app1). This protected resource on the enterprise application (app1) is defined as the LogOffURI in the ACO of the enterprise app (app1).

    Thanks all for the guidance!!
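A centralized log-off page of the kind the documentation quoted in post 6 describes and post 8 implements, as an added example that is not code from the thread, from CA's documentation or from the poster's application; the LogoffUri path on y.xyz.net and the /login path on x.abc.com are assumptions, and the page waits for every frame before redirecting so the redirect does not race the other domain's log-off.

```html
<!DOCTYPE html>
<!-- Constructed example of the centralized log-off page, hosted in the
     cookie provider domain (x.abc.com) and configured as its LogoffUri.
     Serving this URI makes the Web Agent set SMSESSION=LOGGEDOFF for the
     local and cookie provider domains; each iframe below requests the
     LogoffUri of another cookie domain so its agent does the same there.
     Paths (/signout/logoff.html, /login) are assumptions, not values
     from the thread. -->
<html>
<head>
  <meta charset="utf-8">
  <title>Signing out</title>
  <script>
    // One entry per additional cookie domain; must match that domain's ACO LogoffUri.
    var logoffTargets = [
      "https://y.xyz.net/signout/logoff.html"   // app1 (assumed path)
    ];
    var postLogoffUrl = "https://x.abc.com/login";  // assumed login page
    var pending = logoffTargets.length;
    var redirected = false;
    function finish() {
      if (redirected) { return; }
      redirected = true;
      window.location.replace(postLogoffUrl);
    }
    function frameDone() {
      // Redirect only after every frame has loaded: redirecting first races the
      // other domains' log-off requests and can leave a live SMSESSION there.
      if (--pending <= 0) { finish(); }
    }
    window.addEventListener("DOMContentLoaded", function () {
      var host = document.getElementById("frames");
      logoffTargets.forEach(function (url) {
        var f = document.createElement("iframe");
        f.src = url; f.width = 1; f.height = 1; f.style.border = "0";
        f.onload = frameDone;   // fires for cross-origin frames even on error pages
        host.appendChild(f);
      });
      if (pending === 0) { finish(); }
      setTimeout(finish, 5000);  // safety net if a domain never answers
    });
  </script>
</head>
<body>
  <p>Signing you out of all applications...</p>
  <div id="frames"></div>
  <noscript><a href="https://x.abc.com/login">Continue to sign in</a></noscript>
</body>
</html>
```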