Symantec Access Management

Did you know about these new ACO parameters?

By Madhusudhan Yoganath posted 07-04-2019 04:13 AM


In 12.8.2, we released new capabilities for the Access Gateway in Layer7 SiteMinder (formerly CA Single Sign-On), which can be configured using ACO parameters. Keep reading to see what these ACO parameters and the corresponding capabilities are.


The URITransform feature provides a method for modifying all URIs in designated requests that Access Gateway processes, from an external version seen by outside users to an internal URI more suitable for policy evaluation. For example, query parameters can be converted to positional pathname fields that match resources in the policy definition. The transformation pattern is configurable via the ACO parameter. The most important benefit is the ability to trigger a realm policy, based on the query data.

This ACO will transform the URI into a suitable form based on expression. This transformed URI is treated as a resource in the IsProtected call which would trigger the realm access policy at the Policy Server.  The new multi-valued ACO parameter “URITransform” contains the expression(s) for performing the transformation.

For example, if your incoming URI is /web/app1/?x=1&y=2 and you wish to transform it to /web/app1/2/1, then the pattern that must be provided in URITransform would be “/web/app1/:/web/app1/{{y:0}}/{{x:0}}”.


Some web applications make automatic HTTP requests behind the scenes even when a user is not actively using the application. For example, the Microsoft Outlook Web Access application makes HTTP requests even when the user is not actively using the application. An example as to why this would happen would be checking for new email on the server. These requests update the SMSESSION cookie so that the session never expires, even though the user has been idle. You can prevent the Access Gateway server from creating or updating session cookies during this background request so that sessions expire typically. The parameters which exist to implement this behavior are OverlookSessionForMethods and OverlookSessionForMethodUri. It specifies whether the Access Gateway compares the method and the URI from all HTTP requests against the method and URI listed in this parameter. If a match occurs, the Web Agent does not create or update an SMSESSION cookie

If you also need to avoid updating session durations based on query strings that your web application uses, this is where you would add OverlookSessionForQuery to your agent configuration object to prevent SMSESSION cookie updates.

This is a multi-value property. Administrators can define strings (can be internationalized) which can appear as substrings of the URL’s query. SiteMinder Access Gateway checks the incoming request (URL) with a good (unexpired) session to see if it contains any of the defined strings. The check is a simple substring match – no regular expression is supported. If the check is positive, then the session update is skipped. This ensures that the session’s life doesn’t get prolonged.

As an example, say if you have specified this ACO parameter to have the value “name1=”. And if the incoming request is http://myhost/myurl?name1=value1&name2=value2, Access Gateway finds there is a match since the query has the substring “name1=” and the session update will be skipped.

MaxAuthorizationCacheSize and AuthorizationCacheTimeout 

Prior to 12.8.2, Access Gateway supported the same settings for both authentication and authorization caches. In 12.8.2, we introduced 2 new ACO parameters, which lets you control the size and timeout setting of the authorization cache separately from the authentication cache.

These parameters control the authorization cache, including a time-to-live setting that can supersede the existing realm-based timeout. This benefits by allowing tighter refresh limits on authorization versus authentication or by fully disabling the authorization cache. By default these parameters are disabled, in which case both cache timeout and cache size are identical for authentication and authorization caches.

More details on these ACO parameters can be found in SiteMinder’s online technical documentation.