When a Custom Agent receives an SMSESSION cookie, will the SessionSpec and SessionID change or not by design?
The SessionSpec will change if the Web Agent does not have it in its cache. The SessionID will be kept the same.
Here is the flow of an authentication and authorization process in light of the SessionSpec:
1. The Agent collects the user’s credentials.
2. The Agent sends the Login() request to the Policy Server, passing the received credentials. The Policy Server verifies the credentials and creates a Session Spec that represents the newly created user session. The encrypted Session Spec is sent back to the Agent together with the Session ID and other session-related parameters (idle timeout, expiration timeout, etc.).
3. The Agent embeds the Session ID and the Session Spec in an encrypted SMSESSION cookie that is sent back to the user’s browser. The Agent also saves the Session ID and the Session Spec in its User Session Cache.
4. Any time an authenticated user accesses the Web site, the browser submits the SMSESSION cookie together with the HTTP request.
5. When the Agent receives the SMSESSION cookie, it extracts the Session ID and the Session Spec and checks them against the values stored in the User Session Cache. If the Agent cache does not contain a corresponding entry, the Agent uses the Validate() call to pass the Session ID and the Session Spec to the Policy Server for validation. If the validation succeeds, the Policy Server returns the updated Session Spec to the Agent. The Session ID is not modified in the course of validation.
The SessionSpec gets updated each time the Web Agent needs to validate the Session with the Policy Server and cannot refer to the object in its cache.
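An added, simplified model of the flow above (not SiteMinder's Agent API or the product's own code; the HMAC-tagged spec, the version counter, the cookie encoding and the sample credential are constructed stand-ins for the opaque encrypted values): one Web Agent serves a cached Session Spec with no round trip, a second Agent with an empty cache calls Validate() and receives a new spec under the same Session ID, and a tampered or foreign spec is rejected.

```python
import hashlib, hmac, secrets
SERVER_KEY = b"constructed-policy-server-key"  # constructed; not a real SiteMinder key

def make_spec(session_id, version):
    """Simulated Session Spec: session id + version, integrity-bound by an HMAC tag."""
    payload = f"{session_id}:{version}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}:{tag}"

class PolicyServer:  # stands in for Login() and Validate(); version models spec refresh
    def login(self, username, password):
        if password != "correct-horse":  # constructed sample credential
            return None
        session_id = secrets.token_hex(8)  # Session ID, fixed for the session's lifetime
        return session_id, make_spec(session_id, 1)

    def validate(self, session_id, session_spec):
        try:
            sid, version, _tag = session_spec.split(":")
            expected = make_spec(sid, int(version))
        except ValueError:  # malformed spec
            return None
        # Reject a spec that was tampered with or does not belong to this Session ID
        if sid != session_id or not hmac.compare_digest(expected, session_spec):
            return None
        # Success: Session ID unchanged, Session Spec reissued with a new version
        return session_id, make_spec(session_id, int(version) + 1)

class Agent:  # minimal model of a Web Agent with its User Session Cache
    def __init__(self, server):
        self.server = server
        self.cache = {}  # Session ID -> Session Spec
    def handle_login(self, username, password):
        result = self.server.login(username, password)
        if result is None:
            return None
        session_id, spec = result
        self.cache[session_id] = spec
        return f"{session_id}|{spec}"  # stands in for the encrypted SMSESSION cookie

    def handle_request(self, cookie):
        session_id, spec = cookie.split("|", 1)
        if self.cache.get(session_id) == spec:
            return "cache-hit", session_id, spec  # no Validate() round trip needed
        result = self.server.validate(session_id, spec)
        if result is None:
            return "rejected", session_id, None
        session_id, new_spec = result
        self.cache[session_id] = new_spec  # cache the updated spec for later requests
        return "validated", session_id, new_spec
```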
KB: TEC1633542