Layer7 Access Management

Expand all | Collapse all

EnforceRealmTimeout overwritten

Jump to Best Answer
  • 1.  EnforceRealmTimeout overwritten

    Posted 05-09-2017 04:43 PM

    Hi All,

     

    I am trying to figure out this issue, 

     

    We have 2 applications 

    1) Login : Aco(EnforceRealmTimeout=Yes) Idle Timeout=600 Secs

    2) Federation: Aco(EnforceRealmTimeout=Yes) Idle Timeout=3600 Secs

     

    When I access login application first I see Idle Timeout for both applications as same, same thing happens when accessing the application Vise-versa.

    I tried to Create the reponse too WebAgent-OnAuthAccept-Session-Idle-Timeout=3600 in federation App and attached it to OnAuthAccept response, but Idle Timeout and max timeout are overwritten

    =====================================================

    [Auth][AuthAccept][][policyserver][09/May/2017:16:25:50 -0400][clrrouting][IlSa21lYFZElUKuYCOZEXmWnr7s=][user1][03-1d5a10da-6f5c-4063-bbf3-3e11e3de7479][login-realm][06-2ed3eb37-fc1d-47ed-b8f9-e42520e39658][10.117.36.66][/login/][GET][User Profile][User Profile][ODBC:][idletime=600;maxtime=3600;authlevel=5;][Authenticated][login-Domain][][][][][]

     


    =============================================


    [Auth][ValidateAccept][][policyserver][09/May/2017:16:26:40 -0400][federation-agent][IlSa21lYFZElUKuYCOZEXmWnr7s=][user1][03-1ddffbf0-fba5-49f7-bc50-acfc5e852822][Federation-realm][06-a3e8f6e5-efb0-4900-bad1-34807a0ffb0b][192.168.9.169][/DTAdmin/loginrail/UserSolutionSelector.svc/100003175/104334][GET][User Profile][User Profile][ODBC:][idletime=600;maxtime=3600;authlevel=5;][][Federation Domain][][][][][]

     

    Checking the webagent logs shows Enforcing the realm Timeout federation app shows:

     

     

    [05/09/2017][16:26:39][1596][4204][2ea387fd-53442afc-54567d5f-18c49151-9cbf62a4-98][CSmCredentialManager::GatherCredentials][Found session, no credentials required.]
    [05/09/2017][16:26:39][1596][4204][2ea387fd-53442afc-54567d5f-18c49151-9cbf62a4-98][AuthenticateUser][Validating session 'IlSa21lYFZElUKuYCOZEXmWnr7s=' for user 'user1' in zone 'SM'.]
    [05/09/2017][16:26:40][1596][4204][2ea387fd-53442afc-54567d5f-18c49151-9cbf62a4-98][AuthenticateUser][Enforcing realm timeouts.]
    [05/09/2017][16:26:40][1596][4204][2ea387fd-53442afc-54567d5f-18c49151-9cbf62a4-98][AuthenticateUser][User 'user1' is authenticated by Policy Server.]
    [05/09/2017][16:26:40][1596][4204][2ea387fd-53442afc-54567d5f-18c49151-9cbf62a4-98][ProcessResponses][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

     

    Any suggestions please, why this could be happening and what I am missing here. Goal here is to have separate timeout for both Login and federation apps after SSO.

     

    Thank you in advance.



  • 2.  Re: EnforceRealmTimeout overwritten
    Best Answer

    Posted 05-09-2017 07:31 PM

    Here is what you will need :

     

    1) Login :

    • Set EnforceRealmTimeout=Yes
    • Set Realm Idle Timeout=600 Secs
    • Set Realm Max Time out = 3600 Secs
    • Set WebAgent-OnAuthAccept-Session-Idle-Timeout Response = 600 seconds
    • Set WebAgent-OnAuthAccept-Session-Max-Timeout  Response  = 3600 seconds

     

    2) Federation: 

    • Set EnforceRealmTimeout=Yes
    • Set Realm Idle Timeout=3600 Secs
    • Set Realm Max Time out = 3600 Secs
    • Set WebAgent-OnAuthAccept-Session-Idle-Timeout Response  = 3600seconds
    • Set WebAgent-OnAuthAccept-Session-Max-Timeout Response  = 3600 seconds


  • 3.  Re: EnforceRealmTimeout overwritten

    Posted 05-10-2017 06:02 PM

    Thanks Ujwol, this worked, I was missing to create the OnAuthAttempt in Login. Once I created it worked.

     

    Thank you again.



  • 4.  Re: EnforceRealmTimeout overwritten

    Posted 05-11-2017 01:30 PM

    Ujwol

     

    I have a follow up question here, when application login Timeout happened after 10mins, it killed SMSESSION because of which I got redirected to login page, but Federation Application which is having 60 mins of timeout also got redirected to login page, because SMSESSION was killed, is this an expected behavior?



  • 5.  Re: EnforceRealmTimeout overwritten

    Posted 05-11-2017 04:18 PM

    Yes, if both are using same zone (default SM in your case) there will be only one SMSESSION cookie in the browser, so if it is logged out from one app, it will affect other as well.


    You will need to have different cookie security zones to avoid this from happening.