Layer7 Access Management

Tech Tip : CA Single Sign-On : Agent for SharePoint doesn't seem to handle Session Assurance ticket

    Posted 11-22-2016 10:59 AM

    Issue:

    When I run the Agent for SharePoint, the Session Assurance
    feature doesn't work:

    When I replay a session by copying the SMSESSION cookie from
    Chrome to Firefox, I get authenticated without having
    to log in again in the SharePoint applications.

    Environment:
    Policy Server 12.52SP2
    Agent for SharePoint 12.52SP1CR04
    SPS 12.52SP1CR05


    Cause:

    Device DNA Session Assurance is implemented in
    SPS only at the moment.

    As mentioned in the documentation:

    The application that drives the DeviceDNA checks is hosted
    by the CA Access Gateway. This proxy server can perform
    the standard functions, such as web proxy or SAML federation
    functions, or it can be a separate stand-alone instance that
    is dedicated to servicing the Enhanced Session Assurance
    transactions. The CA Access Gateway performance is also
    dependent on a number of parameters such as, but not limited
    to, authentication and authorization transactions per second,
    the ratio of authentications to authorizations within the
    environment, the length of user sessions, and the frequency
    of revalidations.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna

    The Agent for SharePoint handles a more complex flow involving federation
    and POST requests, so with a standalone SPS the integration of Session Assurance
    with the Agent for SharePoint is out of support.

    For your reference, here are some limitations of Session Assurance:

    DeviceDNA doesn't support POST requests:

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna/how-to-configure-enhanced-session-assurance-with-devicedna#HowtoConfigureEnhancedSessionAssurancewithDeviceDNA%E2%84%A2-LimitationsofEnhancedSessionAssurancewithDeviceDNA%E2%84%A2

    The Agent for SharePoint uses auto-POST requests:

    https://docops.ca.com/ca-single-sign-on-agent-for-sharepoint/12-52-sp1/en/reference/saml-autopost-frequency

    As such, the Agent for SharePoint needs to be enhanced to handle Session Assurance properly.


    Resolution:

    To get Session Assurance integrated into the Agent for SharePoint, please open an
    Idea on the Security page:

    https://communities.ca.com/message/241729406

    Also, to help increase session security, you might take a look at the SessionLinker
    feature in the Agent for SharePoint:

    https://docops.ca.com/ca-single-sign-on-agent-for-sharepoint/12-52-sp1/en/configuring/use-the-session-linker
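The replay described in the Issue above (one SMSESSION cookie presented first from Chrome, then from Firefox) is the kind of mismatch DeviceDNA would catch on SPS; where the agent cannot enforce that check, the same mismatch can at least be detected after the fact in access logs. The following is an added example, not code from the original post or from the CA products: it assumes a constructed log format of client_ip|user_agent|cookie_header and flags any SMSESSION value seen from more than one client IP or browser family.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the page). Assumed format:
# client_ip|user_agent|cookie_header. Real SMSESSION values are long; these are dummies.
SAMPLE_LOG = """\
10.0.0.5|Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/54.0 Safari/537.36|SMSESSION=abc123
10.0.0.5|Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/54.0 Safari/537.36|SMSESSION=abc123
10.0.0.5|Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0|SMSESSION=abc123
10.0.0.7|Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/54.0 Safari/537.36|SMSESSION=def456
"""

# Order matters: Edge UAs contain "Chrome", Chrome UAs contain "Safari".
UA_FAMILIES = ("Firefox", "Edge", "Chrome", "Safari")

def ua_family(user_agent):
    """Coarse browser family derived from the User-Agent string."""
    for family in UA_FAMILIES:
        if family in user_agent:
            return family
    return "other"

def session_fingerprint(cookie_header):
    """Hash the SMSESSION value so the bearer token itself never lands in alert output."""
    m = re.search(r"SMSESSION=([^;\s]+)", cookie_header)
    if not m:
        return None
    return hashlib.sha256(m.group(1).encode()).hexdigest()[:16]

def find_replayed_sessions(log_text):
    """Return {fingerprint: {"ips": set, "agents": set}} for every session cookie
    observed from more than one client IP or more than one browser family."""
    seen = defaultdict(lambda: {"ips": set(), "agents": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, ua, cookies = line.split("|", 2)
        fp = session_fingerprint(cookies)
        if fp is None:
            continue  # no SMSESSION on this request, nothing to correlate
        seen[fp]["ips"].add(ip)
        seen[fp]["agents"].add(ua_family(ua))
    return {fp: v for fp, v in seen.items()
            if len(v["ips"]) > 1 or len(v["agents"]) > 1}

if __name__ == "__main__":
    for fp, v in find_replayed_sessions(SAMPLE_LOG).items():
        print(f"session {fp}: ips={sorted(v['ips'])} agents={sorted(v['agents'])}")
```

On the constructed sample this flags one session, the abc123 cookie seen from both Chrome and Firefox on the same client, which is exactly the cross-browser replay the post reproduces; a cookie that moves between client IPs is flagged the same way.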

     

    KB : TEC1460869