Layer7 Access Management

Tech Tip : CA Single Sign-On : Validation Period Disabled on Persistent Realm Impact

    Posted 05-22-2019 06:44 AM

    Question:


    I'd like to know what the consequence is of disabling the Validation
    Period on a Realm configured for persistent sessions.

     

    Answer:


    According to the documentation, if you disable the Validation Period,
    the Web Agent always tries to validate the session from its cache and
    calls the Policy Server only if the session is not available in its
    cache.

    On one hand, this should result in fewer calls to the Policy Server
    and the Session Store. On the other hand, the Web Agent may continue
    to validate the session from its cache even if the session no longer
    exists in the Session Store.

     

    Additional Information:


    Realm Dialog Reference

     

    Be aware of the following:

     

    For persistent sessions, the Idle Timeout must be enabled and set
    to a value higher than that specified for the Validation Period.

    Validation Period

     

    If enabled, determines the period that the Agent caches the result
    of a session validation call to the Policy Server. Session
    validation calls perform two functions: informing the Policy
    Server that a user is still active and checking that the user
    session is still valid. Session validation calls inform the Policy
    Server that a user is active and confirm that the user session is
    valid. If disabled, the agent always tries to validate the session
    from its cache and only calls the Policy Server if the session is
    not available in its cache.

     

    To specify the validation period, enter values in the Hours,
    Minutes, and Seconds fields. If you are configuring the system to
    provide a Windows user security context, set this value high, for
    example, 15-30 minutes.

     

    Note: The Validation Period value must be greater than zero.

    Important! The session validation period must be less than the
    specified Idle Timeout value.

     

    https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/realm-dialog-reference

     

    KB : KB000132523
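
The trade-off described in the answer, as an added example that is not part of the original post and is not CA Single Sign-On code: a simplified Python model of an agent-side cache, comparing an enabled Validation Period with a disabled one after a session is removed from the Session Store, plus a check of the realm constraints quoted above. The class and function names, the 300-second period and the probe times are assumptions made for illustration, and agent cache eviction is not modelled.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SessionStore:
    """Stand-in for the Policy Server plus Session Store (hypothetical model)."""
    active: set = field(default_factory=set)
    calls: int = 0
    def validate(self, sid: str) -> bool:
        self.calls += 1
        return sid in self.active

@dataclass
class Agent:
    """Toy agent cache; validation_period=None models 'Validation Period disabled'."""
    store: SessionStore
    validation_period: Optional[int]           # seconds, or None when disabled
    cache: dict = field(default_factory=dict)  # sid -> time of last validation
    def is_valid(self, sid: str, now: int) -> bool:
        last = self.cache.get(sid)
        if last is not None and (self.validation_period is None
                                 or now - last < self.validation_period):
            return True                        # answered from cache, no server call
        if self.store.validate(sid):
            self.cache[sid] = now
            return True
        self.cache.pop(sid, None)
        return False

def check_realm(validation_period: Optional[int], idle_timeout: Optional[int]) -> list:
    """Constraints quoted from the Realm Dialog Reference for persistent sessions."""
    problems = []
    if idle_timeout is None:
        problems.append("persistent session: Idle Timeout must be enabled")
    if validation_period is not None:
        if validation_period <= 0:
            problems.append("Validation Period must be greater than zero")
        if idle_timeout is not None and validation_period >= idle_timeout:
            problems.append("Validation Period must be less than Idle Timeout")
    return problems

def accepted_after_revocation(validation_period: Optional[int]) -> list:
    """Validate at t=0, drop the session from the store, then probe (constructed times)."""
    store = SessionStore(active={"s1"})
    agent = Agent(store, validation_period)
    agent.is_valid("s1", 0)
    store.active.discard("s1")                 # session no longer in the Session Store
    return [t for t in (120, 400, 3600) if agent.is_valid("s1", t)]
```

In this model an enabled 300-second period bounds the stale acceptance to the remainder of the period, while the disabled setting keeps accepting the removed session for as long as the entry stays in the agent cache.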