Symantec Access Management

Tech Tip – How to automatically redirect the user to the login page after idle timeout

May 30, 2018 12:33 AM

USE CASE:

The user logs into the application.
The user leaves the application idle for X minutes (where X = idle timeout configured for the realm).
The user can still see the application after the idle timeout, as long as the page is not refreshed.
The requirement is that, once the idle timeout is reached, the application automatically redirects the user to the login page and logs the user out of the current session.

SOLUTION (HIGH LEVEL):
  • Implement an active response that sets an HTTP response header "HTTP_IDLE_TIMETOEXPIRE" with the actual idle timeout for the current session. (Note: CA SSO has an out-of-the-box header "HTTP_SM_TIMETOEXPIRE" for the max timeout, but none for the idle timeout.)
  • Create the following meta tag to refresh the page after the idle timeout plus an additional 5 seconds:

<META http-equiv="refresh" content="(value read from the idle timeout HTTP header + 5 seconds)">

Once the refresh request reaches the web agent, the agent detects that the session has already idled out, so it logs off the current session and redirects to the login page.

INSTRUCTIONS :

  1. Create an Active Response to invoke the attached Active Response class

IdleTimeout_Response 

2. Associate the above ActiveResponse with the “OnAccessAccept” rule.

 OnAccessAccept_Policy

3. Compile and deploy the attached GetIdleTimeOutActiveResponse class to the directory <PS_Install_directory>siteminder\config\properties. The logic that retrieves the idle timeout of the current session is shown below:

public String invoke(ActiveExpressionContext context, String param)
        throws Exception
{
    String idleTimeout;

    // Session details for the request being authorized.
    SessionInfoContext sInfoCtx = new SessionInfoContext(context);
    APIContext apiContext = context.getAPIContext();

    // Idle timeout of the current session; this code treats -1 as a failure.
    long toRet = sInfoCtx.getIdleTimeout();
    if (toRet != -1)
    {
        // Logger.logInfo("Session IdleTimeout " + toRet);
        // logInPSTrace is a helper that is not shown in this excerpt.
        logInPSTrace(apiContext, "Session IdleTimeout : " + String.valueOf(toRet));
        idleTimeout = String.valueOf(toRet);
    }
    else
    {
        logInPSTrace(apiContext, "FAILED to get Session IdleTimeout");
        // The page that reads the header must handle this non-numeric value.
        idleTimeout = "ERROR";
    }
    return idleTimeout;
}


 

4. Restart Policy server.

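5. For the test, we are using a classic ASP script on the client side, as below:

<tr>
<td colspan=2>Your session will idle out in: <b><%= GetAttribute("HTTP_IDLE_TIMETOEXPIRE") %></b> seconds</td>
</tr>
<%
' GetAttribute is a helper that is not shown in this excerpt.
' Emit the refresh tag only when the header holds a number: the active
' response returns "ERROR" when it cannot read the idle timeout, and
' adding 5 to that string would raise a type mismatch error.
Dim idleTimeout
idleTimeout = GetAttribute("HTTP_IDLE_TIMETOEXPIRE")
If IsNumeric(idleTimeout) Then
    Response.Write "<META http-equiv=""refresh"" content=""" & (CLng(idleTimeout) + 5) & """>"
End If
%>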
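The same header handling as in step 5, as an added JavaScript example that is not part of the original tip or its attachments: the refresh tag is emitted only when the header value is a plain number of seconds, so the "ERROR" value returned by the active response, or any other unexpected content, produces no tag. The function names and the 24-hour ceiling are assumptions made for this example.

```javascript
// Added example: not from the original tech tip or its attachments.
// Function and constant names are hypothetical.
const GRACE_SECONDS = 5;         // the tip's "+ 5 seconds" margin
const MAX_IDLE_SECONDS = 86400;  // assumed sanity ceiling (24 h), not from the tip

// Parse the value the active response placed in HTTP_IDLE_TIMETOEXPIRE.
// Returns the idle timeout in seconds, or null when the value is unusable:
// missing header, the "ERROR" sentinel, non-digit content, zero, out of range.
function parseIdleTimeout(raw) {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  // Digits only, so nothing such as "60; url=..." can reach the tag.
  if (!/^[0-9]{1,6}$/.test(value)) return null;
  const seconds = Number(value);
  if (seconds < 1 || seconds > MAX_IDLE_SECONDS) return null;
  return seconds;
}

// Build the refresh tag, or return "" so the page still renders
// (without auto-refresh) when the header is unusable.
function buildIdleRefreshTag(raw) {
  const seconds = parseIdleTimeout(raw);
  if (seconds === null) return "";
  return `<meta http-equiv="refresh" content="${seconds + GRACE_SECONDS}">`;
}

// Constructed sample header values, not captured from a real deployment.
const samples = ["60", "ERROR", "60; url=https://example.invalid/", undefined];
for (const sample of samples) {
  console.log(JSON.stringify(sample), "->", JSON.stringify(buildIdleRefreshTag(sample)));
}
```

How the application reads the header value from the request depends on the web server and framework, so the functions take the raw value as a string.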

     

ATTACHMENT:
  1. Active Response java class : 
  2. sample client script : 

TESTING :

For the test, I have set the realm idle timeout = 60 seconds and max timeout = 300 seconds:

  1. Headers
  2. Fiddler : 
Attachment(s)
zip file
GetIdleTimeOutActiveResponse.zip   1 KB   1 version
Uploaded - May 29, 2019
zip file
index.zip   853 B   1 version
Uploaded - May 29, 2019
