Layer 7 Access Management

Tech Tip – How to automatically redirect the user to the login page after idle timeout

05-30-2018 12:33 AM

USE CASE :

The user logs into the application.
The user leaves the application idle for X minutes (where X = the idle timeout configured for the realm).
The user can still see the application even after the idle timeout, as long as the page is not refreshed.
The requirement is that, once the idle timeout is reached, the application should automatically redirect the user to the login page and log the user out of the current session.

SOLUTION (HIGH LEVEL) :
  • Implement an Active Response that sets an HTTP response header "HTTP_IDLE_TIMETOEXPIRE" with the actual idle timeout for the current session. (Note: CA SSO has an OOTB header "HTTP_SM_TIMETOEXPIRE" for the max timeout, but none for the idle timeout.)
  • Create the following meta tag to refresh the page after the idle timeout plus an additional 5 seconds:

<META http-equiv=refresh content="Read value from Idle timeout HTTP header + 5 seconds">

Once the refresh request reaches the web agent, the agent detects that the session has already idled out, so it logs off the current session and redirects to the login page.

INSTRUCTIONS :

  1. Create an Active Response to invoke the attached Active Response class

IdleTimeout_Response 

2. Associate the above ActiveResponse with the “OnAccessAccept” rule.

 OnAccessAccept_Policy

3. Compile and deploy the attached GetIdleTimeOutActiveResponse class to the directory <PS_Install_directory>siteminder\config\properties. The logic to retrieve the idle timeout of the current session is as below:

public String invoke(ActiveExpressionContext context, String param)
        throws Exception
{
    String idleTimeout;

    // Session details and the Policy Server API context for this request.
    SessionInfoContext sInfoCtx = new SessionInfoContext(context);
    APIContext apiContext = context.getAPIContext();

    // Idle timeout of the current session; -1 is treated as a failed lookup.
    long toRet = sInfoCtx.getIdleTimeout();
    if (toRet != -1)
    {
        //Logger.logInfo("Session IdleTimeout " + toRet );
        logInPSTrace(apiContext, "Session IdleTimeout : " + String.valueOf(toRet));
        idleTimeout = String.valueOf(toRet);
    }
    else
    {
        logInPSTrace(apiContext, "FAILED to get Session IdleTimeout");
        // On failure the response value is the literal string "ERROR".
        idleTimeout = "ERROR";
    }
    return idleTimeout;
}


 

4. Restart the Policy Server.

5. For the test, we are using a classic ASP script on the client side, as below:

<tr>
<td colspan=2>Your session will idleout in :<b> <%= GetAttribute("HTTP_IDLE_TIMETOEXPIRE")%> </b> seconds</td>
</tr>
<%
response.write "<META http-equiv=refresh content=" & GetAttribute("HTTP_IDLE_TIMETOEXPIRE")+5 & ">"
%>      
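A more defensive variant of the step 5 script, as an added example that is not part of the attached sample: it writes the refresh tag only when the header is a plain positive integer, so the "ERROR" value the Active Response returns on failure, or a missing header, does not cause a script error or a malformed tag. Reading the header through Request.ServerVariables, the function name IdleRefreshDelay and the MAX_IDLE_SECONDS bound are assumptions made for this example.

```vbscript
<%
' Added example, not the attached sample script.
' Assumption: the web agent exposes the response as the server variable
' HTTP_IDLE_TIMETOEXPIRE, as in the tip above.

Const GRACE_SECONDS = 5          ' same +5 second margin the tip uses
Const MAX_IDLE_SECONDS = 86400   ' constructed upper bound (24 h); match your realm settings

' Returns the refresh delay in seconds, or -1 when the header value is
' missing, is the "ERROR" marker, or is anything other than plain digits.
Function IdleRefreshDelay(rawValue)
    Dim re, text, seconds
    IdleRefreshDelay = -1
    text = Trim(CStr(rawValue & ""))

    Set re = New RegExp
    re.Pattern = "^[0-9]{1,6}$"  ' digits only; IsNumeric would also accept "1e3" or "&H10"
    If Not re.Test(text) Then Exit Function

    seconds = CLng(text)
    If seconds < 1 Or seconds > MAX_IDLE_SECONDS Then Exit Function
    IdleRefreshDelay = seconds + GRACE_SECONDS
End Function

Dim delay
delay = IdleRefreshDelay(Request.ServerVariables("HTTP_IDLE_TIMETOEXPIRE"))
If delay > 0 Then
    ' delay is a validated integer, so it is safe to place in the attribute.
    Response.Write "<meta http-equiv=""refresh"" content=""" & delay & """>"
Else
    ' Header absent or unusable: emit no refresh tag rather than a broken one.
    Response.Write "<!-- idle timeout header unavailable; auto-redirect disabled -->"
End If
%>
```

With the test settings used below (idle timeout of 60 seconds), this writes a refresh of 65 seconds.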

     

ATTACHMENTS :
  1. Active Response Java class : 
  2. Sample client script : 

TESTING :

For the test, I have set the realm idle timeout = 60 seconds and max timeout = 300 seconds:

  1. Headers
  2. Fiddler : 

Attachment(s)
zip file
GetIdleTimeOutActiveResponse.zip   1K   1 version
Uploaded - 05-29-2019
zip file
index.zip   853B   1 version
Uploaded - 05-29-2019

Comments

04-03-2019 10:35 PM

One question about this solution: if we send a request to the URL, SiteMinder takes this as a new request, and it would reset the idle timeout.

How can we resolve this issue?

03-21-2019 09:43 PM

Hi Ujwol, thanks for the document and detailed explanation. Will it be possible for you to share the steps to compile this code? The response is not getting triggered when I am using the steps to compile:

How to run the java custom authentication scheme p - CA Knowledge 

Maybe something else is going on. I have sourced the jar in the JVMOptions.txt file too; still it's failing.
