Symantec Access Management

Tech Tip : CA Single Sign-On :: Policy Server:How to Configure Enhanced Session Assurance

By Ujwol posted 08-03-2016 09:36 PM



This document will provide step by step guide to configure Enhanced Session Assurance with DeviceDNA™ functionality.


  • CA Access Gateway (formerly CA Secure Proxy Server ) : R12.52SP1 and above
  • Policy Server : R12.52SP1 and above


Policy Server

  • Ensure "CA RiskMinder" ( Advanced Authentication ) service is up and running on the Policy Server.


Check Service Console.

Check <PolicyServer_Install_Directory>\CA\aas\logs\cariskminderstartup.log

The log should say:

"CA RiskMinder Service READY"

  • Ensure that you have installed and configured Session Store.


CA Access Gateway Server (formerly CA Secure Proxy Server)

  • Ensure that you have configured CA Access Gateway server to use SSL (Only front end Apache is sufficient)
  • Ensure that you can telnet from CA Access Gateway server to Policy server on port 7680
  • Ensure that JCE ( Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files ) patch is applied on the JRE used by CA Access Gateway server.
  • Ensure "CA Advanced Authentication Flow Application" ( Advanced Authentication ) service is up and running on the CA Single Sign-On CA Access Gateway Server.

This could be verified by accessing following URL :


You should get a page similar to below. (Ignore the error, as it is just indicating that the required parameter is not being passed)



  • Create Enhanced Session Assurance end points

    From Administrative UI, click Policies-->Global-->Session Assurance Endpoints.

  • Add Session Assurance End Point to your realm

     Note : For Session Assurance to work it is NOT necessary to enable Persistent Session on the realm.

  • Ensure that the ACO used by your CA Access Gateway server has ".sac" extension included in the IgnoreExt ACO parameter

  • Ensure that ACO used by your CA Access Gateway has the SACExt parameter set to ".sac" as below :


Sample working fiddler trace is attached - SessionAssurance_Working.saz


Additional Information:


  • As the FLOW App on the CA Access Gateway is a local app deployed as web app on the Tomcat server, you do not need to configure any proxy rules in the Proxyrules.xml pertaining to the session assurance.
  • How to configure SSL on CA Access Gateway

Configuring SSL for CA SiteMinder® SPS

  • CA Single Sign-On Bookshelf intro on Session Assurance Configuration…

1 comment