Symantec Access Management

We have been unsuccessful in having out IDLE timeout page display long enough for the end user to even see that it was rendered. The page is rendered and immediatley another clarity session is created with the user directed to the Home Page.
We have tried several configurations without success.
Our system configuration:
-browser is setup to prompt "Allow Blocked Content" for running scripts and activeX.
-siteminder team has affirmed that policy servers are configured correctly.
-clarity system Option: Minutes of Inactivity Until Logout has been set to both 1 minute before AND the same value as the siteminder IDLE timeout .
Test configuration:
-restarted apache each time the ideltimeoutURL was changed
-viewed the webagentTracelog.txt and webagentlog.txt to assure changes took place and SmSessionids were created.
-Had an active Fiddler session open to observe and capture traffic header and cookie data.
Options that we used for the idletimeoutURL
-http://clarity-sso.odc.vzwcorp.com/niku/timeout/maxIdle.html
-http://www.google.com
-https://href.li/?http://clarity-sso.odc.vzwcorp.com/niku/timeout/maxIdle.html
-https://href.li/?http://www.google.com
Note: https://href.li/? was used to flush the Referrer in the page header.
In all cases, Fiddler recorded that the idletimeoutURL was rendered after the timeout AND was not visible most of the time to the enduser AND clarity was rendered under a new SmSession and sessionid.

Does anyone know what we are missing in our configuration to have the idletimeoutURL sit idle until the user clicks on the hyperlink to restart clarity in a new session?
Thanks

Message was edited by: Nick Darlington Marking for the CA Single Sign-On category and communities.  Thanks.

1 minute timeout is bit small for a application like CA PPM, as you might have some job running at the background which also uses a session and can go more than a minute. So even though there is no user activity the possibility of job remains. To check the timeout probably you can tun off the job scheduler/Process Engine (BG) across the cluster and make sure no jobs/processes are running.

Then you can set CA PPM time out to 1 minute and probably 1.5 minutes at SSO level and see if CA PPM is redirected to home page set after 1.5 minutes.

Thanks

Suman Pramanik

Hi Suman,

thanks for replying.

The 1 minute I refer to is 1 minute BEFORE the SSO idle timeout, which is actually 30 minutes.

Also, I believe the bg services do not rely on a SSO connection. The SSO timeout for each client clarity connection is monitored with a client cookie, SmSession. When the cookie expires, viewing via fiddler, siteminder takes the client to the idletimeoutURL.

But our issue is that a new session and a new SmSession cookie is created and user i !s sent back to clarity, immediately.

This prevents the intended use of the URL to warn the client the session is ended and give a URL to start a new one.

Thanks again,

Mike Rog

I suspect the question is more of a Siteminder one and how it is handling the content of the request in the redirect to the 'idletimeoutURL' that is setup.  Have you already posted this question in another community or would it help to have this one relocated where the SM crowd can see it?

Nick,

I would be happy to have the other communities see it.

Can you distribute as you deem helpful? Or is that something I should do?

Thanks, Mike

I was going to request it from our community managers, and I believe that posting it to this one would be most relevant (CA Single Sign-On subcommunity of CA Security):

CA Security

It appears I can probably move it there myself though, if you wish I will go ahead and do it?  I believe it would no longer appear within the CA PPM community space if I do though.

Thanks Nick,

As long as I can follow it and it is going for the best results.

Please forward to the CA SSO subcommunity.

Mike

This thread is now in the CA Security Community (where CA Single Sign-On discussions reside).

Thanks Kristen,

I'll keep an eye out for the answer.

Mike

Hello,

following URL is PPM r13 integration with siteminder and does have a point on idle time outs and states SSO realm and PPM time outs should be set to the same value:

ttp://support.ca.com/phpdocs/0/common/greenbooks/CA_Clarity_PPM_v13_Integrating_with_CA_SiteMinder_ENU.pdf

if this is not enought to achieve your business requirements, I would advise you should engage your local CA professional services team to see how best you can configure PPM and SSO to match your needs.

Regards