Symantec Access Management

  • Private Community
 View Only

  • 1.  Smart Timeout

    Posted Feb 08, 2016 12:11 PM

    We have few apps on the same virtual host, for ex: http:/host/appA http:/host/appB http:/host/appC  etc... Policies have been created by the context root and everything works as expetced. However, we have trouble when it comes to certain ACO settings such as IdleTimeoutURL MaxTimeOutURL because they are set for all apps at agent level. Right now, my MaxTimeOutURL is a common page and all users goto the same page, irrespective of the app they are logged in. However, ideally, we would like them to be redirected to same app login page which caused the max time out.  I have tried to capturer the referrer using java script., but 30% of the time the referrer is blank sending the user to never ending loop. So the referrer generated by brower is not reliable and consistent. I have created cookie for each policy domain with the name of the app, so my maxtimeoutURL can use the cookie and apply some logic, but unfortunately we use 'HTTPOnly' cookies, making this cookie unavailable for java script. I cant use headers as there are multiple redirects involved. Is there another way I can send app identifying info.(for ex: SM_DOMAIN NAme, or some static cookie)to a HTML page? can variables help? Is it possible to restrict HTTPOnly to SMSESSION ? Appreciate any suggestions.



  • 2.  Re: Smart Timeout
    Best Answer

    Broadcom Employee
    Posted Feb 09, 2016 01:53 PM

    Not out of the box

     

    Agent name mapping can allow
    different agents within the same ACO based on hostname or port difference,
    however if the host / port are always the same you can’t have different values
    for each app

     

    Possibility include ASP/JSP page
    for the respective APC parameters, then parse a header or referral header
    to determine the app of origin then forward as coded

    IdleTimeoutURL
    MaxTimeOutURL



  • 3.  Re: Smart Timeout

    Posted Feb 09, 2016 04:01 PM

    Thanks, Stepphen. Since my hostname and port are the same, I dont cant use ACO, Thanks for confirming that.

     

    JSP and APC parameters sound more promising. Can you please shed more light on how to do this?  Who is creating the header/referral header?  Is it the applcation itself or SiteMinder through responses?

     

    Reminder ,My challenge here is to make the SiteMinder static  cookie 'app=name of the app' which is httpOnly , to be readable/available for the maxlogoutURL.