We have a web application (1st application) available on the internet, which is hosted on-premise. We have a 2nd web application which is hosted on cloud and not on-premise. There is a possibility of navigating to that 2nd web application from that 1st application via SSO (Federated SSO). Now, we have an idle-timeout set for the 1st application as 30 min. But if the user is active in the 2nd application, the idle-timeout in the 1st application should not time-out and the user's session should be active there as long as the user's session is active on the 2nd application. Please suggest how to achieve this.
Note: The only mode of communication between the 2 apps is SAML which takes place during SSO.
Maybe the following will be of help
According to this document, the timeout is configured in the IdP realm for the authentication URL. The SP sets session timeouts based on the realm timeout that corresponds to the configured SAML authentication scheme that protects the target resource.
User session timeouts are governed by the realm that the user first logs into. If a user enters a new realm through single sign-on, the time-out values for the new realm are still governed by the session that was established by the initial login at the first realm. If you have different time-out values for different realms, and you want to have each realm use its own time-out values, you can override the time-outs of the original realm.
To override the time-outs of the original realm, configure your Web Agent and realms as described in the following process:
Set the value of the EnforceRealmTimeouts parameter to yes.
Use the Policy Server User Interface to do the following tasks:
For each realm where you want to supersede the original time-outs (any realm that SSO functionality allows the user to access), do the following:
To override the Maximum Timeout value,
Create Authentication event RULE with action OnAuthAccept
Create response of type WebAgent-OnAuthAccept-Session-Max-Timeout, and set to the desired value in seconds.
In the Policy, add the Authentication event RULE, then set the new responses to that rule.
To override the Idle Timeout value, follow the same steps changing only the responses type to WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute.
IMPORTANT: For proper SESSION management and to avoid unexpected timeouts when session override is used, it is required to configure EnforceRealmTimeouts=yes and the RULES and RESPONSES in all agents and realms.
So it is required to have EnforceRealmTimeouts set to YES and the RULE/RESPONSES configured in the parent realm as well as the child realm. The result will be that if the client accesses the parent realm after visiting the child realm, the override will follow the client to the parent realm.
MyTechReference » CA Siteminder Session timeout
Hope this is helpful
But in this case, the 2nd Application is a third-party application (Content/Document management application) which is integrated with the 1st Application which is a SiteMinder one.
SiteMinder (as an IDP) here has no control on the third-party application (which is an SP) except that it will issue it a SAML Assertion. After issuing the assertion it can't control how the SP manages that session.
SiteMinder Application : https://www.example.com/siteminder with an idle time-out of 30 min.
Third-party Application : https://www.thirdparty.com/thirdparty where the siteminder has no control.
User navigates from SiteMinder application (/siteminder) to the Third-party application (/thirdparty) via federated SSO and the third-party opens up in a new browser window. User remains active there in the third-party application but is inactive in the SiteMinder application.
Now after 30 min, the SiteMinder application will idle time-out, but that shouldn't happen as per our requirement.
It shouldn't idle time-out and the session should remain active till the user is active in the third-party application.
How to achieve this communication/flow? Can SiteMinder be leveraged? Are any SiteMinder APIs available if custom code comes into the picture?
I see. Since SP is not in our control, there is no setting we can set on that side (since assertion will not help us set any timeout)
I don't know a way to programmatically achieve this.
The only possibility I can think of might be changing the IdP realm timeouts to large values or no idle timeout. I understand, however, that you have already tried this or it is not valid for you because of security concerns?
Anyway I'll leave it to someone else's idea if there may be something I've not considered
Thanks Miquel, that's correct, changing realm time-outs to large values is not an option here due to the security concerns and business requirements.
Refer this KB - Why can't I change Idle timeout and Maximum timeout under partnership settings for a federation 3rd party product on the SP side
Any other insights, please?
Are there any SiteMinder APIs which can be used to achieve it via custom code?
For example, if the idle-timeout is 30 min, the third-party application makes a web-service call to SiteMinder on the 25th min with a 'session attribute' as 'alive'. Based on this attribute/information, SiteMinder extends the user session by another 30 min.
Since SiteMinder is acting as IdP, you have the below 2 options.
1. Disable idle time-out on the IdP realm configuration.
2. Have a dummy jsp/html under the redirectjsp folder that does nothing, and have the SP app hit this URL periodically from the same browser window (using Ajax or something like that). For example:
<meta http-equiv="refresh" content="30; url=http://www.idp.com/affwebservices/redirectjsp/dummy.html">
In the 2nd option,
Will that Ajax call to the dummy URL also affect the browser's session? I mean, will it be able to maintain the session in the browser so that it doesn't result in an idle-timeout?
Yes, using an Ajax call to the dummy URL will keep the session active, but you need to make sure that the request is going to the Agent. If it is not going to the agent and is served from the browser cache, then it would not update the session.
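The keep-alive approach from the last two replies (periodic Ajax hit on a dummy resource behind the IdP Web Agent, with the cache caveat), written out as an added example. This is not code from the thread or from CA; the dummy URL, the 30-minute idle timeout and the "ping at the 25th minute" margin are taken from the thread, the function names, the activity-event list and the `_`/`n` query parameters are assumptions for illustration. It also adds the check a practitioner would want: only ping while the user is actually active in the SP page, otherwise the keep-alive quietly turns the 30-minute idle timeout into an unlimited session, which is exactly the security concern that ruled out raising the realm timeouts.

```javascript
// Added example, not from the thread. Keep-alive from the third-party (SP) page
// to a dummy resource protected by the SiteMinder Web Agent on the IdP side.
// Assumed values: dummy URL and timeouts as discussed in the thread.
const KEEPALIVE_URL = "https://www.idp.com/affwebservices/redirectjsp/dummy.html";
const IDLE_TIMEOUT_MS = 30 * 60 * 1000; // IdP realm idle timeout (30 min, from the thread)
const SAFETY_MARGIN_MS = 5 * 60 * 1000; // ping at the 25th minute, before the timeout fires

// Ping interval must be strictly shorter than the idle timeout or the ping is useless.
function pingIntervalMs(idleTimeoutMs, marginMs) {
  const interval = idleTimeoutMs - marginMs;
  if (interval <= 0) throw new RangeError("safety margin must be smaller than the idle timeout");
  return interval;
}

// Cache-busting: a unique query string per ping forces the browser to send the
// request to the Web Agent instead of serving dummy.html from its cache
// (the failure mode the last reply warns about). Parameter names are assumed.
function buildKeepaliveUrl(base, nowMs, nonce) {
  const u = new URL(base);
  u.searchParams.set("_", String(nowMs));
  u.searchParams.set("n", nonce);
  return u.toString();
}

// Ping only if the user did something in the SP page since the previous ping.
// Without this gate the script would keep the IdP session alive forever.
function shouldPing(lastActivityMs, lastPingMs) {
  return lastActivityMs > lastPingMs;
}

// Wires activity tracking and the periodic ping into a page. `sendPing` is
// injected so the scheduling logic can run without a browser.
function startKeepalive(doc, win, sendPing) {
  const interval = pingIntervalMs(IDLE_TIMEOUT_MS, SAFETY_MARGIN_MS);
  let lastActivity = Date.now();
  let lastPing = Date.now(); // the SSO hand-off itself just touched the IdP session
  for (const ev of ["click", "keydown", "mousemove", "scroll"]) {
    doc.addEventListener(ev, () => { lastActivity = Date.now(); }, { passive: true });
  }
  return win.setInterval(() => {
    if (!shouldPing(lastActivity, lastPing)) return; // idle here too: let the IdP time out
    lastPing = Date.now();
    const nonce = Math.random().toString(36).slice(2); // cache-buster only, not a secret
    sendPing(buildKeepaliveUrl(KEEPALIVE_URL, lastPing, nonce));
  }, interval);
}

// Sends the ping with the user's cookies attached. mode "no-cors" lets the request
// reach the agent without any CORS header on dummy.html (the response is opaque,
// which is fine: only the request hitting the agent matters). cache "no-store" is a
// second guard against a cached response.
function sendPingWithFetch(url) {
  return fetch(url, { mode: "no-cors", credentials: "include", cache: "no-store" });
}

// Auto-start only inside a real browser page.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  startKeepalive(document, window, sendPingWithFetch);
}
```

Two things to verify before relying on this: in the browser's network panel, confirm that the SiteMinder session cookie is actually attached to the cross-site request (its SameSite attribute decides that) and that the Web Agent logs the hit, since a request answered from cache or sent without the cookie does not refresh the session, as the last reply notes.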