Symantec Access Management

 View Only
Expand all | Collapse all

Session refresh using CA sdk

Jump to Best Answer
  • 1.  Session refresh using CA sdk

    Posted Sep 04, 2017 10:03 AM

    I have installed CA sdk inside policy server....Now can somebody give me a suggestion how session refresher from SP would help to refresh session in IDP (Siteminder) using the SDK methods?

    Here idle time out of IDP is 30 mins whereas SP is 1 when user navigates to SP and if stays there past 30 mins...then I want SP to initiate a session refresher to IDP which says to extend the session after 25 mins.




  • 2.  Re: Session refresh using CA sdk

    Posted Sep 04, 2017 04:52 PM

    What is SP? Is it CA SSO or something else?

    What exactly is CA SDK? Or is it SDK from third party SP? Because you don't need to instally any CA sdk in the policy server.

    How do you plan to detect the idle time (30 min) expiry on SP?

  • 3.  Re: Session refresh using CA sdk

    Posted Sep 05, 2017 05:34 AM

    Hey Ujwol...

    Thanks for the response...Below is answer to your query..


    SP is third-party cloud based Service provider.

    I have downloaded SDK from CA..It is provided by CA and I have installed it in the policyserver.


    SP here is a third-party external system and they will sent a session refresher ping after the decided idle time-out.


    In this above scenario, is there anyway where we can overwrite the pre-defined idle time-out at Siteminder (IDP) end?




  • 4.  Re: Session refresh using CA sdk

    Posted Sep 05, 2017 06:35 AM

    Can you post the name of the sdk binary that you installed in Policy server? Its still unclear.

    Is SP going to make an API call to IDP or send a browser redirect to IDP? If it's browser redirect then it should automatically refresh the idle time out at IDP

  • 5.  Re: Session refresh using CA sdk

    Posted Sep 06, 2017 04:52 AM

    Hello Ujwol,


    The third-party SP wants to make an API call to Siteminder (IDP)...

    May I know what is there any Siteminder API available which will update the session? If yes, what is the method name? What are the parameters to be passed to invoke the session refresh?




  • 6.  Re: Session refresh using CA sdk

    Posted Sep 06, 2017 01:44 PM

    Not speaking on the technical side question...but why would you allow a single Service Provider to extend a broader SSO session at IDP? If you allow their idle timeouts to drive the SSO timeouts, then that SP is essentially forcing, for those users, their access control requirements onto other apps.




    For that matter, could you just have them do a CORS request or something to a SiteMinder protected resource using that SM session? Just hit in the background to get it to update the session times - simple little GET to a keepalive.html on your web agent server or something. Then no need for SDK, just simple little HTTP request that could occur completely transparent to the user.

  • 7.  Re: Session refresh using CA sdk

    Posted Sep 07, 2017 02:20 PM

    Hi Deb,


    You can refer to a similar query as here: Session Synchronization between 2 Web applications 

    Also, CA SDK as you mention is used as a development kit to customize your requirement in case of SiteMinder.

    Also, I agree with CBertagnolli, it is better to achieve it on a web level via a keepalive call.




  • 8.  Re: Session refresh using CA sdk

    Posted Sep 08, 2017 02:44 AM

    Thanks Anurag....

    We are trying to achieve this via ajax calls...CA SDK is not quite helpful here in this scenario.



  • 9.  Re: Session refresh using CA sdk
    Best Answer

    Posted Sep 08, 2017 02:28 AM

    Hi Deb,


    SDK won't help in this case.


    What ever you do , eventually what you need to do to extend the session at IDP is refresh the SMSESSION cookie for IDP website. This can't be done unless browser does a GET request on IDP website.


    If it was a custom agent , then you could perform agentapi.login() call to refresh session token .

    example here : Tech Tip : CA Single Sign-On :SDK:How to validate SSO token 




  • 10.  Re: Session refresh using CA sdk

    Posted Sep 12, 2017 04:26 AM

    Thanks Ujwol...

    yes we can do a HTTP GET request call on IDP (Siteminder) website which is under our control...


    My query here is -->

    The third party SP would be able to make ajax calls to IDP...The main problem is passing session information in this case


    Could you please throw some more insights on this?




  • 11.  Re: Session refresh using CA sdk

    Posted Sep 08, 2017 10:24 AM

    Hello All,


    We are trying this out with Ajax calls....but facing an issue here..


    Since we are not passing session information in that calls, the session is getting extended for all the active users of this particular federation...


    My question -->


    • How to pass the session information from IDP to SP and vice-versa in this scenario? (SMSESSION Cookie)


    Or is there any other way to achieve this ajax call?





  • 12.  Re: Session refresh using CA sdk

    Posted Sep 08, 2017 10:31 AM

    It should all be standard behavior when you make the GET request. So long as you access a protected resource in the same domain as your session token, when the browser sends the HTTP GET the session cookie should go with it. Web Agent will get the cookie, validate it and if successful then the page is displayed with an updated set-cookie response containing the extended session token.

  • 13.  Re: Session refresh using CA sdk

    Posted Sep 12, 2017 04:40 AM
    The browser will send the cookie automatically (based on the cookie domain) you don't need to send it explicitly.