I have installed the CA SDK inside the policy server. Now can somebody give me a suggestion on how a session refresher from the SP would help to refresh the session in the IDP (Siteminder) using the SDK methods?
Here the idle timeout of the IDP is 30 mins whereas the SP's is 1 hr, so when a user navigates to the SP and stays there past 30 mins, I want the SP to initiate a session refresher to the IDP which says to extend the session after 25 mins.
What is SP? Is it CA SSO or something else?
What exactly is CA SDK? Or is it an SDK from the third-party SP? Because you don't need to install any CA SDK in the policy server.
How do you plan to detect the idle time (30 min) expiry on SP?
We are trying this out with Ajax calls, but we are facing an issue here.
Since we are not passing session information in those calls, the session is getting extended for all the active users of this particular federation.
My question -->
Or is there any other way to achieve this ajax call?
Thanks for the response. Below is the answer to your query.
The SP is a third-party cloud-based service provider.
I have downloaded the SDK from CA. It is provided by CA and I have installed it in the policy server.
The SP here is a third-party external system and they will send a session refresher ping after the decided idle timeout.
In the above scenario, is there any way we can override the pre-defined idle timeout at the Siteminder (IDP) end?
You can refer to a similar query as here: Session Synchronization between 2 Web applications
Also, CA SDK as you mention is used as a development kit to customize your requirement in case of SiteMinder.
Also, I agree with CBertagnolli, it is better to achieve it on a web level via a keepalive call.
SDK won't help in this case.
Whatever you do, eventually what you need to do to extend the session at the IDP is refresh the SMSESSION cookie for the IDP website. This can't be done unless the browser does a GET request on the IDP website.
If it was a custom agent, then you could perform an agentapi.login() call to refresh the session token.
Example here: Tech Tip : CA Single Sign-On :SDK:How to validate SSO token
Not speaking on the technical side question...but why would you allow a single Service Provider to extend a broader SSO session at IDP? If you allow their idle timeouts to drive the SSO timeouts, then that SP is essentially forcing, for those users, their access control requirements onto other apps.
For that matter, could you just have them do a CORS request or something to a SiteMinder protected resource using that SM session? Just hit in the background to get it to update the session times - simple little GET to a keepalive.html on your web agent server or something. Then no need for SDK, just simple little HTTP request that could occur completely transparent to the user.
It should all be standard behavior when you make the GET request. So long as you access a protected resource in the same domain as your session token, when the browser sends the HTTP GET the session cookie should go with it. Web Agent will get the cookie, validate it and if successful then the page is displayed with an updated set-cookie response containing the extended session token.
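The background keepalive GET described in the replies above, as an added example that is not code from any participant in this thread. The URL and all function names are hypothetical; it assumes the SP page can run script in the user's browser, and it only pings when the user has actually been active on the SP since the last refresh.

```javascript
// Added example, not from the thread. KEEPALIVE_URL is a hypothetical
// SiteMinder-protected page on the IdP web agent host.
const KEEPALIVE_URL = "https://idp.example.com/protected/keepalive.html";

function createIdpKeepAlive({
  url = KEEPALIVE_URL,
  refreshAfterMs = 25 * 60 * 1000,       // ping after 25 min; IdP idle timeout is 30 min
  fetchFn = (...args) => fetch(...args), // injectable so the logic can be tested offline
  now = () => Date.now(),
} = {}) {
  let lastRefresh = now();
  let lastActivity = lastRefresh;

  return {
    // Wire to real user input on the SP page (click, keydown, ...).
    recordActivity() { lastActivity = now(); },

    // Call from a timer (for example once a minute). Resolves to the outcome.
    async tick() {
      const t = now();
      if (t - lastRefresh < refreshAfterMs) return "not-due";
      // No input since the last refresh: let the IdP idle timeout run its course.
      if (lastActivity <= lastRefresh) return "idle-skip";
      let res;
      try {
        res = await fetchFn(url, {
          method: "GET",
          credentials: "include", // browser attaches this user's own IdP cookie
          cache: "no-store",      // a cached copy would never reach the web agent
          redirect: "manual",     // do not silently follow a redirect
        });
      } catch (err) {
        return "failed";          // network error or request blocked by CORS
      }
      // Assumption: an invalid session yields a redirect or an error status.
      if (res.type === "opaqueredirect" || !res.ok) return "expired";
      lastRefresh = t;
      return "refreshed";
    },
  };
}
```

Because the browser attaches the cookie, only the calling user's session is touched. For the script to read a cross-origin response, the IdP host must answer with `Access-Control-Allow-Origin` naming the SP origin and `Access-Control-Allow-Credentials: true`, and a session cookie marked `SameSite=Lax` or `Strict` will not be sent on such a request.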
Can you post the name of the SDK binary that you installed in the policy server? It's still unclear.
Is SP going to make an API call to IDP or send a browser redirect to IDP? If it's browser redirect then it should automatically refresh the idle time out at IDP
We are trying to achieve this via Ajax calls. The CA SDK is not quite helpful in this scenario.
Yes, we can do an HTTP GET request call on the IDP (Siteminder) website, which is under our control.
My query here is -->
The third-party SP would be able to make Ajax calls to the IDP. The main problem is passing session information in this case.
Could you please throw some more insights on this?
The third-party SP wants to make an API call to Siteminder (IDP).
May I know whether there is any Siteminder API available which will update the session? If yes, what is the method name? What are the parameters to be passed to invoke the session refresh?