Symantec Access Management

  • 1.  Different Time out basis of a user

    Posted Sep 27, 2018 03:48 AM

    Hi All,

     

    I have a unique requirement to set different timeouts for the same resource on the basis of a particular user attribute, such as designation.

     

    For example, if Designation=Manager then the timeout has to be 30 mins; if Designation=SE then the timeout has to be 20 mins, etc.

     

    I need the community's help to achieve this requirement.

     

    Regards

    Ashutosh



  • 2.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 10:37 AM

    Ashutosh ashutosh.singh

     

    Option-1 : 

     

    Have EnforceRealmTimeout=YES in ACO.

     

    Have 3 realms created:

    realm-landing-page : /landing* :
    RealmTimeOut [Idle 20 mins / Max 2 hours].
    GET_POST_PUT_Rule_landing

    realm-manager : /mgr* :
    RealmTimeOut [Idle 30 mins / Max 4 hours].
    GET_POST_PUT_Rule_mgr & OnAuthAccept_Rule_mgr.

    realm-se : /se* :
    RealmTimeOut [Idle 20 mins / Max 2 hours].
    GET_POST_PUT_Rule_se & OnAuthAccept_Rule_se.

     

    Have 2 Responses created:

    Response-landing :
    HTTP_DESIGNATION.

    Response-mgr :
    WebAgent-OnAuthAccept-Session-IdleTimeout=1800.
    WebAgent-OnAuthAccept-Session-IdleTimeout=14400.

    Response-se :
    WebAgent-OnAuthAccept-Session-IdleTimeout=1200.
    WebAgent-OnAuthAccept-Session-IdleTimeout=7200.

     

    Have 3 Policies created:

    landing_policy : All Users :
    GET_POST_PUT_Rule_landing >> map response >> HTTP_DESIGNATION.

    mgr_policy : (Select 'Search Users' and specify 'Designation=mgr') :
    GET_POST_PUT_Rule_mgr
    OnAuthAccept_Rule_mgr >> map response >> Response-mgr.

    se_policy : (Select 'Search Users' and specify 'Designation=se') :
    GET_POST_PUT_Rule_se
    OnAuthAccept_Rule_se >> map response >> Response-se.

     

     

    The user will always access the /landing page. The user is unaware of the /mgr and /se URLs. Once the user arrives at /landing, based on the value of the HTTP_DESIGNATION header, redirect the user to the /mgr/landing page OR the /se/landing page. That way the /mgr* OR /se* realm is triggered, and thus the session timeout is updated based on the /mgr* OR /se* responses. We can always play with Proxy Rules so that /mgr/landing OR /se/landing serve the same content from the same app server.

     

     

    Option-2 : 

     

    Just inform managers to access /mgr/landing and engineers to access /se/landing. This way we can cut down by one realm. If a manager accesses /se/landing you can fire an AzReject-Rule/RedirectResponse and redirect them to a centralized AzReject information page. If an engineer accesses /mgr/landing you can fire an AzReject-Rule/RedirectResponse and redirect them to a centralized AzReject information page which tells who needs to access what page.

     

     

    Option-3 : 

     

    Multiple DNS names but the same URI / backend, e.g. manager.ca.com/landing and se.ca.com/landing.

    We can use the AgentName parameter in the ACO to map each FQDN to a different AgentObject. Then each AgentObject maps to a different realm (protecting /landing*).

     

    FQDN : ACO : Realm : Rule : Policy : Response

    manager.ca.com :
    ACO AgentName : wa_mgr,manager.ca.com
    realm_mgr : /landing* : RealmTimeOut [Idle 30 mins / Max 4 hours]
    GET_POST_PUT_Rule_mgr & OnAuthAccept_Rule_mgr.
    mgr_policy
    Response-mgr : Maps to OnAuthAccept_Rule_mgr.
    WebAgent-OnAuthAccept-Session-IdleTimeout=1800.
    WebAgent-OnAuthAccept-Session-IdleTimeout=14400.

    se.ca.com :
    ACO AgentName : wa_se,se.ca.com
    realm_se : /landing* : RealmTimeOut [Idle 20 mins / Max 2 hours]
    GET_POST_PUT_Rule_se & OnAuthAccept_Rule_se.
    se_policy
    Response-se : Maps to OnAuthAccept_Rule_se.
    WebAgent-OnAuthAccept-Session-IdleTimeout=1200.
    WebAgent-OnAuthAccept-Session-IdleTimeout=7200.

     

     

    Regards

    Hubert
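    The redirect step of Option-1, written out as an added example (not code from the thread or from the product). It assumes the web agent protecting /landing* injects the HTTP_DESIGNATION header from landing_policy, and reuses the realm paths and timeout values Hubert listed; the function and variable names are my own.

```python
# Added example for Option-1: the /landing page reads the HTTP_DESIGNATION
# header set by the SiteMinder response and redirects into the realm whose
# timeouts apply to that designation. Names and the WSGI wrapper are assumed.
from typing import Optional

# Designation policy key -> (realm landing path, idle seconds, max seconds),
# taken from the realm/response values in the reply above.
REALM_BY_DESIGNATION = {
    "mgr": ("/mgr/landing", 1800, 14400),
    "se": ("/se/landing", 1200, 7200),
}

# Accept the spelling in the question ('Manager'/'SE') as well as the
# values used in the policy search filters ('mgr'/'se').
DESIGNATION_ALIASES = {"manager": "mgr", "mgr": "mgr", "se": "se"}


def normalise_designation(value: Optional[str]) -> Optional[str]:
    """Map a raw header value to a policy key; None if missing or unknown."""
    if value is None:
        return None
    return DESIGNATION_ALIASES.get(value.strip().lower())


def choose_redirect(environ: dict) -> Optional[str]:
    """Realm landing path for this request, or None when no realm applies.

    The target comes from the fixed table, never from the header text itself,
    so an unexpected header value cannot turn the landing page into an open
    redirect. WSGI exposes a 'Designation' request header as HTTP_DESIGNATION.
    """
    key = normalise_designation(environ.get("HTTP_DESIGNATION"))
    return None if key is None else REALM_BY_DESIGNATION[key][0]


def realm_timeouts(key: str) -> tuple:
    """(idle, max) timeout in seconds the target realm's response will set."""
    return REALM_BY_DESIGNATION[key][1:]


def landing_app(environ, start_response):
    """Minimal WSGI app for /landing: 302 into the designation realm, else 403."""
    target = choose_redirect(environ)
    if target is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"No realm is mapped to your designation.\n"]
    start_response("302 Found", [("Location", target),
                                 ("Cache-Control", "no-store")])
    return [b""]
```

    A user whose designation is not in the table gets a 403 rather than a guessed realm, so nobody silently lands in a realm with longer timeouts than their designation allows.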



  • 3.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 10:41 AM

    Yes this is easily supported out of the box.

     

    You would need to create responses for the timeout values you need, using:
    WebAgent-OnAuthAccept-Session-Max-Timeout
    WebAgent-OnAuthAccept-Session-Idle-Timeout

     

    Then create realms that match the resource you want the different timeouts to trigger against.

    Finally, you need an OnAuthAccept rule for each set of timeouts. Then simply create a policy bound to the specific LDAP query, designation=manager for example, and associate the appropriate responses.

    Enforce Timeouts across Multiple Realms - CA Single Sign-On - 12.8 - CA Technologies Documentation 



  • 4.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 11:05 AM

    Thanks Jason for your response. I hope you are doing fine.

     

    So for this solution to work, we have to create separate realms. How can we manage the content behind 2 different resources? We need them to be the same, and all user types have to access the same resource.

     

    Best Regards

     

    Ashutosh Singh



  • 5.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 11:24 AM

    As an example

     

    mod_proxy - Apache HTTP Server Version 2.5 

     

    # Both realm paths are served by the same backend, so /mgr/landing and
    # /se/landing return identical content while hitting different realms.
    <Location "/mgr/landing/">
    ProxyPass "http://backend.example.com/"
    </Location>

    <Location "/se/landing/">
    ProxyPass "http://backend.example.com/"
    </Location>


  • 6.  Re: Different Time out basis of a user
    Best Answer

    Posted Sep 28, 2018 12:04 PM

    I have suggested 3 different options to you; there can be more. But it all depends on a detailed discussion of how you would like this driven and how we evaluate what your business needs / strategies would be for the future. Accordingly we'd recommend a best path forward. You are most welcome to take these options as starters and evaluate them against your business needs.

     

    For any further detailed design discussion / evaluations, please engage CA Services.