I have a unique requirement to set different timeouts for the same resource on the basis of a particular user attribute like designation.
For example, if Designation=Manager then the timeout has to be 30 mins, if Designation=SE then the timeout has to be 20 mins, etc.
I need help of the community to achieve this requirement.
Have EnforceRealmTimeout=YES in ACO.
Have 3 realms created
realm-landing-page : /landing* :
RealmTimeOut [Idle 20 mins / Max 2 hours].
realm-manager : /mgr* :
RealmTimeOut [Idle 30 mins / Max 4 hours].
GET_POST_PUT_Rule_mgr & OnAuthAccept_Rule_mgr.
realm-se : /se* :
RealmTimeOut [Idle 20 mins / Max 2 hours].
GET_POST_PUT_Rule_se & OnAuthAccept_Rule_se.
Have 2 Responses Created
Have 3 Policies Created
landing_policy : All Users :
GET_POST_PUT_Rule_landing >> map response >> HTTP_DESIGNATION.
mgr_policy : (Select 'Search Users' and specify 'Designation=mgr') :
OnAuthAccept_Rule_mgr >> map response >> Response-mgr.
se_policy : (Select 'Search Users' and specify 'Designation=se') :
OnAuthAccept_Rule_se >> map response >> Response-se.
User will always access the /landing page. The user is unaware of the /mgr and /se URLs. Once the user arrives at /landing, based on the value of the HTTP_DESIGNATION header, redirect the user to the /mgr/landing page OR the /se/landing page. That way the /mgr* OR /se* realm is triggered, and thus the session timeout is updated based on the /mgr* OR /se* responses. We can always play with Proxy Rules so that /mgr/landing OR /se/landing serve the same content from the same app server.
Just inform managers to access /mgr/landing and engineers to access /se/landing. This way we can cut down on one realm. If manager accesses /se/landing you can fire on AzReject-Rule/RedirectResponse and redirect them to a centralized AzReject Information page. If engineer accesses /mgr/landing you can fire on AzReject-Rule/RedirectResponse and redirect them to a centralized AzReject Information page which tells who needs to access what page.
Multiple DNS but same URI / backend. E.g. manager.ca.com/landing and se.ca.com/landing.
We can use AgentName parameter in ACO to map each FQDN to a different AgentObject. Then each AgentObject maps to a different realm (protected /landing*).
realm_mgr : /landing*
RealmTimeOut [Idle 30 mins / Max 4 hours]
Response-mgr : Maps to OnAuthAccept_Rule_mgr.
realm_se : /landing*
RealmTimeOut [Idle 20 mins / Max 2 hours]
Response-se : Maps to OnAuthAccept_Rule_se.
Yes this is easily supported out of the box.
You would need to create responses for the timeout values you need using: WebAgent-OnAuthAccept-Session-Max-Timeout
Then create realms that match the resource you want the different timeouts to trigger against. Finally, you need an OnAuthAccept rule for each set of timeouts. Simply then create a policy binding to the specific LDAP query, designation=manager for example, and associate the appropriate responses.
Enforce Timeouts across Multiple Realms - CA Single Sign-On - 12.8 - CA Technologies Documentation
Thanks Jason for your response. I hope you are doing fine.
So for this solution to work, we have to create separate realms. How can we manage the content behind 2 different resources? We need them to be the same, and all user types have to access the same resource.
As an example
mod_proxy - Apache HTTP Server Version 2.5
<Location "/mgr/landing/">
    ProxyPass "http://backend.example.com/"
</Location>
<Location "/se/landing/">
    ProxyPass "http://backend.example.com/"
</Location>
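Putting the mod_proxy answer together with Option 1 (redirect from /landing based on the HTTP_DESIGNATION response), here is an added example of the httpd side of that design. It is not from the thread and not CA's own configuration. It assumes mod_proxy, mod_proxy_http and mod_rewrite are loaded, that the web agent already protects /landing*, /mgr* and /se* and has run before the fixup phase, that it exposes the landing_policy response as a request header readable as %{HTTP:HTTP_DESIGNATION} (the exact name and whether it is a header or an environment variable depends on the agent), and that the header values are mgr and se as in the policies above. backend.example.com is the placeholder host from the previous reply.

```apache
# Added example (not from the thread). Assumes mod_proxy, mod_proxy_http and
# mod_rewrite are loaded and that the SiteMinder agent module is configured
# separately and protects /landing*, /mgr* and /se*.

ProxyRequests Off          # reverse proxy only, never an open forward proxy
ProxyPreserveHost On

# Both realm-specific paths serve the same backend application, so
# /mgr/landing and /se/landing differ only in which realm (and therefore
# which RealmTimeOut) the agent applies.
<Location "/mgr/landing/">
    ProxyPass        "http://backend.example.com/"
    ProxyPassReverse "http://backend.example.com/"
</Location>

<Location "/se/landing/">
    ProxyPass        "http://backend.example.com/"
    ProxyPassReverse "http://backend.example.com/"
</Location>

# Option 1: after the agent has authenticated the user on /landing* and
# populated HTTP_DESIGNATION from the landing_policy response, send the
# browser to the realm that matches the designation. The rules live in a
# Location block so mod_rewrite runs in the fixup phase, after the agent.
# Assumption: the agent exposes the response as a request header; if your
# agent exposes it as an environment variable, use %{ENV:HTTP_DESIGNATION}.
# A user with no recognised designation is not redirected and keeps the
# realm-landing-page timeout.
<Location "/landing">
    RewriteEngine On
    RewriteCond "%{HTTP:HTTP_DESIGNATION}" "^mgr$" [NC]
    RewriteRule ".*" "/mgr/landing/" [R=302,L]
    RewriteCond "%{HTTP:HTTP_DESIGNATION}" "^se$" [NC]
    RewriteRule ".*" "/se/landing/" [R=302,L]
</Location>
```

The redirect only chooses the path; it is not the access control. The mgr_policy and se_policy bound to the /mgr* and /se* realms (with their 'Search Users' Designation filters) are what decide whether the user is admitted and which OnAuthAccept response sets the timeout, so a missing or wrong header value results in an AzReject on the target realm rather than the other group's timeout. Keep the ProxyPass directives out of the /landing block: a Location that is already proxied is skipped by mod_rewrite's per-directory processing, so the redirect would never fire there.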
I have suggested 3 different options to you; there can be more. But it all depends on a detailed discussion on how you would like this driven and how we evaluate what your business needs / strategies would be for the future. Accordingly we'd recommend a best path forward. You are most welcome to take these options as starters and evaluate them against your business needs.
For any further detailed design discussion / evaluations, please engage CA Services.