Symantec Access Management

  • 1.  Different Time out basis of a user

    Posted Sep 27, 2018 03:48 AM

    Hi All,


    I have a unique requirement to set different timeouts for the same resource on the basis of a particular user attribute like designation.


    For example, if Designation=Manager then the timeout has to be 30 mins; if Designation=SE then the timeout has to be 20 mins, etc.


    I need the help of the community to achieve this requirement.




  • 2.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 10:37 AM

    Ashutosh ashutosh.singh


    Option-1 : 


    Have EnforceRealmTimeout=YES in ACO.


    Have 3 realms created

    realm-landing-page : /landing*  :

    RealmTimeOut [Idle 20 mins / Max 2 hours]. 


    realm-manager : /mgr*    :

    RealmTimeOut [Idle 30 mins / Max 4 hours].

    GET_POST_PUT_Rule_mgr & OnAuthAccept_Rule_mgr.

    realm-se : /se*    :

    RealmTimeOut [Idle 20 mins / Max 2 hours].

    GET_POST_PUT_Rule_se & OnAuthAccept_Rule_se.


    Have 2 Responses Created

    Response-landing :


    Response-mgr :



    Response-se : 




    Have 3 Policies Created

    landing_policy : All Users : 

    GET_POST_PUT_Rule_landing >> map response >> HTTP_DESIGNATION.

    mgr_policy : (Select 'Search Users' and specify 'Designation=mgr') : 


    OnAuthAccept_Rule_mgr >> map response >> Response-mgr.

    se_policy : (Select 'Search Users' and specify 'Designation=se') : 


    OnAuthAccept_Rule_se >> map response >> Response-se.



    Users will always access the /landing page. Users are unaware of the /mgr and /se URLs. Once the user arrives at /landing, based on the value of the HTTP_DESIGNATION header, redirect the user to the /mgr/landing page OR the /se/landing page. That way the /mgr* OR /se* realm is triggered, and thus the session timeout is updated based on the /mgr* OR /se* responses. We can always play with proxy rules so that /mgr/landing OR /se/landing serve the same content from the same app server.



    Option-2 : 


    Just inform managers to access /mgr/landing and engineers to access /se/landing. This way we can cut down by one realm. If a manager accesses /se/landing you can fire an AzReject Rule / Redirect Response and redirect them to a centralized AzReject information page. If an engineer accesses /mgr/landing you can fire an AzReject Rule / Redirect Response and redirect them to a centralized AzReject information page which tells who needs to access what page.



    Option-3 : 


    Multiple DNS names but the same URI / backend. E.g. and

    We can use the AgentName parameter in the ACO to map each FQDN to a different Agent object. Then each Agent object maps to a different realm (protecting /landing*).



    AgentName : 


    realm_mgr : /landing*


    RealmTimeOut [Idle 30 mins / Max 4 hours]




    Response-mgr : Maps to OnAuthAccept_Rule_mgr.



    AgentName : 


    realm_se : /landing*


    RealmTimeOut [Idle 20 mins / Max 2 hours]




    Response-se : Maps to OnAuthAccept_Rule_se.
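    The landing-page hop that Option-1 (and, with a per-FQDN agent, Option-3) relies on, written out as a small WSGI app. This is an added example, not code from the thread or from the product: the header name HTTP_DESIGNATION, the paths /landing, /mgr/landing and /se/landing, and the designation values (Manager / SE, and mgr / se as used in the policy filters) come from the posts above; the mapping table, the 403 for an unknown designation and the WSGI shape are assumptions.

```python
"""Landing-page dispatcher for the Option-1 flow described above.

Every user is sent to /landing. By the time the request reaches this app the
web agent has already set the HTTP_DESIGNATION header from the policy
response, so the app only has to bounce the user into the role-specific realm
(/mgr/landing or /se/landing); the reverse proxy serves both from the same
backend. Added example, not code from the thread. The header name, the paths
and the designation values come from the thread; the mapping table, the 403
for an unknown designation and the WSGI shape are assumptions.
"""
from wsgiref.simple_server import make_server

# Designation value as it appears in the agent-set header -> realm prefix.
# Keys are lower-cased because the thread spells the value both "Manager"
# and "mgr"; realm_for() normalises before the lookup.
REALM_BY_DESIGNATION = {
    "manager": "/mgr",
    "mgr": "/mgr",
    "se": "/se",
}
REALM_PREFIXES = sorted(set(REALM_BY_DESIGNATION.values()))


def realm_for(designation):
    """Return the realm prefix for a designation value, or None if unknown."""
    if designation is None:
        return None
    return REALM_BY_DESIGNATION.get(designation.strip().lower())


def in_realm(path):
    """True if the path already lives under one of the role realms.

    Matches "/mgr" and "/mgr/...", but not "/mgrx", so a path cannot be
    shaped to look like a realm it is not in.
    """
    return any(path == p or path.startswith(p + "/") for p in REALM_PREFIXES)


def dispatch(path, designation):
    """Route one request. Returns (status, redirect_location_or_None).

    * /landing[/...] with a known designation -> 302 to the same path under
      the role prefix, e.g. /landing/home -> /mgr/landing/home.
    * /landing[/...] with a missing or unknown designation -> 403: the policy
      server gave no usable role, so do not guess one.
    * /mgr/... or /se/... -> 200; the realm boundary has been crossed, so the
      realm's own RealmTimeOut now applies.
    * anything else -> 404.
    """
    if in_realm(path):
        return "200 OK", None
    if path == "/landing" or path.startswith("/landing/"):
        prefix = realm_for(designation)
        if prefix is None:
            return "403 Forbidden", None
        return "302 Found", prefix + path
    return "404 Not Found", None


def application(environ, start_response):
    """WSGI entry point. HTTP_DESIGNATION is the CGI form of the Designation
    header the agent sets. A request that bypassed the agent would lack the
    header or carry a client-forged value, which is why this app must only be
    reachable through the agent-protected web server."""
    status, location = dispatch(environ.get("PATH_INFO", "/"),
                                environ.get("HTTP_DESIGNATION"))
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if location is not None:
        headers.append(("Location", location))
    start_response(status, headers)
    return [status.encode()]


if __name__ == "__main__":
    # Listen on localhost only: the agent-protected web server proxies to us.
    with make_server("127.0.0.1", 8080, application) as httpd:
        httpd.serve_forever()
```

    The redirect keeps whatever sub-path the user asked for, so a deep link to /landing/report still ends up under the right realm. The two things worth keeping as written are the 403 for a missing or unknown designation (the agent normally sets the header, so its absence means the request did not come through the agent) and the localhost bind, which stops anyone reaching the app with a hand-made Designation header.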







  • 3.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 10:41 AM

    Yes, this is easily supported out of the box.


    You would need to create responses for the timeout values you need using:



    Then create realms that match the resource you want the different timeouts to trigger against.

    Finally, you need an OnAuthAccept rule for each set of timeouts. Then simply create a policy bound to the specific LDAP query (designation=manager, for example) and associate the appropriate responses.

    Enforce Timeouts across Multiple Realms - CA Single Sign-On - 12.8 - CA Technologies Documentation 

  • 4.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 11:05 AM

    Thanks Jason for your response. I hope you are doing fine.


    So for this solution to work, we have to create separate realms. How can we manage the content behind 2 different resources? We need them to be the same, and all the user types have to access the same resource.


    Best Regards


    Ashutosh Singh

  • 5.  Re: Different Time out basis of a user

    Posted Sep 28, 2018 11:24 AM

    As an example


    mod_proxy - Apache HTTP Server Version 2.5 


    # Both Location blocks proxy to the same backend, so /mgr/landing/ and
    # /se/landing/ serve identical content while landing in different realms.
    <Location "/mgr/landing/">
        ProxyPass ""
    </Location>

    <Location "/se/landing/">
        ProxyPass ""
    </Location>

  • 6.  Re: Different Time out basis of a user
    Best Answer

    Posted Sep 28, 2018 12:04 PM

    I have suggested 3 different options to you; there can be more. But it all depends on a detailed discussion of how you would like this driven and how we evaluate what your business needs / strategies would be for the future. Accordingly we'd recommend a best path forward. You are most welcome to take these options as starters and evaluate them against your business needs.


    For any further detailed design discussion / evaluations, please engage CA Services.