Ashutosh ashutosh.singh
Option-1 :
Have EnforceRealmTimeout=YES in ACO.
Have 3 realms created
realm-landing-page : /landing* :
RealmTimeOut [Idle 20 mins / Max 2 hours].
GET_POST_PUT_Rule_landing
realm-manager : /mgr* :
RealmTimeOut [Idle 30 mins / Max 4 hours].
GET_POST_PUT_Rule_mgr & OnAuthAccept_Rule_mgr.
realm-se : /se* :
RealmTimeOut [Idle 20 mins / Max 2 hours].
GET_POST_PUT_Rule_se & OnAuthAccept_Rule_se.
Have 2 Responses Created
Response-landing :
HTTP_DESIGNATION.
Response-mgr :
WebAgent-OnAuthAccept-Session-IdleTimeout=1800.
WebAgent-OnAuthAccept-Session-IdleTimeout=14400.
Response-se :
WebAgent-OnAuthAccept-Session-IdleTimeout=1200.
WebAgent-OnAuthAccept-Session-IdleTimeout=7200.
Have 3 Policies Created
landing_policy : All Users :
GET_POST_PUT_Rule_landing >> map response >> HTTP_DESIGNATION.
mgr_policy : (Select 'Search Users' and specify 'Designation=mgr') :
GET_POST_PUT_Rule_mgr
OnAuthAccept_Rule_mgr >> map response >> Response-mgr.
se_policy : (Select 'Search Users' and specify 'Designation=se') :
GET_POST_PUT_Rule_se
OnAuthAccept_Rule_se >> map response >> Response-se.
The user will always access the /landing page and is unaware of the /mgr and /se URLs. Once the user arrives at /landing, redirect the user to the /mgr/landing page OR the /se/landing page based on the value of the HTTP_DESIGNATION header. That way the /mgr* OR /se* realm is triggered, and thus the session timeout is updated based on the /mgr* OR /se* responses. We can always play with Proxy Rules so that /mgr/landing OR /se/landing serve the same content from the same app server.
Option-2 :
Just inform managers to access /mgr/landing and engineers to access /se/landing. This way we can cut down by one realm. If a manager accesses /se/landing, you can fire on AzReject-Rule/RedirectResponse and redirect them to a centralized AzReject information page. If an engineer accesses /mgr/landing, you can fire on AzReject-Rule/RedirectResponse and redirect them to a centralized AzReject information page which tells who needs to access what page.
Option-3 :
Multiple DNS names but the same URI / backend, e.g. manager.ca.com/landing and se.ca.com/landing.
We can use the AgentName parameter in the ACO to map each FQDN to a different AgentObject. Then each AgentObject maps to a different realm (protecting /landing*).
| FQDN | ACO-1 | Realm | Rule | Policy | Response |
|---|---|---|---|---|---|
| manager.ca.com | AgentName : wa_mgr,manager.ca.com | realm_mgr : /landing* RealmTimeOut [Idle 30 mins / Max 4 hours] | GET_POST_PUT_Rule_mgr, OnAuthAccept_Rule_mgr | mgr_policy | Response-mgr : maps to OnAuthAccept_Rule_mgr. WebAgent-OnAuthAccept-Session-IdleTimeout=1800. WebAgent-OnAuthAccept-Session-IdleTimeout=14400. |
| se.ca.com | AgentName : wa_se,se.ca.com | realm_se : /landing* RealmTimeOut [Idle 20 mins / Max 2 hours] | GET_POST_PUT_Rule_se, OnAuthAccept_Rule_se | se_policy | Response-se : maps to OnAuthAccept_Rule_se. WebAgent-OnAuthAccept-Session-IdleTimeout=1200. WebAgent-OnAuthAccept-Session-IdleTimeout=7200. |
Regards
Hubert
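The redirect step in Option-1 (landing page reads the designation header and sends the user into the /mgr* or /se* realm), as an added example that is not part of the original post or of any CA/SiteMinder product code. It assumes the Web Agent in front of the app delivers the HTTP_DESIGNATION response attribute as a request header, which WSGI exposes as environ["HTTP_DESIGNATION"]; the realm paths /mgr/landing and /se/landing come from the post, while the function names and the allowlist table are assumptions made for the example. The security point it adds is that the header value is used only as a lookup key into a fixed table, never copied into the Location header, so an unexpected value cannot turn the hop into an open redirect:

```python
"""Option-1 landing redirect (added example, not from the original post).

Assumption: a SiteMinder Web Agent protects /landing* and injects the
HTTP_DESIGNATION response attribute as a request header, which WSGI
surfaces as environ["HTTP_DESIGNATION"]. Target paths are the ones from
the post; helper names and the allowlist are assumptions for this example.
"""
from wsgiref.simple_server import make_server

# Allowlist: only designations the policy server actually issues map to a
# realm. Anything else is rejected instead of being interpolated into a
# Location header, so a bad header value cannot become an open redirect.
LANDING_BY_DESIGNATION = {
    "mgr": "/mgr/landing",
    "se": "/se/landing",
}


def landing_for(designation):
    """Return the realm-specific landing path for a designation, or None if unknown."""
    if designation is None:
        return None
    return LANDING_BY_DESIGNATION.get(designation.strip().lower())


def landing_app(environ, start_response):
    """WSGI app served at /landing; it never echoes the header into the redirect target."""
    path = environ.get("PATH_INFO", "")
    if not path.startswith("/landing"):
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]

    target = landing_for(environ.get("HTTP_DESIGNATION"))
    if target is None:
        # Authenticated but no usable designation: refuse rather than guess a realm.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no designation for this user\n"]

    # Keep the query string so deep links into /landing?x=y survive the hop.
    qs = environ.get("QUERY_STRING", "")
    if qs:
        target = target + "?" + qs
    start_response("302 Found", [("Location", target), ("Content-Type", "text/plain")])
    return [b"redirecting\n"]


def handle(environ):
    """Drive landing_app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(landing_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed local run; in practice this sits behind the agent, not on a public port.
    with make_server("127.0.0.1", 8080, landing_app) as srv:
        srv.serve_forever()
```

The header is only trustworthy because the agent sits between the client and this app; if the app is also reachable on a path or port the agent does not protect, a client can supply its own Designation header and pick its realm, so the direct route must be closed off (or the app must refuse requests lacking the agent's session context).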