Symantec Access Management

  • 1.  CA Single Sign-ON

    Posted Oct 08, 2019 09:20 AM
    Hi,

    With CA Single Sign-On we manage sessions from different applications.

    For each realm the configuration is:
    • idle timeout = 1 hour
    • maximum timeout = 12 hours
    I have this issue:
    • The customer complains that the session expires earlier than expected
    • As evidence, the SMSESSION cookie is set to LOGGEDOFF

    I'd like to track user activity in order to be sure that the problem is the idle timeout. Do you know if there is an easy way to do so?
    I've found this article, but maybe it is too heavy for the system: https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-sp1/configuring/web-agent-configuration/user-protection-and-tracking/user-identity-and-activity-tracking-and-url-monitoring.html

    Thank you,

    Marta


  • 2.  RE: CA Single Sign-ON
    Best Answer

    Broadcom Employee
    Posted Oct 09, 2019 10:13 AM
    The only time that SiteMinder will set the session to LOGGEDOFF is when it is either idle, expired, or someone logged off the application.
    First you need to understand from the user reporting the issue the actions being performed: what applications, is he idling the system, is he accessing multiple applications, is he logging off from one application? So you need to understand from them what their scenario is when they see the issue.

    A couple of suggestions:

    - User tracking enabled with UseSessionForAnonymous set to yes can help if you have anonymous protected realms. The agent will be forced to validate the SMSESSION and generate a new cookie, which will reset the idle.

    - Check if you have the HTTP only cookie flag selected. If that is the case, depending on what kind of application is being used, the SMSESSION may not be submitted with requests (and if the user is accessing non-protected resources).

    - You need to track the user by session ID. The session ID will remain the same as long as it is valid. Collect the agent trace and access log from the policy server to determine the session ID of the user, and you can track any subsequent request of the user by looking up the session and seeing what is happening.

    - Also check if the user is accessing various applications in different time zones, as that can lead to such behavior.


    Regards 
    Joe 
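
The tracking by session ID suggested above can be turned into a check against the realm's 1 hour idle and 12 hour maximum timeouts. This is an added example, not part of the original posts and not Broadcom code; the one-line-per-request input format, the session IDs and the function names are assumptions, and timestamps are assumed to be already normalized to UTC.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(hours=1)   # realm idle timeout quoted in the thread
MAX_TIMEOUT = timedelta(hours=12)   # realm maximum timeout quoted in the thread

def build_sample():
    """Constructed input: 'UTC-timestamp session-id resource' per line.
    Hypothetical normalized format, not SiteMinder's native log layout."""
    lines = [
        "2019-10-08T08:00:00 sess-A /app1/home",
        "2019-10-08T08:40:00 sess-A /app1/home",
        "2019-10-08T09:35:00 sess-A /app2/report",
        "2019-10-08T10:50:00 sess-A /app1/home",   # 75 min after previous hit
    ]
    t0 = datetime(2019, 10, 8, 8, 0)
    # sess-B stays active every 45 min, so only the 12 h cap can end it
    lines += [f"{(t0 + timedelta(minutes=45 * k)).isoformat()} sess-B /app1/home"
              for k in range(18)]
    return "\n".join(lines)

def parse(text):
    """Group requests by session ID, sorted by time."""
    sessions = {}
    for line in text.splitlines():
        if line.strip():
            ts, sid, resource = line.split(maxsplit=2)
            sessions.setdefault(sid, []).append((datetime.fromisoformat(ts), resource))
    return {sid: sorted(ev) for sid, ev in sessions.items()}

def first_expiry(events):
    """Return (reason, request_time, deadline) for the first request that
    arrives after the session's deadline, or None if none does."""
    start = last = events[0][0]
    for ts, _resource in events[1:]:
        idle_deadline, max_deadline = last + IDLE_TIMEOUT, start + MAX_TIMEOUT
        deadline = min(idle_deadline, max_deadline)
        if ts > deadline:
            reason = "idle" if idle_deadline <= max_deadline else "max"
            return reason, ts, deadline
        last = ts
    return None

if __name__ == "__main__":
    for sid, events in parse(build_sample()).items():
        print(sid, first_expiry(events))
```

Only requests that actually carried the session ID count as activity here, so hits on unprotected resources that never reach the agent's session validation do not move the idle deadline.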





  • 3.  RE: CA Single Sign-ON

    Broadcom Employee
    Posted Oct 09, 2019 10:16 AM
    Edited by James Atchley Oct 09, 2019 10:17 AM