Symantec Access Management

  • 1.  Session Store in OIDC

    Posted Apr 29, 2020 05:32 PM
    All,

    I would like to know the impacts of avoiding the session store for OIDC implementations and ways to execute that. CA SSO is using the session store to save the az_code, access tokens and sessionID even if I select "non-persistent" against the realm created to protect "/affwebservices/secure/secureredirect".
    It would also be helpful if someone can explain the other details CA SSO will be saving in the session store while using OIDC applications.


    Thanks
    Vijay


  • 2.  RE: Session Store in OIDC

    Broadcom Employee
    Posted May 12, 2020 02:44 AM
    Hi Vijay

    As you know, the SiteMinder OIDC implementation requires the session store as a mandatory component. Based on my understanding, it is not a supported architecture without a session store in SiteMinder.

    If you want a more detailed explanation of the session store mechanism in the OIDC implementation, I would recommend that you open a case. Then, the Broadcom support team can escalate your question to the engineering team.

    BTW, is there any reason not to use the session store? You can use CA Directory as the session store. You just need to enable the session store in the policy server which implements OIDC.

    Kind regards

    B.K.


  • 3.  RE: Session Store in OIDC

    Posted May 13, 2020 02:02 PM
    Hi BK,

    Thanks for your response. It would be great if you could explain the difference between persistent vs non-persistent against the realm that protects /affwebservices/secure/secureredirect.


    Thanks
    Vijay



  • 4.  RE: Session Store in OIDC

    Broadcom Employee
    Posted May 14, 2020 12:57 AM
    Hi Vijay

    When you set up the realm as persistent in /affwebservices/secure/secureredirect, it will save OIDC related data into the session store. It will be used for the OIDC implementation.

    Depending on your OIDC configuration, the data will be different. Here are a few samples:

    Access token
    Auth_detail
    Refresh token


    I hope that this helps you to understand how the session store is used for the OIDC implementation.

    Kind regards

    B.K.




  • 5.  RE: Session Store in OIDC
    Best Answer

    Broadcom Employee
    Posted May 15, 2020 02:27 AM
    Edited by Christopher Hackett May 15, 2020 03:20 PM
    Hi Vijay

    There is incorrect information in my previous response. Regardless of whether you select a persistent realm or not in /affwebservices/secure/secureredirect, OIDC related information is saved when the session store is enabled.

    When you check the realm as persistent, the web agent places the session ticket in a session store database. It is used for session validation. One of the key benefits of the persistent session is protection against session replay attacks. This session ticket data will be deleted when the user logs out. When a malicious user does a cookie replay attack, it will be rejected because there is no session ticket information in the session store.


    Note: Non-persistent and persistent cookies are NOT related to the SiteMinder session of the user being non-persistent or persistent.

    You can find further detailed information from https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=757295.

    Kind regards

    B.K.
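    To illustrate the replay protection described in the answer above, here is an added toy model (not SiteMinder or Broadcom code): in persistent mode a session ticket must still exist in a server-side store that logout clears, while in non-persistent mode only the cookie's MAC is trusted, so a cookie captured before logout keeps working until it expires. The names SessionStore and SessionAuth are invented for this illustration.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory stand-in for a server-side session store (constructed for the example)."""

    def __init__(self):
        self.tickets = {}  # ticket_id -> (user, expires_at)

    def put(self, tid, user, exp):
        self.tickets[tid] = (user, exp)

    def get(self, tid):
        return self.tickets.get(tid)

    def delete(self, tid):
        self.tickets.pop(tid, None)


class SessionAuth:
    """Cookie format: 'ticket_id.user.expiry.mac' (hypothetical layout)."""

    def __init__(self, key: bytes, store: SessionStore, persistent: bool, ttl: int = 900):
        self.key, self.store, self.persistent, self.ttl = key, store, persistent, ttl

    def _mac(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str, now: float) -> str:
        tid = secrets.token_urlsafe(16)             # no '.' characters, safe to split on
        payload = f"{tid}.{user}.{int(now + self.ttl)}"
        self.store.put(tid, user, int(now + self.ttl))  # ticket recorded at login in both modes
        return f"{payload}.{self._mac(payload)}"

    def validate(self, cookie: str, now: float):
        """Return the user for a valid cookie, or None if it must be rejected."""
        parts = cookie.split(".")
        if len(parts) != 4:
            return None
        tid, user, exp, mac = parts
        if not hmac.compare_digest(mac, self._mac(f"{tid}.{user}.{exp}")) or now >= int(exp):
            return None                             # forged or expired cookie
        if self.persistent and self.store.get(tid) is None:
            return None                             # ticket gone from the store: replay rejected
        return user

    def logout(self, cookie: str):
        self.store.delete(cookie.split(".")[0])     # remove the ticket, invalidating copies


def replay_after_logout(persistent: bool) -> bool:
    """True if a cookie captured before logout is still accepted after it."""
    auth = SessionAuth(secrets.token_bytes(32), SessionStore(), persistent)
    cookie = auth.login("vijay", now=1000.0)
    auth.logout(cookie)
    return auth.validate(cookie, now=1001.0) is not None
```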