Symantec Access Management

  • 1.  Access Gateway REST Call - Logout not invalidating Session Token

    Broadcom Employee
    Posted Aug 31, 2017 07:07 PM

    Working on the Access Gateway web services (AuthN/Az) and having issues with the logout. When I invoke the REST login service and access the protected resource, I receive the token successfully. After that, I invoke the REST logout service and try again to hit the protected resource. Instead of getting a 401 error like I would expect, I was able to pass through and access the resource.

    Digging further into the product doc, it turns out that the logout service will not invalidate the token.

    https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/ca-access-gateway-configuration/configuring-the-authentication-and-authorization-web-services

    Are there additional configurations that need to be done to make sure the session token is invalidated after passing it to the logout service?



  • 2.  Re: Access Gateway REST Call - Logout not invalidating Session Token
    Best Answer

    Posted Aug 31, 2017 07:18 PM

    To invalidate the session token after logout you will need to implement a session store and ensure that the session is persistent.

    Also, have a shorter session validation period to ensure that the agent sends the request to the policy server for validation.



  • 3.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Broadcom Employee
    Posted Aug 31, 2017 09:12 PM

    To add to the answer that Ujwol added,

    Firstly, yes, the REST API logout call is more related to session store usage, where it will delete the entry from the session store. In the webagent (non-REST call mode) the main purpose of the logout call, in addition to the session store use, is to delete the SMSESSION cookie.

    But the SMSESSION cookie does have its own expiry idle timeout built into it; the webagent, when it receives a request, decrypts and decodes the SMSESSION and checks if the idle timeout has expired before processing the request.

    So after the logout call, the SMSESSION cookie is only valid for that moderately short idle timeout period and will then expire.

    Cheers - Mark

    BTW: Even with session store usage, it takes some time for the deleted session to be flushed to all policy servers and webagents, so there too there is a small period of time (smaller than the idle timeout, but still a small period of time) when it will be accepted (ACO settings can adjust that time, and setting the Az cache to 0 will mean the agent checks the policy server each time).



  • 4.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted Sep 01, 2017 09:17 AM

    Complementing Mark.ODonohue's answer,

    If you're using a front-end app to consume the web services from Access Gateway, what we usually recommend is to also delete the SMSESSION cookie from the client's browser when calling the logout web service.
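
    The following is an added example, not code from this thread or from CA/Broadcom, that models the behaviour described in the three replies above: a signed, self-contained session token carrying its own idle and max timeouts (a stand-in for SMSESSION), an optional persistent session store whose entry the logout call deletes, and an authorization cache whose TTL (a stand-in for the ACO Az cache setting) delays the agent from noticing that deletion. The token format, key, session ids, timeouts and class names are all constructed for the illustration; real agents also refresh the token's last-access time on every accepted request, which is omitted here.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real agent shares its key material with the policy server.
SECRET = b"constructed-demo-key"


def mint_token(sid, issued_at, idle_timeout, max_timeout):
    """Return a signed, self-contained token (stand-in for an SMSESSION cookie)."""
    payload = {"sid": sid, "issued_at": issued_at, "last_access": issued_at,
               "idle_timeout": idle_timeout, "max_timeout": max_timeout}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def parse_token(token):
    """Verify the signature and return the payload, or raise ValueError."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body.encode()))


class SessionStore:
    """Constructed model of a persistent session store; logout deletes the entry."""

    def __init__(self):
        self.active = set()

    def add(self, sid):
        self.active.add(sid)

    def delete(self, sid):
        self.active.discard(sid)

    def exists(self, sid):
        return sid in self.active


class Agent:
    """Constructed model of an agent validating a token on each request."""

    def __init__(self, store=None, az_cache_ttl=0):
        self.store = store            # None means no session store is configured
        self.az_cache_ttl = az_cache_ttl  # seconds a store answer is reused; 0 = ask every time
        self._cache = {}              # sid -> (decision, cached_at)

    def validate(self, token, now):
        """Return (accepted, reason) for a request carrying `token` at time `now`."""
        try:
            p = parse_token(token)
        except ValueError as exc:
            return False, str(exc)
        # Timeouts are embedded in the token, so they are enforced even without a store.
        if now - p["last_access"] > p["idle_timeout"]:
            return False, "idle timeout"
        if now - p["issued_at"] > p["max_timeout"]:
            return False, "max timeout"
        if self.store is None:
            return True, "stateless token, accepted"
        sid = p["sid"]
        cached = self._cache.get(sid)
        if cached and now - cached[1] < self.az_cache_ttl:
            return cached[0], "cached decision"
        ok = self.store.exists(sid)
        self._cache[sid] = (ok, now)
        return ok, "store says " + ("active" if ok else "deleted")


def run_scenarios(t0=1000, idle=300, maximum=3600):
    """Replay the three situations discussed in the thread; returns accept/reject per step."""
    results = {}
    # 1. No session store: logout has nothing to delete, only the idle timeout ends the token.
    tok = mint_token("s1", t0, idle, maximum)
    agent = Agent(store=None)
    results["no_store_after_logout"] = agent.validate(tok, t0 + 20)[0]
    results["no_store_after_idle"] = agent.validate(tok, t0 + idle + 1)[0]
    # 2. Session store with Az cache 0: the agent asks the store on every request.
    store = SessionStore()
    store.add("s2")
    tok = mint_token("s2", t0, idle, maximum)
    agent = Agent(store=store, az_cache_ttl=0)
    results["store_before_logout"] = agent.validate(tok, t0 + 5)[0]
    store.delete("s2")  # what the logout service does to the store entry
    results["store_cache0_after_logout"] = agent.validate(tok, t0 + 20)[0]
    # 3. Session store with a 60 s Az cache: the deletion is seen once the cache entry ages out.
    store = SessionStore()
    store.add("s3")
    tok = mint_token("s3", t0, idle, maximum)
    agent = Agent(store=store, az_cache_ttl=60)
    agent.validate(tok, t0 + 5)  # populates the cache with an "active" answer
    store.delete("s3")
    results["store_cache60_within_ttl"] = agent.validate(tok, t0 + 20)[0]
    results["store_cache60_after_ttl"] = agent.validate(tok, t0 + 80)[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

    Scenario 1 is the behaviour the original poster saw: without a store the token stays usable until its embedded idle timeout elapses. Scenario 2 is the session-store configuration from the first reply, and scenario 3 shows the short acceptance window that the Az cache introduces, which is why the reply above recommends removing the cookie on the client as well.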



  • 5.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Broadcom Employee
    Posted Oct 05, 2017 01:09 PM

    Deployed the fix provided by CA Support and that fixed the web services logout issue. The fix contains 2 files: libSPS60Agent.so and libSPSPlugin.so

    I hope this fix will make it into the next release of Access Gateway.



  • 6.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted Oct 05, 2017 01:11 PM

    Makesh,

    Could you reconfirm whether the fix provided for logout works with or without a Session Store?



  • 7.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Broadcom Employee
    Posted Oct 05, 2017 01:23 PM

    It works with Session Store and a combination of short idle/max timeout period.



  • 8.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted Oct 05, 2017 01:25 PM

    Thank You Makesh.



  • 9.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Posted Oct 05, 2017 08:30 PM

    Hi Makesh, can you share the Rally ticket number? I would like to verify what the issue was and what has been done to fix it.



  • 10.  Re: Access Gateway REST Call - Logout not invalidating Session Token

    Broadcom Employee
    Posted Oct 05, 2017 11:03 PM

    I just emailed you the ticket number.