Symantec Access Management

  • 1.  persistent session update

    Posted Jul 20, 2015 11:23 AM

    I am a beginner with the product.  Hopefully someone can point me in the right direction.  My goal is to get a better understanding of this issue.

    We have a web based application that is protected with SiteMinder.  The initial URL (root, //application/) is protected with a persistent session.  We have other URLs within the same application that are also protected, but they are using non-persistent sessions (example: //application/inventory).  SSO is working but we are potentially running into an issue with idle timeout.

    The root, protected by the persistent session, is set up for a 15 minute idle timeout.  When navigating in and out of this realm we can watch the session store update the smsession.  But, when a user is operating in one of the other realms (//application/inventory) it does not update the session store.  If they work past 15 minutes they seem to be getting timed out and kicked out of the application.

    Now, this is where it gets a little confusing.  I evaluate the access logs and I am not seeing any events with the code of [42], idle timeout, at the end.  So, I don't know if this is actually a SiteMinder issue or the application.  But, I need more knowledge, as application people always swear it's a "SiteMinder" issue.  The one thing I can agree on with them is, the persistent session/session store is not updating if they don't return to the "root" of the web application.  If I am not mistaken, since we have SSO set up they will continue to function off the original persistent session.  How do we keep it active?

    Do we have to make each realm persistent?  That would make sense to me, but in our old environment it was not configured like this.  (The old servers are shut down and not available to look at.....)

    Any help would be greatly appreciated.


    Mike



  • 2.  Re: persistent session update

    Posted Jul 21, 2015 09:33 AM

    Hi Mike,


    Are you using the EnforceRealmTimeouts ACO parameter set to yes? This might help in enforcing the timeout for a given realm.


    Thanks in advance,

    Ankush



  • 3.  Re: persistent session update

    Posted Jul 21, 2015 10:28 AM

    Thanks for the input, we are actually applying that change today and testing.  Hopefully we will see some results.


    Michael Deeley | Project Manager - Consultant

    PA Department of Transportation | Bureau of Infrastructure and Operations

    1400A North Cameron Street | Harrisburg, PA 17103

    Phone: 717.346.5673

    www.dot.state.pa.us



  • 4.  Re: persistent session update

    Posted Jul 22, 2015 02:23 AM

    Hi Mike,


    I tend to agree with your analysis. The session store is not notified unless a persistent realm is accessed.

    What is the value of the idle timeout for the persistent and non-persistent realm?

    You said this was working with the same configuration in the old version. What version were you using before?


    Cheers,

    Ujwol



  • 5.  Re: persistent session update

    Posted Jul 22, 2015 06:43 AM

    Both realms are set up for a 15 minute idle timeout.  Our prior version was 12.0.  Unfortunately, this issue did not get reported until after the servers were decommissioned.

    Thanks,


    Michael Deeley | Project Manager - Consultant

    PA Department of Transportation | Bureau of Infrastructure and Operations

    1400A North Cameron Street | Harrisburg, PA 17103

    Phone: 717.346.5673

    www.dot.state.pa.us



  • 6.  Re: persistent session update

    Broadcom Employee
    Posted Jul 22, 2015 07:09 AM

    Some items to be aware of when working with persistent realms vs non-persistent realms:

    1. Once a user accesses a resource protected by a persistent realm, that session will be marked as persistent for the duration of the client session and added to the session store.
    2. Validation period (persistent session setting in the advanced realm settings) is a time period at which the session is checked to make sure it’s still valid (must be less than the idle timeout) – minimizes cookie replay attacks.

    Idle and Max timeouts of the session are set on the first realm accessed. This can be overridden by following the documentation “How to Enforce Timeouts across Multiple Realms”:

    1. Set the value of the EnforceRealmTimeouts parameter to yes.
    2. Use the Administrative UI to do the following tasks:
      1. For each realm where you want to supersede the original time-outs (any realm that SSO functionality allows the user to access), do the following:
        1. To override the Maximum Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Max-Timeout response attribute.
        2. To override the Idle Timeout value, create a response using the WebAgent-OnAuthAccept-Session-Idle-Timeout response attribute.
    3. Bind each of the previous responses to an OnAuthAccept rule.
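Added example, not from this thread or from CA/Symantec: a small Python model of the session lifecycle as the replies describe it, so you can see why a user who only works in the non-persistent realm leaves the store timestamp stale. Whether SiteMinder actually logs the user out on that stale store entry is the thread's open question; the store-side check, the 8-hour max timeout and the realm names are assumptions used to make the model runnable.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model (assumption, not SiteMinder internals) of the lifecycle this reply
# describes: timeouts fixed by the first realm, store refreshed only by persistent realms.
@dataclass
class Realm:
    name: str
    persistent: bool
    idle_timeout: int  # seconds; WebAgent-OnAuthAccept-Session-Idle-Timeout under enforce
    max_timeout: int   # seconds; WebAgent-OnAuthAccept-Session-Max-Timeout under enforce
@dataclass
class Session:
    created: int
    idle_timeout: int
    max_timeout: int
    last_access: int                  # SMSESSION cookie side, refreshed on every hit
    store_last_access: Optional[int]  # session store side, None until a persistent hit

def access(session, realm, now, enforce_realm_timeouts=False):
    """One request to a protected realm; returns (session, outcome)."""
    if session is None:  # first realm accessed fixes the idle/max timeouts
        session = Session(now, realm.idle_timeout, realm.max_timeout, now, None)
    else:
        if now - session.created > session.max_timeout:
            return None, "max-timeout"
        if now - session.last_access > session.idle_timeout:
            return None, "idle-timeout"
        # Thread's hypothesis: a persistent session is also validated against the
        # store timestamp, which hits on a non-persistent realm never refresh.
        if (session.store_last_access is not None
                and now - session.store_last_access > session.idle_timeout):
            return None, "idle-timeout(store)"
        if enforce_realm_timeouts:  # EnforceRealmTimeouts=yes: realm responses supersede
            session.idle_timeout, session.max_timeout = realm.idle_timeout, realm.max_timeout
    session.last_access = now
    if realm.persistent:  # only a persistent realm updates the session store
        session.store_last_access = now
    return session, "ok"

def walk(realms, hits, enforce_realm_timeouts=False):
    """Replay (realm, seconds) hits in order; returns the outcome of each hit."""
    session, outcomes = None, []
    for realm, t in hits:
        session, res = access(session, realms[realm], t, enforce_realm_timeouts)
        outcomes.append(res)
    return outcomes

# Mike's layout: 15-minute idle timeout on both realms; the 8-hour max is an assumption.
REALMS = {"root": Realm("/application/", True, 900, 28800),
          "inventory": Realm("/application/inventory", False, 900, 28800)}
```

Replaying root at 0 s then inventory at 600 s and 1200 s trips the store-side check on the third hit, while a root hit at 600 s keeps the same user alive.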