Symantec Access Management

  • 1.  siteminder session store

    Posted Apr 27, 2018 11:58 AM

    Hi There,

    I am just trying to find the difference between these two tables, which are essentially used in the session store: SS_Sessionspec5 vs SS_Sessionvar5. My understanding was that whenever a user logs in, his session id and other details are created in the SS_Sessionspec5 table. How about SS_Sessionvar5, what is the significance of this table? Please advise.



  • 2.  Re: siteminder session store

    Posted Apr 27, 2018 12:07 PM
    ss_sessionspec5 | ss_sessionvar5
    CREATE TABLE ss_sessionspec5 (
           sessionid            VARCHAR2(64) NOT NULL,
           expirationtime       INTEGER DEFAULT 0 NOT NULL,
           maxidletime          INTEGER DEFAULT 0 NOT NULL,
           lasttouch            INTEGER DEFAULT 0 NOT NULL,
           status               INTEGER DEFAULT 0 NOT NULL,
           sessionblob          VARCHAR2(4000) NOT NULL,
           PRIMARY KEY (sessionid)
    )
           PCTFREE 10
           PCTUSED 10
           STORAGE (
                  INITIAL 100k
                  NEXT 100k
                  MINEXTENTS 1
                  MAXEXTENTS 100
    );
    CREATE TABLE ss_sessionvar5 (
           sessionid            VARCHAR2(64) NOT NULL,
           varname              VARCHAR2(64) NOT NULL,
           varvalue             VARCHAR2(4000) NOT NULL,
           chunkgroupid             VARCHAR2(256),
           datasize             INTEGER DEFAULT 0,
           PRIMARY KEY (sessionid, varname),
        CONSTRAINT fk_sessionid
            FOREIGN  KEY (sessionid)
            REFERENCES  ss_sessionspec5(sessionid) ON DELETE CASCADE
    )
           STORAGE (
                  INITIAL 100k
                  NEXT 100k
                  MINEXTENTS 1
                  MAXEXTENTS 100
    );
    ss_sessionspec5: Used to store only the SessionID and characteristics associated with the SessionID.

    ss_sessionvar5: Used to store additional variables that may be linked to a single session (which is beyond the characteristics of a SessionID). E.g. the Persist Session Variables in SStore feature, to save information about claims into SStore. Thus you have a primary key which is the SessionID, but can have multiple claims associated with the single SessionID.

    E.g. on the SAML SP side, to save attributes into SStore from an incoming assertion, or in the X509 Certificate AuthScheme, to save additional attributes from the Certificate into SStore. All of these can be read later using a Session Response within the Policy Domain, as long as the original SMSESSION is still valid.

     

     

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes#AuthenticationSchemes-PersistingAuthenticationContextData

     

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/partnership-federation/assertion-configuration-at-the-asserting-party/how-to-add-session-attributes-to-an-assertion



  • 3.  Re: siteminder session store

    Posted Apr 27, 2018 02:40 PM

    I have seen that when persistent session is enabled, SiteMinder automatically creates the session id and other data in the table ss_sessionspec5, but I don't see anything created in ss_sessionvar5. Is this expected? Please advise.



  • 4.  Re: siteminder session store

    Posted Apr 27, 2018 02:45 PM

    Popleys

     

    Yes that is expected.

     

    When Persistent Session is enabled on the REALM (Policy Domain) CA SSO automatically creates the session id and other data in the table ss_sessionspec5. This is OOB behavior that was in existence for years.

     

    We introduced a new feature (a few SSO versions ago) called Persist Authentication Variables in Session Store. This feature uses the ss_sessionvar5 table. If this feature is not used, then we'll not see anything within ss_sessionvar5. You can see the Persist Authentication Variables "Checkbox" in the following areas within CA SSO.

    • Custom schemes.
    • SAML authentication schemes.
    • SAML SP --> IDP Partnership.
    • OpenID authentication scheme.
    • X.509 certificate schemes.
    • JWT Authentication Scheme.


  • 5.  Re: siteminder session store

    Posted Apr 27, 2018 03:06 PM

    Would you mind giving me a hint on how I could reproduce the data in ss_sessionvar5, either programmatically or through a configuration setting using the admin WAM UI?



  • 6.  Re: siteminder session store

    Posted Apr 27, 2018 03:26 PM

    I mean, I am using just the default native form auth scheme and enabled the session store as mentioned, but I'm not getting how to populate the data in ss_sessionvar5. I am just doing a POC.



  • 7.  Re: siteminder session store
    Best Answer

    Posted Apr 27, 2018 04:02 PM

    Popleys

     

    When Persistent Session is enabled on the REALM (Policy Domain) CA SSO automatically creates the session id and other data in the table ss_sessionspec5. This is OOB behavior that was in existence for years.

     

    We introduced a new feature (a few SSO versions ago) called Persist Authentication Variables in Session Store. This feature uses the ss_sessionvar5 table. If this feature is not used, then we'll not see anything within ss_sessionvar5. You can see the Persist Authentication Variables "Checkbox" in the following areas within CA SSO.

    • Custom schemes.
    • SAML authentication schemes.
    • SAML SP --> IDP Partnership.
    • OpenID authentication scheme.
    • X.509 certificate schemes.
    • JWT Authentication Scheme.

     

    Here is an example from the X509 Authentication Scheme. What this would do is, whenever X509 auth for a user (SessionID is generated) succeeds, it would pick additional info from the Certificate (as the Certificate is lost after auth is complete) and save that info into multiple variables (IssuerDN, IssuedTo, etc.) in the Session Store. This is the info within ss_sessionvar5.
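
The relationship between the two tables described in posts 2 and 7, as an added example that is not part of the thread and is not CA/Symantec code. It assumes the posted DDL ported to SQLite (storage clauses dropped, VARCHAR2 as TEXT); the helper function names, session ids and variable values are constructed for illustration.

```python
import sqlite3
# Schema ported from the thread's Oracle DDL so it runs on SQLite (assumption of this example).
SCHEMA = """
CREATE TABLE ss_sessionspec5 (
    sessionid      TEXT NOT NULL PRIMARY KEY,
    expirationtime INTEGER DEFAULT 0 NOT NULL,
    maxidletime    INTEGER DEFAULT 0 NOT NULL,
    lasttouch      INTEGER DEFAULT 0 NOT NULL,
    status         INTEGER DEFAULT 0 NOT NULL,
    sessionblob    TEXT NOT NULL
);
CREATE TABLE ss_sessionvar5 (
    sessionid    TEXT NOT NULL,
    varname      TEXT NOT NULL,
    varvalue     TEXT NOT NULL,
    chunkgroupid TEXT, datasize INTEGER DEFAULT 0,
    PRIMARY KEY (sessionid, varname),
    FOREIGN KEY (sessionid) REFERENCES ss_sessionspec5(sessionid) ON DELETE CASCADE
);
"""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only on request
    conn.executescript(SCHEMA)
    return conn

def add_var(conn, sessionid, name, value):
    """Return False when the composite key or the foreign key rejects the row."""
    q = "INSERT INTO ss_sessionvar5 (sessionid, varname, varvalue) VALUES (?, ?, ?)"
    try:
        conn.execute(q, (sessionid, name, value))
        return True
    except sqlite3.IntegrityError:
        return False

def create_session(conn, sessionid, persisted_vars=None):
    """One spec row per session; var rows only if a scheme persists variables."""
    q = "INSERT INTO ss_sessionspec5 (sessionid, sessionblob) VALUES (?, 'constructed')"
    conn.execute(q, (sessionid,))
    for name, value in (persisted_vars or {}).items():
        add_var(conn, sessionid, name, value)

def session_vars(conn, sessionid):
    q = "SELECT varname, varvalue FROM ss_sessionvar5 WHERE sessionid = ?"
    return dict(conn.execute(q, (sessionid,)).fetchall())

def end_session(conn, sessionid):
    conn.execute("DELETE FROM ss_sessionspec5 WHERE sessionid = ?", (sessionid,))  # cascades
```

A session created without persisted variables leaves ss_sessionvar5 empty for that session id, which is the behaviour post 4 describes, and ending a session removes its variables through the ON DELETE CASCADE constraint.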