Layer7 API Management

API Gateway use of SSO doesn't implement Idle timeout - here is how to implement idle timeout in Gateway Policy 

06-01-2018 04:51 AM

Hi, this is a quick one - I'll revisit it later - but it's 7PM Friday night and I want to get out of here - but to pass on this for the support case that inspired it - will revisit it Monday and add a bit more depth - Cheers - Mark


API Gateway uses the CA SM SDK (or, these days, the CA SSO SDK) - when it validates an SMSESSION it does not test for idle timeout.


Here is how to implement idle timeout using API Gateway policy. 


For API Gateway with SSO, here is what we would like to have - when we access a resource with an expired SMSESSION we want to get an error response (here we coded a 401 response):



Normal SSO web agents have idle timeout built in, but when going via API Gateway that is not automatic. The Gateway does test for max session time, but it does not test for idle time expiry, so you need to code it explicitly.


In the policy, included at the end, we first set an idle expiry time (600sec or 5min here):


Our login component accepts either an existing SMSESSION, or requires UN/PW as HTTP Basic credentials:



We then do a few calculations: we compute $deltatime, the time difference between the last time the SMSESSION was updated and the "currenttime" as reported by the policy server:



After calculating $deltatime, we test whether it has exceeded $idletimeout.


If so, we return a template 401 response saying we have exceeded the idle timeout:



And that's it.


There is more in the attached API Gateway policy, including updating the SMSESSION cookie only every 30sec, but for implementing idle timeout on SMSESSION cookies that is all that is needed.
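To make the checks above concrete, here is a small model of the policy logic in Python. This is an added illustration, not the attached Gateway policy and not CA SSO SDK code: the SmSession dataclass, the MAX_SESSION_SEC value and the evaluate_session / build_401_response functions are assumptions that stand in for the values the policy reads from the SMSESSION cookie and the policy server's "currenttime". It models the max-session check the Gateway already does, the $deltatime / $idletimeout comparison that this post adds, and the "refresh the cookie only every 30sec" rule mentioned for the attached policy.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

IDLE_TIMEOUT_SEC = 600      # $idletimeout from the post (600sec)
MAX_SESSION_SEC = 8 * 3600  # constructed value: the SSO max session time
COOKIE_REFRESH_SEC = 30     # attached policy re-issues the cookie only every 30sec


@dataclass(frozen=True)
class SmSession:
    """Constructed stand-in for the fields decoded from an SMSESSION cookie."""
    user: str
    created: int      # epoch seconds when the session was issued
    last_update: int  # epoch seconds when the cookie was last refreshed


def build_401_response(reason: str) -> dict:
    """Hypothetical template error response; mirrors the post's 401 template."""
    return {
        "status": 401,
        "headers": {"Content-Type": "application/json"},
        "body": {"error": "unauthorized", "reason": reason},
    }


def evaluate_session(
    session: SmSession,
    currenttime: int,
    idle_timeout: int = IDLE_TIMEOUT_SEC,
    max_session: int = MAX_SESSION_SEC,
) -> Tuple[int, str, Optional[SmSession]]:
    """Decide whether a request carrying `session` may proceed.

    Returns (http_status, reason, session_to_reissue). The third element is
    None when the request is rejected, the unchanged session when the cookie
    is still fresh enough, or a refreshed copy when it should be re-issued.
    """
    # 1. Max session time: this part the Gateway already enforces.
    if currenttime - session.created > max_session:
        return 401, "max session time exceeded", None

    # 2. Idle timeout: $deltatime = currenttime - last cookie update.
    deltatime = currenttime - session.last_update
    if deltatime > idle_timeout:
        return 401, f"idle timeout exceeded ({deltatime}s > {idle_timeout}s)", None

    # 3. Only re-issue (touch) the SMSESSION cookie every 30sec, so a chatty
    #    client does not rewrite the cookie on every call.
    if deltatime >= COOKIE_REFRESH_SEC:
        return 200, "ok (cookie refreshed)", replace(session, last_update=currenttime)
    return 200, "ok", session


def handle_request(session: SmSession, currenttime: int) -> dict:
    """Glue that turns the decision into a response, like the policy branch."""
    status, reason, reissued = evaluate_session(session, currenttime)
    if status != 200:
        return build_401_response(reason)
    resp = {"status": 200, "body": {"user": session.user}}
    if reissued is not session:
        # Constructed representation of a Set-Cookie with the refreshed session.
        resp["set_cookie"] = f"SMSESSION=<updated last_update={reissued.last_update}>"
    return resp


if __name__ == "__main__":
    s = SmSession(user="alice", created=1000, last_update=1000)
    for now in (1010, 1500, 1600, 1601):
        print(now, handle_request(s, now))
```

The comparison uses a strict "greater than", so a request arriving exactly at the idle limit is still served; if you want the boundary to reject, change it to `>=` in both the code and the policy's comparison assertion. Keeping the max-session check first also means an idle-expired-but-max-expired session reports the more fundamental failure.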


Cheers - Mark

Attachment: zip file (2K), uploaded 05-29-2019