Agent for SharePoint doesn't seem to handle Session Assurance ticket

Document ID : KB000004618
Last Modified Date : 14/02/2018
Issue:

When I run Agent for SharePoint, the Session Assurance
feature doesn't work:

When I replay a session by copying the SMSESSION cookie from
Chrome to the Firefox browser, I get authenticated without having
to log in again in SharePoint applications.
Environment:
Policy Server 12.52SP2
Agent for SharePoint 12.52SP1CR04
SPS 12.52SP1CR05

Cause:

Device DNA Session Assurance is implemented in
SPS only at the moment.

As mentioned in the documentation:

The application that drives the DeviceDNA checks is hosted
on by the CA Access Gateway. This proxy server can perform
the standard functions, such as web proxy or SAML federation
functions or it can be a separate stand-alone instance that
is dedicated to servicing the Enhanced Session Assurance
transactions. The CA Access Gateway performance is also
dependent on a number of parameters such as, but not limited
to, authentication and authorization transactions per second,
the ratio of authentications to authorizations within the
environment, the length of user sessions, and the frequency
of revalidations.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna

The Agent for SharePoint handles a more complex flow involving federation
and POST requests, and with a standalone SPS, the integration of Session Assurance
with Agent for SharePoint is out of support.

For your reference, here are some limitations of Session Assurance:

DeviceDNA doesn't support POST requests:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/enhanced-session-assurance-with-devicedna/how-to-configure-enhanced-session-assurance-with-devicedna#HowtoConfigureEnhancedSessionAssurancewithDeviceDNA%E2%84%A2-LimitationsofEnhancedSessionAssurancewithDeviceDNA%E2%84%A2

Agent for SharePoint uses auto POST requests:

https://docops.ca.com/ca-single-sign-on-agent-for-sharepoint/12-52-sp1/en/reference/saml-autopost-frequency

As such, the Agent for SharePoint needs to be enhanced to properly handle Session Assurance.

Resolution:

To get Session Assurance integrated into Agent for SharePoint, please open an
Idea on the Security page:

https://communities.ca.com/message/241729406

In addition, to help you increase session security, you might take a look at the SessionLinker
feature in the Agent for SharePoint:

https://docops.ca.com/ca-single-sign-on-agent-for-sharepoint/12-52-sp1/en/configuring/use-the-session-linker