Correctly Configuring Realm Timeouts

Document ID : KB000051079
Last Modified Date : 14/02/2018

Description:

User session timeouts are governed by the realm that the user first logs into. If a user enters a new realm through single sign-on, the timeout values for the new realm are still governed by the session that was established by the initial login at the first realm.

Solution:

Enforce Realm Timeouts

To enforce the idle timeout at the realm level, the following three steps need to be taken:

1. Set the EnforceRealmTimeouts agent configuration object (ACO) parameter to yes for the agent that is protecting that particular realm.

2. Set the IdleSessionTimeout for that particular realm at the realm level. This is done in the realm properties for that realm by enabling Idle Timeout and setting the numerical value. This value is set in hours and minutes.

3. Create a WebAgent-OnAuthAcceptSession-Idle-Timeout response and set its value, in seconds, to the desired idle session timeout for that realm. Tie this response to an OnAuthAccept rule under that realm, and include both the OnAuthAccept rule and the WebAgent-OnAuthAcceptSession-Idle-Timeout response in a policy governing that domain. Keep this value consistent with the realm-level setting from step 2, remembering that one is expressed in seconds and the other in hours and minutes.

In the example below, the idle session timeout has been set to 120 seconds for the realm /dummy/.

When a user successfully logs into the dummy realm, an entry in smaccess.log shows the idle session timeout for this realm:

smaccess.log entries show the idle timeout set to 120
-----------------------------------------------------

AuthAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=netelectronics.com" 
"www2.neteelectronics.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
ValidateAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=netelectronics.com" 
"www2.neteelectronics.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
AzAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=netelectronics.com" 
"www2.neteelectronics.com GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]
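The security-relevant point of the three steps above is that, without EnforceRealmTimeouts, a user who first logged into a realm with a long idle timeout carries that timeout into every realm reached by single sign-on, including more sensitive ones. One way to verify the configuration took effect is to read the idletime attribute that smaccess.log records for each realm and compare it with the value you configured. The following checker is an added example and is not part of this article or of the product; the sample log text is constructed from the entries above plus one made-up /other/ realm line, and the EXPECTED_IDLE table is an assumption standing in for your own per-realm configuration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the smaccess.log entries shown in the article.
# The final ValidateAccept line for /other/ is constructed to show a session
# whose idletime (3600) still comes from the realm the user first logged into.
SAMPLE_SMACCESS = """\
AuthAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=netelectronics.com" "www2.neteelectronics.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
ValidateAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=netelectronics.com" "www2.neteelectronics.com GET/dummy/hello.html" [idletime=120;maxtime=0;authlevel=5;] [0]
AzAccept www2 [08/May/2009:13:56:40 -0500] "192.168.87.129 uid=testuser,ou=People, o=netelectronics.com" "www2.neteelectronics.com GET/dummy/hello.html" [8157a8c0-01f4-4a047256-0c40-010908cc] [0]
ValidateAccept www2 [08/May/2009:13:57:02 -0500] "192.168.87.129 uid=testuser,ou=People, o=netelectronics.com" "www2.neteelectronics.com GET/other/index.html" [idletime=3600;maxtime=0;authlevel=5;] [0]
"""

# Assumed per-realm idle timeouts in seconds, i.e. what you configured on each
# realm's WebAgent-OnAuthAcceptSession-Idle-Timeout response (hypothetical values).
EXPECTED_IDLE: Dict[str, int] = {"/dummy/": 120, "/other/": 300}

# Shape of a smaccess.log line as shown in the article. The resource field is
# written "GET/dummy/hello.html" in the sample, so the space after the method
# is optional.
LINE_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<agent>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<client>[^"]*)"\s+'
    r'"(?P<host>\S+)\s+(?P<method>[A-Z]+)\s*(?P<resource>[^"\s]*)"\s+'
    r'\[(?P<attrs>[^\]]*)\]\s+\[(?P<status>[^\]]*)\]\s*$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one smaccess.log line; return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The bracketed attribute field is either "k=v;k=v;" or a bare session id.
    attrs: Dict[str, str] = {}
    for part in rec["attrs"].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    rec["attrs"] = attrs
    return rec


def realm_of(resource: str, realms: Dict[str, int]) -> Optional[str]:
    """Longest configured realm prefix that the requested resource falls under."""
    hits = [r for r in realms if resource.startswith(r)]
    return max(hits, key=len) if hits else None


def check_realm_timeouts(log_text: str, expected: Dict[str, int]) -> List[dict]:
    """Compare the idletime recorded for each realm with the configured value."""
    findings: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # AzAccept lines carry a session id instead of timeouts; skip them.
        if rec is None or "idletime" not in rec["attrs"]:
            continue
        realm = realm_of(rec["resource"], expected)
        if realm is None:
            continue
        observed = int(rec["attrs"]["idletime"])
        findings.append({
            "event": rec["event"],
            "realm": realm,
            "resource": rec["resource"],
            "observed": observed,
            "expected": expected[realm],
            "ok": observed == expected[realm],
        })
    return findings


def realms_not_enforced(findings: List[dict]) -> List[str]:
    """Realms where at least one session did not carry the configured idletime."""
    return sorted({f["realm"] for f in findings if not f["ok"]})


if __name__ == "__main__":
    results = check_realm_timeouts(SAMPLE_SMACCESS, EXPECTED_IDLE)
    for f in results:
        flag = "OK " if f["ok"] else "BAD"
        print(f"{flag} {f['event']:<15} {f['realm']:<9} idletime={f['observed']} expected={f['expected']}")
    print("realms not enforcing their timeout:", realms_not_enforced(results))
```

Run it against a real smaccess.log by replacing SAMPLE_SMACCESS with the file contents; a BAD line for a realm after the three steps were applied usually means the agent protecting that realm still has EnforceRealmTimeouts set to no, or the OnAuthAccept response is not bound to a policy in that realm's domain.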

After 120 seconds, when the user tries to access the same resource again in the same browser window, a timeout message is written to the web agent trace and the user is redirected to the authentication scheme's login page:

[05/08/2009][13:59:11][500][3136][8157a8c0-01f4-4a0472ef-0c40-00cb1dff][CSmHttpPlugin::ProcessSessionCookie]
[SMSESSION cookie has expired and will not be used to authenticate.]           
.       
.  
[05/08/2009][13:59:11][500][3136][8157a8c0-01f4-4a0472ef-0c40-00cb1dff][HandleCredCollectorChallenge]
[Redirecting for credentials 'http://www2.netelectronics.com:8181/siteminderagent/forms
/login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&SMAUTHREASON=0&METHOD=
GET&SMAGENTNAME=-SM-7HjqXMxdZMsmzmQMvT4yRw7ijviUPAE4TDXi3cSIF4B%2byOLAdO1ByRj6FqLANmAQ&TARGET=
-SM-http%3a%2f%2fwww2%2enetelectronics%2ecom%2fdummy%2fhello%2ehtml'.]  

In the corresponding HTTP headers for this transaction, after the user has been timed out, we can see that the SMSESSION cookie is set to LOGGEDOFF:

GET /siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=
&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-7HjqXMxdZMsmzmQMvT4yRw7ijviUPAE4TDXi3cSIF4B%2byOLAdO1ByRj6FqLANmAQ&
TARGET=-SM-http%3a%2f%2fwww2%2enetelectronics%2ecom%2fdummy%2fhello%2ehtml HTTP/1.1         
Accept: */*       
Referer: http://www2.netelectronics.com:8181/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=
06-882687cf-0ba0-4d49-a332-8fc2db8b2653&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=
-SM-7HjqXMxdZMsmzmQMvT4yRw7ijviUPAE4TDXi3cSIF4B%2byOLAdO1ByRj6FqLANmAQ&TARGET=-SM-http%3a%2f%2fwww2
%2enetelectronics%2ecom%2fdummy%2fhello%2ehtml         
Accept-Language: en-us       
UA-CPU: x86       
Accept-Encoding: gzip, deflate       
If-Modified-Since: Fri, 24 Apr 2009 16:57:33 GMT       
If-None-Match: "3441c6c2fdc4c91:8ad"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727) 
Cookie: SMSESSION=LOGGEDOFF 
Connection: Keep-Alive       
Host: www2.netelectronics.com:8181

Thus, we see that EnforceRealmTimeouts was correctly enforced at the realm level: the 120-second idle timeout configured for /dummy/ was applied to the session, rather than the timeout of the realm the user first logged into.