SMSESSION Validation success even for disabled user

Document ID : KB000099641
Last Modified Date : 13/06/2018
Question:
Scenario is that we are validating SMSESSION and we have the following queries:

TEST 1: 

1. User logs in and has a valid SMSESSION.
2. User account is locked temporarily in another session i.e. a new login
   call is made and the user is locked/disabled.
3. Tried using the existing SMSESSION we had captured for the success
   scenario and noticed that the login is permitted i.e. SMSESSION is
   still validated.

Here, the smsession is validated even though the user is locked out in
another session. Does SM policy server check the user status
i.e. sm-disabled-flag while validating the smsession?

TEST 2: 

1. User logs in and has a valid SMSESSION.
2. Change the UD's DSN 
3. Tried using the existing SMSESSION we had captured for the success
   scenario and noticed that the login is permitted i.e. SMSESSION is
   still validated.

Here, the SMSESSION is still validated even though the UD is using an
incorrect DSN. Does the SM disambiguate during the validate session call?


TEST3: 

1. User logs in and has a valid SMSESSION.
2. Change one of the user attributes
3. Tried using the existing SMSESSION we had captured for the success
   scenario and noticed that the login is permitted i.e. SMSESSION is
   still validated.

Here, the user attribute change is not reflected. Does the PS check for
any user attribute changes while doing the validate session call?

Questions:

1. Does SM policy server check the user status i.e. sm-disabled-flag
   while validating the smsession?

2. Does the SM disambiguate during the validate session call?

3. Does the PS check for any user attribute changes while doing the
   validate session call?
Answer:
1. Yes, but if the Web Agent answers the validation from its own session
   cache, the Policy Server is never consulted, so the disabled flag is
   not seen until the cached entry expires.

2. Yes, with the same caveat: if the Web Agent serves the session from
   its cache, the Policy Server does not disambiguate. Furthermore, the
   Policy Server has its own user cache, so even a validation that does
   reach it may be answered from cached user data rather than from the
   user directory.

3. Yes, provided the session is in neither the Web Agent cache nor the
   Policy Server user cache.

Note:

You can configure the Web Agent cache with a shorter lifespan. Cached validations then expire sooner, so a change such as a disabled account is picked up by the Policy Server earlier. The drawback is that more calls are made to the Policy Server, which might affect its performance.
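The behaviour in TEST 1 and the trade-off in the note above, replayed in a small constructed model. This is added example code, not SiteMinder or CA code: `PolicyServer`, `AgentSessionCache`, the `ttl` parameter and the user name `alice` are illustrative assumptions, and the cache is modelled simply as "a successful validation is trusted until it ages out". The model shows how long a disabled user's existing session keeps being accepted for a given cache lifetime, and how many validation calls reach the server as that lifetime shrinks.

```python
"""Constructed model of an agent-side session cache in front of an
authoritative policy server. Illustrative only; not SiteMinder code."""
from dataclasses import dataclass, field


@dataclass
class PolicyServer:
    """Authoritative side (assumed): knows which users are disabled and
    counts how often it is actually asked to validate a session."""
    disabled: set = field(default_factory=set)
    validate_calls: int = 0

    def validate_session(self, user: str) -> bool:
        self.validate_calls += 1
        return user not in self.disabled


@dataclass
class AgentSessionCache:
    """Agent side (assumed): a successful validation is reused until it
    ages out, so the server is not consulted while the entry is fresh."""
    server: PolicyServer
    ttl: float                                   # seconds a cached "valid" is trusted
    _entries: dict = field(default_factory=dict)  # user -> expiry timestamp

    def is_valid(self, user: str, now: float) -> bool:
        expiry = self._entries.get(user)
        if expiry is not None and now < expiry:
            return True                          # served from cache, server not asked
        ok = self.server.validate_session(user)
        if ok:
            self._entries[user] = now + self.ttl
        else:
            self._entries.pop(user, None)        # never cache a rejection
        return ok


def revocation_window(ttl: float, disable_at: float,
                      step: float = 1.0, horizon: float = 60.0):
    """Replay TEST 1: log in at t=0, disable the user at disable_at, keep
    presenting the old session once per `step` until `horizon`.

    Returns (seconds the session was still accepted after the disable,
             total validation calls that reached the server)."""
    server = PolicyServer()
    cache = AgentSessionCache(server, ttl)
    user = "alice"                               # constructed sample user
    cache.is_valid(user, 0.0)                    # step 1: login, valid session
    last_accepted = None
    t = step
    while t <= horizon:
        if t == disable_at:
            server.disabled.add(user)            # step 2: disabled elsewhere
        if cache.is_valid(user, t) and t >= disable_at:
            last_accepted = t                    # step 3: old session still OK
        t += step
    lag = 0.0 if last_accepted is None else last_accepted - disable_at
    return lag, server.validate_calls


if __name__ == "__main__":
    for ttl in (30.0, 5.0, 0.0):
        lag, calls = revocation_window(ttl, disable_at=12.0)
        print(f"cache ttl {ttl:>4}s: accepted {lag:>4}s after disable, "
              f"{calls} server calls")
```

With a 30 second cache the disabled user's session is accepted for 17 more seconds; with a 5 second cache for 2 seconds; with no cache it is rejected immediately, but every request becomes a Policy Server call. The worst-case acceptance window after a disable is bounded by the cache lifetime, which is the number to set against the server load you can tolerate.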