How the realm idle timeout enforcement is applied to login pages?

Document ID:  TEC1430662
Last Modified Date:  08/11/2017
{{active ? 'Hide' : 'Show'}} Technical Document Details

Products

  • CA Single Sign-On

Releases

  • CA Single Sign-On:Release:12.52 SP1

Components

  • SITEMINDER -POLICY SERVER:SMPLC
  • SITEMINDER -WEB AGENT FOR APACHE:SMAPC
  • SITEMINDER -WEB AGENT FOR IIS:SMIIS
Question:

The below document says default value for EnforceRealmTimeouts is NO

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/list-of-agent-configuration-parameters

Our Policy Server is : R12.52 SP1 CR06

In our login domain, where the session cookie is getting generated, we have defined the realm with an idle timeout of 1 hour, and an application realm has 2 hours instead. We don't have the EnforceRealmTimeouts parameter specified neither in login domain Web Agent or application Web Agent, however the behavior we see is the idle timeout is being overwritten by the application agent.

Why is this happening?

Environment:
Policy Server R12.52 SP1 CR06 Web Agent R12.52 SP1 CR06
Answer:

Even if the login server has (and applied) its own idle timeout, it is the first realm where the user logs in the one which is managing the idle timeout:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/web-agent-configuration/session-protection/enforce-timeouts-across-multiple-realms

Actually, the user journey does not start in the login page Web Agent, but in the application Web Agent. When your user goes to the application, they are triggering the login process as they have not an active session, and then they are redirected to the login page (on your login Web Agent), and the session cookie is generated. Hence, when the user has successfully logged is returned back to the application Web Agent which validates the session, and then applies the Idle timeout value for its realm as per the document above.

Please help us improve!

Will this information enable you to resolve your issue?

Please tell us what we can do better.

{{feedbackText.length ? feedbackText.length : '0'}}/255

{{status}}

Not what you were looking for?

Search Again >

Product Information

Support by Product >

Communities

Join a Community >