Users asked to authenticate again while session appears to be valid

  • 7007222
  • 17-Nov-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server

Situation

Access Manager setup with the Linux Access Gateway (LAG) protecting back end Web server resources. Multiple proxy services exist for different back end Web servers. All users authenticate at the Identity Server (IDP) using the same contracts assigned to the LAG protected resources. Timeout per protected resource is enabled, with the contract timeout set to 60 minutes. Authentication and single sign-on to the back end Web servers all work fine.

Some users report that while browsing to certain resources they are redirected to the IDP login page again. This often occurs after the user has been idle for a period of time (close to, but short of, the 60 minute timeout) and has then switched applications, and hence proxy services. Due to the nature of some of the back end applications (AJAX based), users would

- get prompted to authenticate again
- loop with 302 redirects between the LAG and IDP servers (some AJAX clients did not send the LAG session cookie back to the LAG server after a redirect)
- sometimes see 403 errors after reauthenticating (in the case of custom login pages submitting credentials twice with an HTTP POST)

When the user has not been idle for a period of time close to the session timeout, the above symptoms never appear.

Resolution

Apply Access Manager 3.1.2 IR3 (3.1.2-345) or greater.

There was an issue with the update status generated by the timeout per protected resource code, causing the ESP and IDP session timeouts to be out of sync after the user had been idle for more than 2/3rds of the configured session timeout.