SiteMinder provides the ability to create response objects that redirect a request under certain conditions. For example, you can create a response that redirects a request to a custom error page after a failed authentication (OnRejectRedirect). By default for cookieless session schemes that rewrite a requested URL (Simple URL Rewriting), the SPS recognizes a user session information after a redirection.
To terminate a user session after a redirection, create a response attribute in SiteMinder for the relevant policy that modifies the value of the SiteMinder SM_REWRITE_URL header. This HTTP header must be set to NO to force a new session after a redirection.
For example, if you have a resource in realmA that is protected by an authentication scheme with a protection level of 5, and a second resource in realmB protected by authentication scheme with a protection level of 10, a user who successfully authenticates in realmA will be challenged for credentials when moving to realmB (due to the higher protection level).
If an OnRejectRedirect response is associated with realmB and the user fails to authenticate when challenged for credentials in realmB, the default behavior of the SPS maintains the user’s original session information even after the user is redirected to a custom error page.
To terminate the user’s session after the redirect and force an entirely fresh session on the next login attempt, you must create a response attribute that sets the SM_REWRITE_URL=NO, and associate the response with the appropriate policy.
Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |