

SAML Autopost Frequency

The following settings determine the frequency at which a SAML autopost operation occurs in your SiteMinder and SharePoint environments:

If these settings create a short interval, pop-up windows related to the autopost operation appear. If these settings create a longer interval, inactive users remain logged in for longer periods than the security policies of your organization prefer.

The following illustration describes the relationships among components that affect how often the SAML autopost occurs:

The skew time plus the validity interval should equal the LoginCacheExpirationWindow value plus one minute.

The following table provides some examples of how changes in the Login Cache Token value on SharePoint change how often the SAML autopost occurs:

| Realm Idle Timeout (SiteMinder) | Realm Max Timeout (SiteMinder) | Validity Period | Skew Time | Logon Token Cache Expiration Window (SharePoint) | Approximate Time Between SAML Auto Post Operations |
|---|---|---|---|---|---|
| 1 hour | 1 hour | 4400 seconds (1 hour 13 minutes) | 10 seconds | 10 minutes | 63 minutes |
| 1 hour | 1 hour | 4400 seconds (1 hour 13 minutes) | 10 seconds | 5 minutes | 68 minutes |

When the Logon Token Cache Expiration Window setting in SharePoint is lower, the SAML autopost operation occurs less often. However, inactive users could remain logged in.

Note: For more information about how to disable FedAuth cookies in SharePoint 2010, go to the TechNet Blogs website, and then search for the following phrase:

"Setting the Login Token Expiration Correctly for SharePoint 2010 SAML Claims Users"
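
The following PowerShell script is an added example, not taken from the CA documentation. It reads the SharePoint security token service setting that corresponds to the Logon Token Cache Expiration Window column and applies the value from the second table row. It assumes the interval is roughly the validity period minus the window, which is what both table rows show; $MaxInactiveMinutes is a hypothetical policy limit.

```powershell
# Added example: inspect and adjust the SharePoint 2010 logon token cache window.
# Run in the SharePoint 2010 Management Shell as a farm administrator.
# Defaults for the validity period and the window come from the second table row;
# $MaxInactiveMinutes is a hypothetical policy limit chosen for illustration.
param(
    [int]$ValidityPeriodSeconds = 4400,
    [int]$NewWindowMinutes      = 5,
    [int]$MaxInactiveMinutes    = 70
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Show the value that is currently configured on the farm.
$sts = Get-SPSecurityTokenServiceConfig
Write-Host ("Current LogonTokenCacheExpirationWindow: {0}" -f $sts.LogonTokenCacheExpirationWindow)

$validity = New-TimeSpan -Seconds $ValidityPeriodSeconds
$window   = New-TimeSpan -Minutes $NewWindowMinutes

# A window as long as the validity period would leave no usable interval.
if ($window -ge $validity) {
    throw "The window ($window) must be shorter than the validity period ($validity)."
}

# Assumption from the table rows: interval is about validity period minus window.
$interval = $validity - $window
Write-Host ("Approximate time between autoposts: {0:N0} minutes" -f $interval.TotalMinutes)

# Refuse a value that keeps inactive users logged in longer than policy allows.
if ($interval.TotalMinutes -gt $MaxInactiveMinutes) {
    throw "Interval exceeds the ${MaxInactiveMinutes}-minute policy limit; no change made."
}

$sts.LogonTokenCacheExpirationWindow = $window
$sts.Update()
Write-Host ("New LogonTokenCacheExpirationWindow: {0}" -f $sts.LogonTokenCacheExpirationWindow)
```

With the defaults, the script reports an interval of 68 minutes, matching the second table row.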

Create a SharePoint Connection

The CA SiteMinder® Agent for SharePoint uses a connection wizard to define the connection parameters that are used when CA SiteMinder® communicates with your SharePoint server. The connection wizard does the following tasks:

Follow these steps:

  1. Perform the following:
    1. Navigate to the following directory:
      Agent-for-SharePoint_home/sharepoint_connection_wizard
      
    2. Right-click the executable and select Run as administrator.

      The SharePoint Connection wizard starts.

    1. Navigate to the following directory:
      Agent-for-SharePoint_home/sharepoint_connection_wizard
      
    2. Enter one of the following commands:
      • Solaris: sh ./ca-spconnect-12.0-sp3-sol.bin
      • Linux: sh ./ca-spconnect-12.0-sp3-rhel30.bin

      The SharePoint Connection wizard starts.

  2. Complete the wizard using the information you gathered.
  3. Click Install.

    The Save Complete screen appears and shows the location of your PowerShell script. The PowerShell script is created in the following directory:

    Agent-for-SharePoint_home/sharepoint_connection_wizard/
    

    The connection wizard uses the connection name that you specified (in Step 8) as the name of the PowerShell script. For example, if you specify my_sharepoint_connection for a connection name in the connection wizard, then the name of the PowerShell script is my_sharepoint_connection.ps1.

  4. Click Done.

    The connection wizard closes.
