Configure Enhanced Session Assurance with DeviceDNA™

Enhanced Session Assurance with DeviceDNA™ helps prevent unauthorized users from hijacking legitimate sessions with stolen cookies. Session clients are validated using the unique DeviceDNA™ that the product collects from the user's system. This validation assures that the client that initiated the session is the same client that is requesting access. Users lacking valid DeviceDNA™ are denied access to protected resources with the following error:
Server Error. The server was unable to process your request.
The following illustration describes how to configure Enhanced Session Assurance with DeviceDNA™:
[Figure: enhanced session assurance configuration]
Review Feature Limitations
Enhanced Session Assurance with DeviceDNA™ does not support the following items:
  • Web 2.0 clients
    Web 2.0 applications are built on technologies like AJAX that create web requests which cannot be redirected to CA Access Gateway. Web 2.0 clients include non-browser-based clients (such as a Flickr client on a mobile device). In both cases, some requests can occur that cannot be redirected to the CA Access Gateway instance that hosts the authentication flow application, so Enhanced Session Assurance with DeviceDNA™ cannot support Web 2.0 clients. The login page for Web 2.0 applications can be protected, but not all requests (such as those involving AJAX) can be protected by Enhanced Session Assurance with DeviceDNA™.
  • Custom Agents
    Agents that are created with the CA Single Sign-On SDK do not support Enhanced Session Assurance with DeviceDNA™.
  • Clients that do not support JavaScript and cookies
    The DeviceDNA™ scripts on CA Access Gateway are JavaScript programs that extract information specific to the web client. This client information associates a session with the device or client. Without JavaScript support, DeviceDNA™ cannot be collected, and so Enhanced Session Assurance with DeviceDNA™ cannot associate the session with the device or client. Enhanced Session Assurance with DeviceDNA™ is not supported for clients like Telnet or Lynx.
  • Shared Workstations
    Any shared workstation has the same DeviceDNA™ signature for every user. For example, suppose that a user hijacks a valid SMSESSION cookie from another user of the shared workstation. If the hijacker replays the stolen SMSESSION cookie from the same shared workstation, the product cannot detect the difference. Enhanced Session Assurance with DeviceDNA™ provides protection when a hijacker attempts to replay the stolen SMSESSION cookie from a different device.
  • Authentication/Authorization web services
    Web service client applications handle the authentication and authorization web services (which push back any redirects or responses they receive from the Agent API calls). However, the calling client cannot handle the redirects that are involved in the Enhanced Session Assurance with DeviceDNA™ flow.
  • CA Federation
    The following configuration does not support Enhanced Session Assurance with DeviceDNA™:
    • The SP side of SAML 2.0, SAML 1.1 and WS-Fed
  • ACO parameter
    The following ACO parameter does not support the feature:
    • SSOTrustedZone
 
Note: Session Assurance prevents SMSESSION hijacking, and the Impersonation authentication scheme allows replacement of the SMSESSION. If both features are used at the same time, Session Assurance cannot consume the change in the SMSESSION. Use either Session Assurance or the Impersonation authentication scheme, as the two features are contradictory.
Configure CA Access Gateway
Enhanced Session Assurance with DeviceDNA™ requires CA Access Gateway to operate.
Follow these steps to set up CA Access Gateway:
  1. Install CA Access Gateway.
  2. Configure CA Access Gateway to use SSL connections.
  3. For single sign-on environments using multiple cookie domains, obtain the fully qualified domain name (FQDN) of the cookie provider domain. Specify this name for the ServerName setting when you run the configuration wizard. For example, if your cookie domain is sso.example.com, then set the value of ServerName to sso.example.com in the CA Access Gateway configuration wizard.
  4. Ensure that the SACExt Agent configuration parameter is enabled and contains a three-letter extension. By default, the extension value is .sac.
  5. Ensure that the IgnoreExt configuration parameter contains the value given for SACExt.
    Note: Users can replace the .sac extension with any three-letter extension in this procedure.
Configure your CA Single Sign-On
Enhanced Session Assurance with DeviceDNA™ requires you to install or upgrade your Policy Server to at least 12.6 in your CA Single Sign-On environment. Install your Policy Server and CA Access Gateway on separate computers.
Create Enhanced Session Assurance with DeviceDNA™ End-points
Enhanced Session Assurance with DeviceDNA™ redirects users to the Session Assurance application end points hosted on the CA Access Gateway to collect DeviceDNA™ information. This DeviceDNA™ information validates their sessions.
For performance reasons, we recommend creating one end point for each geographic area in your organization. For example, if you have offices in New York and Chicago, create an end point for each office.
Configure these end points in the CA Single Sign-On user interface before adding Enhanced Session Assurance with DeviceDNA™ to your policies or applications.
 
Follow these steps:
 
  1. From the Administrative UI, click Policies, Global, Session Assurance Endpoints.
  2. Click Create Session Assurance Endpoint.
  3. Enter a descriptive name and an optional description.
  4. Complete the following fields:
    • Web Server Name
      Specifies the name of the CA Access Gateway server that collects the DeviceDNA™ to authenticate users.
    • Port
      Specifies the port number on which the CA Access Gateway is listening for redirections. Configure this port for a secure connection (using SSL).
      Default: 443
    • Target
      Specifies the URL of the CA Access Gateway to which users are silently redirected. This server collects the DeviceDNA™ of the user. The product uses DeviceDNA™ to validate the sessions that are associated with the user.
    • DeviceDNA™ Refresh Interval
      Specifies the number of seconds for which the DeviceDNA™ that is associated with a user remains valid. Users without valid DeviceDNA™ are redirected to the Enhanced Session Assurance end point, where the server obtains current DeviceDNA™ for the user.
      The DeviceDNA™ refresh interval governs the collection of DeviceDNA™. Any request occurring after the refresh interval has expired is redirected to the Authentication Flow application to re-collect the DeviceDNA™.
      The DeviceBinder is a session property that identifies the user that is associated with the session. The DeviceBinder and the client-side Device ID are linked during the authentication process. A unique DeviceHash and an expiration time form this property.
      Default: 300 seconds (5 minutes)
  5. Click Submit.
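As an added illustration, not CA's implementation, of the DeviceBinder check described under the refresh interval above and of the shared-workstation limitation listed earlier: a constructed Python model in which a session carries a DeviceHash plus an expiry, a cookie presented from a different device is denied, an identical device signature passes (the shared-workstation case), and a request after the refresh interval is redirected for re-collection. The attribute set, the hash function and the outcome names are assumptions.

```python
import hashlib

REFRESH_INTERVAL = 300  # seconds; the page's default DeviceDNA refresh interval


def device_hash(attributes: dict) -> str:
    """Hypothetical DeviceHash: digest of the client attributes the DeviceDNA
    script would collect (attribute set is constructed, not CA's)."""
    canonical = "\n".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def bind_session(session: dict, attributes: dict, now: float) -> dict:
    """Attach the DeviceBinder property (DeviceHash plus expiry) to a session
    after the client has been sent to the end point and DeviceDNA collected."""
    session["DeviceBinder"] = {"DeviceHash": device_hash(attributes),
                               "Expires": now + REFRESH_INTERVAL}
    return session


def check_request(session: dict, attributes: dict, now: float) -> str:
    """Decide what happens to a request presenting this session (model only)."""
    binder = session.get("DeviceBinder")
    if binder is None or now >= binder["Expires"]:
        # Refresh interval elapsed: silently redirect to re-collect DeviceDNA.
        return "REDIRECT_TO_ENDPOINT"
    if binder["DeviceHash"] != device_hash(attributes):
        # Cookie presented from a device other than the one bound at login:
        # "Server Error. The server was unable to process your request."
        return "DENY"
    return "ALLOW"


# Constructed sample attributes for two distinct devices.
OFFICE_PC = {"ua": "Mozilla/5.0 (Windows NT 10.0)", "tz": "-300",
             "screen": "1920x1080", "plugins": "pdf"}
OTHER_DEVICE = {"ua": "Mozilla/5.0 (Linux; Android 12)", "tz": "-300",
                "screen": "412x915", "plugins": ""}


def demo() -> dict:
    t0 = 1_700_000_000.0
    session = bind_session({"SMSESSION": "constructed-cookie-value"}, OFFICE_PC, t0)
    return {
        "same_device": check_request(session, OFFICE_PC, t0 + 10),
        "replay_from_other_device": check_request(session, OTHER_DEVICE, t0 + 10),
        # Another user on the same workstation yields the same signature.
        "shared_workstation_limitation": check_request(session, dict(OFFICE_PC), t0 + 10),
        "after_refresh_interval": check_request(session, OFFICE_PC, t0 + REFRESH_INTERVAL),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```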
Add endpoints to your realms
To protect resources in realms using Enhanced Session Assurance with DeviceDNA™, add one session assurance end point to the realm.
Your sessions do not need to be persistent for Enhanced Session Assurance with DeviceDNA™ to work, but ensure that you have configured the Policy Server Session Store to use Session Assurance.
 
Follow these steps:
 
  1. From the Administrative UI, click Policies, Domain, Realms.
  2. Click the edit icon of the realm that you want.
  3. Under Session, click the Enable check box next to Enhanced Session Assurance.
  4. Click Lookup Endpoint.
  5. Pick the endpoint that you want.
  6. Click OK.
  7. Click Submit.
  8. Repeat Steps 2 through 6 for any other realms with resources that you want to protect with the session assurance feature.
 
Note: The old Session Assurance endpoints of 12.5x do not work with this Policy Server version. You must upgrade the CA Access Gateway that is acting as the Session Assurance endpoint.
Add end points to your application components
To protect components in applications using Enhanced Session Assurance with DeviceDNA™, add one enhanced session assurance end point to the component of the associated application.
 
Follow these steps:
 
  1. From the Administrative UI, click Policies, Application, Applications.
    A list of applications appears.
  2. Click the edit icon of the application that you want.
    The Modify Application: dialog appears.
  3. Do one of the following steps:
    • If your application has only one component, click Advanced Settings.
    • If your application has several components, click the edit icon of the component that you want. Click Advanced Settings.
  4. Under Session, select the Enable check box next to Enhanced Session Assurance.
  5. Click Lookup Endpoint.
    A list of end points appears.
  6. Pick the end point that you want.
  7. Click OK.
  8. Click Submit.
    The Modify Application dialog closes and a confirmation message appears.
  9. Repeat Steps 2 through 7 for any other applications with resources that you want to protect with the session assurance feature.
Enable Enhanced Session Assurance with DeviceDNA™ for Federated Partnerships
If you use CA Single Sign-On Federation, you can also enable Enhanced Session Assurance with DeviceDNA™ on the following partnerships:
  • The IdP side of an SP to IdP partnership (HTTP-Redirect binding only).
  • The Producer side of a Consumer to Producer partnership.
  • The AP side of an RP to AP partnership.
 
Follow these steps:
 
  1. From the Administrative UI, click Federation, Partnership Federation, Partnerships.
  2. Click the Action button to the left of the partnership that you want, and then pick Deactivate.
  3. Click the same Action button again, and then pick Modify.
  4. Click the SSO and SLO tab.
  5. Click the following check box:
    Enhanced Session Assurance
    Protects the resources that are specified in the realm (of the Policy domain model) or the component (of the application model). You can also protect the authentication requests of certain federation partnerships. The session assurance end point collects the DeviceDNA™ from the user and validates the session.
    Value: Specify session assurance end points.
    A list of end points appears.
  6. Click the check box of the end point that you want.
  7. Click Save.
  8. Repeat Steps 2 through 7 on any other partnerships that you want.
  9. (For local authentication mode only) Enable Enhanced Session Assurance with DeviceDNA™ on the realm that is associated with the authentication URL (redirect.jsp).
Log Files for Troubleshooting
Transactions involving Enhanced Session Assurance with DeviceDNA™ are recorded in the following log files:
  • Policy Server
    • xps-*.audit—Changes to the configuration settings of the feature.
    • smaccesslog4—Authentication and authorization activity that is related to the feature. We recommend enabling enhanced auditing for this feature.
  • CA Access Gateway (Session Assurance Application)
    The log file location and the log level can be set through a log4j.properties file in the following location:
    CA\secure-proxy\Tomcat\webapps\sessionassuranceapp\WEB-INF\classes
    Default Log Level: INFO
    This log setting is independent of the Access Gateway Server log settings.