Configure Enhanced Session Assurance with DeviceDNA™
Enhanced Session Assurance with DeviceDNA™ helps prevent unauthorized users from hijacking legitimate sessions with stolen cookies. The session clients are validated using the unique DeviceDNA™ that the product collects from the system of the user. This validation assures that the client who initiated the session is the same client that is requesting access. Users lacking valid DeviceDNA™ are denied access to protected resources with the following error:
Server Error. The server was unable to process your request.
The following illustration describes how to configure Enhanced Session Assurance with DeviceDNA™:
Review Feature Limitations
Enhanced Session Assurance with DeviceDNA™ does not support the following items:
- Web 2.0 clients: Web 2.0 applications are built on technologies like AJAX that create web requests which cannot be redirected to CA Access Gateway. Web 2.0 clients also include non-browser-based clients (such as a Flickr client on a mobile device). In both cases, some requests can occur that cannot be redirected to the CA Access Gateway instance that hosts the authentication flow application, so Enhanced Session Assurance with DeviceDNA™ cannot support Web 2.0 clients. The login page of a Web 2.0 application can be protected, but not all of its requests (such as those involving AJAX) can be protected by Enhanced Session Assurance with DeviceDNA™.
- Custom Agents: Agents that are created with the CA Single Sign-On SDK do not support Enhanced Session Assurance with DeviceDNA™.
- Shared Workstations: Any shared workstation has the same DeviceDNA™ signature for every user. For example, suppose that a user hijacks a valid SMSESSION cookie from another user of the shared workstation. If the hijacker replays the stolen SMSESSION cookie from the same shared workstation, the product cannot detect the difference. Enhanced Session Assurance with DeviceDNA™ provides protection when a hijacker attempts to replay the stolen SMSESSION cookie from a different device.
- Authentication/Authorization web services: Web service client applications handle the authentication and authorization web services (which push back any redirects or responses they receive from the Agent API calls). However, the calling client cannot handle the redirects that are involved in the Enhanced Session Assurance with DeviceDNA™ flow.
- CA Federation: The following configuration does not support Enhanced Session Assurance with DeviceDNA™:
  - The SP side of SAML 2.0, SAML 1.1 and WS-Fed
- ACO parameter: The following ACO parameter does not support the feature:
Note: Session Assurance prevents SMSESSION hijacking, while the Impersonation authentication scheme allows replacement of the SMSESSION. If both features are used at the same time, Session Assurance cannot consume the change in the SMSESSION. Use either Session Assurance or the Impersonation authentication scheme, because the two features are contradictory.
CA Access Gateway
Enhanced Session Assurance with DeviceDNA™ requires CA Access Gateway to operate.
Follow these steps to set up CA Access Gateway:
- Install CA Access Gateway.
- Configure CA Access Gateway to use SSL connections.
- For single sign-on environments using multiple cookie domains, obtain the fully qualified domain name (FQDN) of the cookie provider domain. Specify this name for the ServerName setting when you run the configuration wizard. For example, if your cookie domain is sso.example.com, then set the value of ServerName to sso.example.com in the CA Access Gateway configuration wizard.
- Ensure that the SACExt Agent configuration parameter is enabled and contains a three-letter extension. By default, the extension value is .sac.
- Ensure that the IgnoreExt configuration parameter contains the value given for SACExt. Note: Users can replace the .sac extension with any three-letter extension in this procedure.
CA Single Sign-On
Enhanced Session Assurance with DeviceDNA™ requires you to install or upgrade your Policy Server to at least 12.6 in your CA Single Sign-On environment. Install your Policy Server and CA Access Gateway on separate computers.
Create Enhanced Session Assurance with DeviceDNA™ End-points
Enhanced Session Assurance with DeviceDNA™ redirects users to the Session Assurance application end points hosted on the CA Access Gateway to collect DeviceDNA™ information. This DeviceDNA™ information validates their sessions.
For performance reasons, we recommend creating one end point for each geographic area in your organization. For example, if you have offices in New York and Chicago, create an end point for each office.
Configure these end points in the CA Single Sign-On user interface before adding Enhanced Session Assurance with DeviceDNA™ to your policies or applications.
Follow these steps:
- From the Administrative UI, click Policies, Global, Session Assurance Endpoints.
- Click Create Session Assurance Endpoint.
- Enter a descriptive name and an optional description.
- Complete the following fields:
- Web Server Name: Specifies the name of the CA Access Gateway server which collects the DeviceDNA™ to authenticate users.
- Port: Specifies the port number on which the CA Access Gateway is listening for redirections. Configure this port for a secure connection (using SSL). Default: 443
- Target: Specifies the URL of the CA Access Gateway to which the users are silently redirected. This server collects the DeviceDNA™ of the user. The product uses DeviceDNA™ to validate the sessions that are associated with the user.
- DeviceDNA™ Refresh Interval: Specifies the number of seconds for which the DeviceDNA™ that is associated with a user remains valid. Users without valid DeviceDNA™ are redirected to the Enhanced Session Assurance end point, where the server obtains current DeviceDNA™ for the user. The DeviceDNA™ refresh interval governs the collection of DeviceDNA™: any request occurring after the refresh interval expires is redirected to the Authentication Flow application to re-collect the DeviceDNA™. The DeviceBinder is a session property that identifies the user that is associated with the session; the DeviceBinder and the client-side Device ID are linked during the authentication process. A unique DeviceHash and an expiration time form this property. Default: 300 seconds (5 minutes)
- Click Submit.
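The check that the feature overview and the DeviceDNA™ Refresh Interval field describe (a session bound to a DeviceHash with an expiration; a cookie replayed from a different device rejected; a request after the interval sent back to the end point for re-collection) can be modelled in a short script. The following is an added Python example written for this page, not CA's code or API: the class and function names, the HMAC-based derivation of the hash from collected attributes, the constructed device attributes and secret, and the allow/deny/refresh outcomes are all assumptions. Only the 300-second default and the DeviceBinder's hash-plus-expiry shape come from the page. The walkthrough in demo() also covers the shared-workstation limitation listed above, where the same hash cannot distinguish two users of one machine.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Page-stated default; everything else in this file is a constructed model.
REFRESH_INTERVAL = 300
ALLOW, DENY, REFRESH = "allow", "deny", "refresh"


def device_hash(device_dna: dict, secret: bytes) -> str:
    """Derive a DeviceHash from collected device attributes (assumed scheme).

    Attributes are canonicalised as sorted key=value lines and keyed-hashed,
    so the session store holds a fixed-size hash rather than the raw
    fingerprint, and attribute order cannot change the result.
    """
    canonical = "\n".join(f"{k}={device_dna[k]}" for k in sorted(device_dna))
    return hmac.new(secret, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class DeviceBinder:
    """Session property pairing a DeviceHash with its expiration time."""
    device_hash: str
    expires_at: float


@dataclass
class Session:
    user: str
    binder: Optional[DeviceBinder] = None


class SessionStore:
    """Minimal stand-in for a session store that enforces device binding."""

    def __init__(self, secret: bytes, refresh_interval: int = REFRESH_INTERVAL,
                 now: Callable[[], float] = time.time):
        self._secret = secret
        self._interval = refresh_interval
        self._now = now  # injectable clock so the refresh path can be exercised
        self._sessions: Dict[str, Session] = {}

    def create_session(self, user: str) -> str:
        """Issue a random session identifier (stands in for the SMSESSION value)."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user=user)
        return session_id

    def bind_device(self, session_id: str, device_dna: dict) -> None:
        """What the end point does once it has collected DeviceDNA: store the binder."""
        self._sessions[session_id].binder = DeviceBinder(
            device_hash=device_hash(device_dna, self._secret),
            expires_at=self._now() + self._interval,
        )

    def check_request(self, session_id: str, presented_dna: dict) -> str:
        """Decide a protected-resource request: allow, deny, or redirect to refresh."""
        session = self._sessions.get(session_id)
        if session is None:
            return DENY
        binder = session.binder
        if binder is None or self._now() >= binder.expires_at:
            # No binder yet, or the refresh interval elapsed: re-collect DeviceDNA.
            return REFRESH
        presented = device_hash(presented_dna, self._secret)
        if not hmac.compare_digest(presented, binder.device_hash):
            return DENY  # cookie presented from a device other than the bound one
        return ALLOW


def demo() -> dict:
    """Walk through the cases the documentation describes, using a fake clock."""
    clock = [1_000.0]
    store = SessionStore(secret=b"constructed-demo-secret", now=lambda: clock[0])
    # Constructed device attributes standing in for collected DeviceDNA.
    laptop = {"ua": "Mozilla/5.0 (X11)", "screen": "1920x1080", "tz": "UTC"}
    phone = {"ua": "Mozilla/5.0 (Android)", "screen": "1080x2400", "tz": "UTC"}

    cookie = store.create_session("alice")
    results = {"before_collection": store.check_request(cookie, laptop)}
    store.bind_device(cookie, laptop)  # end point collected DeviceDNA for the laptop
    results["legitimate"] = store.check_request(cookie, laptop)
    results["stolen_other_device"] = store.check_request(cookie, phone)
    # Shared workstation: a second user on the same machine presents the same DNA.
    results["stolen_same_workstation"] = store.check_request(cookie, dict(laptop))
    clock[0] += REFRESH_INTERVAL  # refresh interval elapses
    results["after_interval"] = store.check_request(cookie, laptop)
    store.bind_device(cookie, laptop)  # re-collected at the end point
    results["after_recollect"] = store.check_request(cookie, laptop)
    results["unknown_cookie"] = store.check_request("not-a-session", laptop)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26} -> {outcome}")
```

The point of the walkthrough is the pair of results for the stolen cookie: a replay from the phone is denied because the hash differs, while a replay from the same workstation is allowed because nothing in the hash distinguishes the two users, which is exactly the limitation the page lists.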
Add endpoints to your realms
To protect resources in realms using Enhanced Session Assurance with DeviceDNA™, add one session assurance end point to the realm.
Your sessions do not need to be persistent for Enhanced Session Assurance with DeviceDNA™ to work but ensure that you configured Policy Server Session Store to use Session Assurance.
Follow these steps:
- From the Administrative UI, click Policies, Domain, Realms.
- Click the edit icon of the realm that you want.
- Under Session, click the Enable check box next to Enhanced Session Assurance.
- Click Lookup Endpoint.
- Pick the endpoint that you want.
- Click OK.
- Click Submit.
- Repeat Steps 2 through 6 for any other realms with resources that you want to protect with the session assurance feature.
Note: The old Session Assurance endpoints of 12.5x do not work with this Policy Server version. You must upgrade the CA Access Gateway that is acting as the Session Assurance endpoint.
Add end points to your application components
To protect components in applications using Enhanced Session Assurance with DeviceDNA™, add one enhanced session assurance end point to the component of the associated application.
Follow these steps:
- From the Administrative UI, click Policies, Application, Applications. A list of applications appears.
- Click the edit icon of the application that you want. The Modify Application dialog appears.
- Do one of the following steps:
- If your application has only one component, click Advanced Settings.
- If your application has several components, click the edit icon of the component that you want. Click Advanced Settings.
- Under Session, select the Enable check box next to Enhanced Session Assurance.
- Click Lookup Endpoint. A list of end points appears.
- Pick the end point that you want.
- Click OK.
- Click Submit. The Modify Application dialog closes and a confirmation message appears.
- Repeat Steps 2 through 7 for any other applications with resources that you want to protect with the session assurance feature.
Enable Enhanced Session Assurance with DeviceDNA™ for Federated Partnerships
If you use CA Single Sign-On Federation, you can also enable Enhanced Session Assurance with DeviceDNA™ on the following partnerships:
- The IdP side of an SP to IdP partnership (HTTP-Redirect binding only).
- The Producer side of a Consumer to Producer partnership.
- The AP side of an RP to AP partnership.
Follow these steps:
- From the Administrative UI, click Federation, Partnership Federation, Partnerships.
- Click the Action button to the left of the partnership that you want, and then pick Deactivate.
- Click the same Action button again, and then pick Modify.
- Click the SSO and SLO tab.
- Click the following check box. Enhanced Session Assurance: Protects the resources that are specified in the realm (of the Policy domain model) or the component (of the application model). You can also protect the authentication requests of certain federation partnerships. The session assurance end point collects the DeviceDNA™ from the user and validates the session. Value: Specify session assurance end points. A list of end points appears.
- Click the check box of the end point that you want.
- Click Save.
- Repeat Steps 2 through 7 on any other partnerships that you want.
- (For local authentication mode only) enable Enhanced Session Assurance with DeviceDNA™ on the realm that is associated with the authentication URL (redirect.jsp).
Log Files for Troubleshooting
Transactions involving Enhanced Session Assurance with DeviceDNA™ are recorded in the following log files:
- Policy Server
  - xps-*.audit: Changes to the configuration settings of the feature.
  - smaccesslog4: Authentication and authorization activity that is related to the feature. We recommend enabling enhanced auditing for this feature.
- CA Access Gateway (Session Assurance Application): The log file location and the log level can be set through a log4j.properties file in the following location: CA\secure-proxy\Tomcat\webapps\sessionassuranceapp\WEB-INF\classes. Default Log Level: INFO. This log setting is independent of the Access Gateway Server log settings.