15.0 Setting Up Session Assurance

With the introduction of risk-based authentication mechanisms combined with strong authentication methods, manipulating user credentials to gain unauthorized access has become very difficult. Many web applications use cookies to manage user sessions. Numerous basic security measures are available to secure the session cookie. However, cookies remain susceptible to replay attacks. Session timeouts and IP address validation can reduce the chance of a replay, but a stolen session cookie can still be misused to gain unauthorized access to an active session.

Session Assurance enables you to prevent session replay attacks by adding an additional layer of security to your sessions. When a session is established, Access Manager creates a unique fingerprint of the device from which the session is established. During the session, at a configurable time interval, Access Manager validates the session to ensure that the fingerprint matches with that of the device it originated from.

Access Manager also generates a new ID for the session at a specified time interval. If the fingerprint or the session ID does not match, Access Manager logs the user out and invalidates the session.

Session Assurance provides three levels of protection as follows:

  • Session Renewal: A new ID for the active session is generated at the specified interval. Even after enabling fingerprinting, if intruders steal the session ID, they cannot hijack the session as the ID keeps changing after the specified time. In a fresh install, this is enabled for both Identity Server and Access Gateway by default. However, it is disabled for both Identity Server and Access Gateway in an upgraded setup.

  • Device Fingerprinting: A fingerprint is created by using parameters fetched from the user's device, such as hardware parameters and screen resolution.

  • Server-side Fingerprinting: A fingerprint is created by using parameters fetched at the server side from the request, such as HTTP headers or the IP address.
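The following Python program is an added example, not Access Manager code, that simulates how these layers interact on the server side: a session is bound at login to a server-side fingerprint built from the client IP and the User-Agent header (the Request Parameters of Table 15-1), every request is validated against that fingerprint, and the session ID is renewed once a configurable interval has elapsed while the previous ID is still accepted for a short grace period (the IDC COOKIE GRACEPERIOD property described later in this section). The class and function names, the SHA-256 fingerprint construction, and the sample IP addresses and user agent are assumptions made for the example. The same mismatch path is taken when the user agent changes mid-session, which is the SharePoint situation described under the best practices below.

```python
"""Simulation of Session Assurance on the server side (added example, not
Access Manager code): server-side fingerprint check, periodic session ID
renewal, and a grace period for the previous ID."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def server_side_fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash the Request Parameters of Table 15-1 (Client IP and the User-Agent
    from the Request Header Set). Using SHA-256 here is an assumption."""
    return hashlib.sha256(f"{client_ip}\n{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str                 # bound when the session is established
    session_id: str                  # current ID
    last_renewal: float              # time of the last ID renewal
    previous_id: Optional[str] = None
    previous_expires: float = 0.0    # end of the grace period for previous_id


class SessionAssurance:
    def __init__(self, renewal_interval: float = 60.0, grace_period: float = 15.0):
        self.renewal_interval = renewal_interval   # Session Validation and Renewal Interval
        self.grace_period = grace_period           # like IDC COOKIE GRACEPERIOD (15 s default)
        self.by_id: Dict[str, Session] = {}        # current and grace-period IDs -> session

    def login(self, user: str, client_ip: str, user_agent: str, now: float) -> str:
        sid = secrets.token_hex(16)
        self.by_id[sid] = Session(user, server_side_fingerprint(client_ip, user_agent), sid, now)
        return sid

    def validate(self, sid: str, client_ip: str, user_agent: str,
                 now: float) -> Tuple[bool, Optional[str]]:
        """Validate one request. Returns (accepted, ID the client must use from now on)."""
        s = self.by_id.get(sid)
        if s is None:
            return False, None
        if sid != s.session_id and now > s.previous_expires:
            self.by_id.pop(sid, None)          # previous ID only honoured during the grace period
            return False, None
        if not hmac.compare_digest(server_side_fingerprint(client_ip, user_agent), s.fingerprint):
            self._invalidate(s)                # other IP or user agent than at login: log out
            return False, None
        if now - s.last_renewal >= self.renewal_interval:
            self._renew(s, now)
        return True, s.session_id

    def _renew(self, s: Session, now: float) -> None:
        if s.previous_id is not None:
            self.by_id.pop(s.previous_id, None)   # only one previous ID is kept
        s.previous_id, s.previous_expires = s.session_id, now + self.grace_period
        s.session_id, s.last_renewal = secrets.token_hex(16), now
        self.by_id[s.session_id] = s

    def _invalidate(self, s: Session) -> None:
        self.by_id.pop(s.session_id, None)
        if s.previous_id is not None:
            self.by_id.pop(s.previous_id, None)


def run_scenario() -> Dict[str, bool]:
    """Constructed walk-through: 60 s renewal interval, 15 s grace period."""
    sa = SessionAssurance(renewal_interval=60, grace_period=15)
    ua = "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"            # constructed user agent
    sid0 = sa.login("alice", "203.0.113.10", ua, now=0)
    ok_before, same = sa.validate(sid0, "203.0.113.10", ua, now=30)
    ok_renew, sid1 = sa.validate(sid0, "203.0.113.10", ua, now=60)  # interval elapsed: new ID
    ok_grace, cur = sa.validate(sid0, "203.0.113.10", ua, now=70)   # old ID inside grace period
    ok_late, _ = sa.validate(sid0, "203.0.113.10", ua, now=80)      # old ID after grace period
    ok_replay, _ = sa.validate(sid1, "198.51.100.7", ua, now=85)    # current ID, other IP
    ok_owner, _ = sa.validate(sid1, "203.0.113.10", ua, now=86)     # session was invalidated
    return {
        "accepted_before_interval": ok_before and same == sid0,
        "renewed_after_interval": ok_renew and sid1 != sid0,
        "old_id_in_grace": ok_grace and cur == sid1,
        "old_id_after_grace": ok_late,
        "replay_from_other_device": ok_replay,
        "owner_after_replay": ok_owner,
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The last two steps of the scenario show the trade-off behind fingerprint validation: a mismatch invalidates the whole session, so the legitimate user is logged out together with the replay attempt. That is the intended protective behaviour, and it is also why an application whose user agent or client IP legitimately changes mid-session needs the exclusions described later in this section.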

Access Manager supports the following parameters in Session Assurance validations for Identity Server and Access Gateway sessions:

Table 15-1 Session Assurance Parameters

Request Parameters:

  • Client IP: Fetches the IP address of the client.

  • Request Header Set: Fetches the user-agent from the request headers of the incoming request.

Device Parameters:

  • Hardware Parameters: Fetches the following details about the user's device:

    • Touch support

    • Maximum number of supported touch points

    • CPU architecture (32-bit or 64-bit processor)

    • Color depth

    • Type (mobile, desktop, or iPad)

  • Language Set: Fetches the language preferences of the user's device.

  • Screen Resolution: Fetches the width and height of the user's browser and screen.

  • Time Zone Offset: Fetches the time zone of the user's device.

  • Operating System: Fetches the name and version of the operating system on the user's device.

  • User Agent: Fetches the following details about the browser on the user's device:

    • Version

    • Name

    • Platform of the browser

    • Number of logical processor cores available to the browser

  • HTML5 Capabilities (Performance Intensive): Fetches information about the HTML5 capabilities supported by the browser.

  • System Fonts (Performance Intensive): Fetches information about the fonts supported and not supported by the user's browser.

  • WebGL Metadata (Performance Intensive): Fetches information about the GPU (Graphics Processing Unit), the identity of the browser, and the WebGL properties and characteristics supported by the browser.

    WebGL (Web Graphics Library) is a JavaScript API for rendering interactive 3D and 2D computer graphics within any compatible web browser without using plug-ins.

This section includes the following topics:

  • Enabling Session Assurance at the Cluster Level

  • Enabling Session Assurance at the Proxy Service Resource Level

  • Best Practices for Enabling Session Assurance at the Proxy Service Resource Level

  • Setting Up Session Validation and Renewal Interval

  • Modifying Parameters Settings

  • Disabling Session Assurance

  • An Example Configuration

For the troubleshooting information, see Troubleshooting Session Assurance.

Enabling Session Assurance at the Cluster Level

Identity Server: By default, in a fresh installation or upgrade, both device fingerprinting-based and server-side fingerprinting-based validations are disabled for all clusters.

Access Gateway: By default, in a fresh installation or upgrade, both device fingerprinting-based and server-side fingerprinting-based validations are disabled for all clusters.

To enable device fingerprinting-based validation for Access Gateway, enable it at the proxy service resource level. See Enabling Session Assurance at the Proxy Service Resource Level.

NOTE: Session Assurance is disabled by default for Identity Server and Access Gateway in an upgraded or newly installed setup. You must upgrade all nodes in the Identity Server and Access Gateway clusters to the latest version before enabling Advanced Session Assurance.

For Access Gateway clusters and proxy services, enable Session Assurance only if needed. See Best Practices for Enabling Session Assurance at the Proxy Service Resource Level.

Perform the following steps to enable Session Assurance at the cluster level:

  1. On the Home page, click Session Assurance.

  2. In Cluster Level Configurations, select Identity Server clusters or Access Gateway clusters for which you want to enable Session Assurance.

Enabling Session Assurance at the Proxy Service Resource Level

For Access Gateway, you can enable or disable device fingerprinting-based validation at the proxy service level either on the respective configuration page or on the Session Assurance page.

Perform any one of the following procedures to enable Session Assurance at the proxy service level:

At the respective configuration page:

  1. On the Home page, click Access Gateways > Edit > [name of reverse proxy] > [name of proxy service].

  2. Under Cluster Level Configurations, select the Access Gateway clusters for which you want to enable Session Assurance by toggling Access Gateways.

At the Session Assurance page:

  1. On the Home page, click Session Assurance.

  2. Click Proxy Service Settings and select the proxy service for which you want to enable device fingerprinting-based validation.

Best Practices for Enabling Session Assurance at the Proxy Service Resource Level

Before enabling Session Assurance for your applications, understand how it works. See Table 15-1, Session Assurance Parameters.

If the application is a single page application or runs with browser plug-ins, consider the following scenarios:

  • As the cookie gets renewed on the browser at the specified interval, ensure that your application picks up the updated cookie and sends it with every request.

  • When you enable server-side fingerprinting, ensure that your application sends the same user-agent header over the entire session.

    For example, assume SharePoint is protected by Access Gateway. When you open an application on SharePoint, such as a Microsoft Word document, the user-agent value changes when the document opens.

    In such scenarios, session validation may fail even though the session is valid. To prevent this, you can exclude the proxy service associated with SharePoint from session validation. See Disabling Session Assurance for Access Gateway Proxy Services.

  • Client-side fingerprinting includes many client-side parameters. Ensure that the enabled parameters do not change during the session.

Setting Up Session Validation and Renewal Interval

Access Manager enables you to set the interval for session validation and session ID renewal for Identity Server and Access Gateway. You can specify different values for Identity Server and Access Gateway.

Perform the following steps to set up session validation and renewal interval:

  1. On the Home page, click Session Assurance.

  2. Under Session Validation and Renewal Interval, specify the interval for session validation. Access Manager also generates a new ID for the session after the same interval.

IMPORTANT: Users might not return to Identity Server or the Access Gateway Embedded Service Provider (ESP) very regularly. In the following scenarios, this interval might therefore not take effect, and the session is renewed with the next request after the interval:

  • Federated setups: When a user logs in to Identity Server, Access Manager generates an assertion to the service provider (SP). After that, the SP owns the user session, and session assurance renewal does not work until the SP periodically returns to Identity Server to renew the session assurance.

  • Access Gateway setups: When a user accesses and logs in to a protected resource, the user usually does not return to ESP or Identity Server until the session timeout has been exceeded or another authentication request comes to Identity Server. For example, if the default contract timeout is set to 60 min, the user may not return to Identity Server or ESP for approximately 40 min. Even if the session renewal interval is set to 1 min (the default), the user may not return to Identity Server and renew the session information.

Modifying Parameters Settings

  1. On the Home page, click Session Assurance.

  2. Click Parameters Settings.

  3. Select the parameters for Identity Server and Access Gateway that you want to include in session validations.

    For more information about parameters, see Table 15-1.

Disabling Session Assurance

If a critical issue occurs, you can disable Session Assurance for specific URLs and user agents by adding the URL or user agent to the exclude list of each Identity Server cluster and ESP cluster. For both URLs and user agents, you can specify either strings or regular expressions as input.

NOTE: You can also deselect the cluster to disable Session Assurance. However, disabling Session Assurance at the cluster level disables it for the entire Access Manager setup.

Disabling Session Assurance for Identity Server

  1. On the Home page, click Identity Servers > [cluster name] > Configuration > Properties.

  2. Click the Plus icon and set the following properties:

    Multiple inputs must be separated by a comma.

    SESSION ASSURANCE USER AGENT EXCLUDE LIST

      Specify the user-agent string for which you want to disable session validation.

      For example, specify Android to exclude Android devices (version 4.x). Example of a user agent sent by an Android device:

      User-Agent: Mozilla/5.0 (Linux; Android 4.4.3; KFTHWI Build/KTU84M) AppleWebKit/537.36 (KHTML, like Gecko) Silk/44.1.54 like Chrome/44.0.2403.63 Safari/537.36

      Specify MSIE to exclude Internet Explorer 10.x. Example of a user agent sent by Internet Explorer:

      Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

    SESSION ASSURANCE USER AGENT REGEX EXCLUDE LIST

      Specify the user-agent REGEX for which you want to disable session validation.

      For example, specify Android 4\. to exclude Android devices (version 4.x). Example of a user agent sent by an Android device:

      User-Agent: Mozilla/5.0 (Linux; Android 4.4.3; KFTHWI Build/KTU84M) AppleWebKit/537.36 (KHTML, like Gecko) Silk/44.1.54 like Chrome/44.0.2403.63 Safari/537.36

      Specify MSIE 10\. to exclude Internet Explorer 10.x. Example of a user agent sent by Internet Explorer:

      Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)

    SESSION ASSURANCE URL EXCLUDE LIST

      Specify the URL for which you want to disable session validation.

      For example, to exclude any URL that contains a given string, assume the URL is http://www.xyz.com/hr/main and specify /hr/. Identity Server checks whether the URL contains /hr/ and, if it does, excludes the URL from session validation.

      Use the comma (,) delimiter to specify more than one URL. For example: /ab*s/aa,ab?sj=sd.:,//,12@/dd:234

    SESSION ASSURANCE URL REGEX EXCLUDE LIST

      Specify the URL REGEX for which you want to disable session validation.

      For example, assume the URL is http://www.xyz.com/hr/main and specify www.xyz.com/hr/(.)*. Identity Server checks whether the URL matches this expression (that is, contains /hr/) and, if it does, excludes the URL from session validation.

      Use the comma (,) delimiter to specify more than one URL. For example: \s,\d\d\d,^\d\d\d.$

    SESSION ASSURANCE IDC COOKIE GRACEPERIOD

      Specify the time in seconds for which Identity Server continues to accept the old session ID after issuing a new one. The default value is 15 seconds.

Disabling Session Assurance for Access Gateway ESP

  1. On the Home page, click Access Gateways > Edit > Reverse Proxy / Authentication > ESP Global Options.

  2. Add the following options in the ESP Global Options list:

    Multiple inputs must be separated by a comma.

    SESSION_ASSURANCE_USER_AGENT_EXCLUDE_LIST

      Specify the user-agent string for which you want to disable session validation.

      For example, to exclude Android devices, add the following:

      SESSION_ASSURANCE_USER_AGENT_EXCLUDE_LIST Android,Chrome

    SESSION_ASSURANCE_USER_AGENT_REGEX_EXCLUDE_LIST

      Specify the user-agent REGEX for which you want to disable session validation.

      For example, to exclude Android devices running version 4.x, add the following:

      SESSION_ASSURANCE_USER_AGENT_REGEX_EXCLUDE_LIST Android 4\.,Chrome

    SESSION_ASSURANCE_URL_EXCLUDE_LIST

      Specify the URL for which you want to disable session validation.

      For example, to exclude any URL that contains a given string, assume the URL is http://www.xyz.com/hr/main. The following entry checks whether the URL contains /hr/ and, if it does, excludes the URL from session validation:

      SESSION_ASSURANCE_URL_EXCLUDE_LIST /hr/

      Use the comma (,) delimiter to specify more than one URL. For example: SESSION_ASSURANCE_URL_EXCLUDE_LIST abc,ss,s

    SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST

      Specify the URL REGEX for which you want to disable session validation.

      For example, to exclude any URL that matches a regular expression, assume the URL is http://www.xyz.com/hr/main. The following entry checks whether the URL contains /hr/ and, if it does, excludes the URL from session validation:

      SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST www.xyz.com/hr/(.)*

      Use the comma (,) delimiter to specify more than one URL. For example: SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST \s,\d\d\d,^\d\d\d.$

    SESSION_ASSURANCE_IDC_COOKIE_GRACEPERIOD

      Specify the time in seconds for which Identity Server continues to accept the old session ID after issuing a new one. The default value is 15 seconds.
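The following Python program is an added example, not Access Manager code, of how the exclude lists can be evaluated for an incoming request. It serves both the Identity Server properties (Disabling Session Assurance for Identity Server) and the ESP Global Options just listed, which share the same semantics: each comma-delimited value is split into entries, plain entries are tested as substrings of the URL or user agent, and REGEX entries are searched as regular expressions. The entries are the example values given in the tables (Android, MSIE 10\., /hr/ and www.xyz.com/hr/(.)*); the class and function names, the substring and search (rather than whole-value) matching, and the constructed request samples are assumptions, not documented product behaviour.

```python
"""Evaluate Session Assurance exclude lists for a request (added example, not
Access Manager code). Matching semantics, substring for plain entries and
re.search for REGEX entries, are an assumption."""
import re
from typing import Dict, List


def parse_list(value: str) -> List[str]:
    """Split a comma-delimited property value into entries, dropping blanks."""
    return [entry.strip() for entry in value.split(",") if entry.strip()]


class ExcludeLists:
    def __init__(self, ua_strings: str = "", ua_regexes: str = "",
                 url_strings: str = "", url_regexes: str = "") -> None:
        # ..._USER_AGENT_EXCLUDE_LIST and ..._USER_AGENT_REGEX_EXCLUDE_LIST
        self.ua_strings = parse_list(ua_strings)
        self.ua_regexes = [re.compile(p) for p in parse_list(ua_regexes)]
        # ..._URL_EXCLUDE_LIST and ..._URL_REGEX_EXCLUDE_LIST
        self.url_strings = parse_list(url_strings)
        self.url_regexes = [re.compile(p) for p in parse_list(url_regexes)]

    @staticmethod
    def _matches(value: str, strings: List[str], regexes: List[re.Pattern]) -> bool:
        if any(s in value for s in strings):          # plain entry: substring test
            return True
        return any(r.search(value) for r in regexes)  # REGEX entry: search anywhere

    def is_excluded(self, url: str, user_agent: str) -> bool:
        """True when the request is skipped by session validation."""
        return (self._matches(user_agent, self.ua_strings, self.ua_regexes)
                or self._matches(url, self.url_strings, self.url_regexes))


# Lists built from the example values in the tables above.
EXCLUDES = ExcludeLists(
    ua_strings="Android",
    ua_regexes=r"MSIE 10\.",
    url_strings="/hr/",
    url_regexes=r"www.xyz.com/hr/(.)*",
)

# Constructed requests. The Android and MSIE 10.0 user agents are the ones quoted
# in the tables; the others are made up for the example.
REQUESTS = {
    "android_payroll": ("http://www.xyz.com/payroll/main",
                        "Mozilla/5.0 (Linux; Android 4.4.3; KFTHWI Build/KTU84M) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Silk/44.1.54 like Chrome/44.0.2403.63 Safari/537.36"),
    "ie10_payroll": ("http://www.xyz.com/payroll/main",
                     "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"),
    "ie9_payroll": ("http://www.xyz.com/payroll/main",
                    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"),
    "desktop_hr": ("http://www.xyz.com/hr/main",
                   "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"),
    "desktop_hrms": ("http://www.xyz.com/hrms/main",
                     "Mozilla/5.0 (X11; Linux x86_64) Example/1.0"),
}


def evaluate(lists: ExcludeLists = EXCLUDES) -> Dict[str, bool]:
    """Map each constructed request to whether it is excluded from validation."""
    return {name: lists.is_excluded(url, ua) for name, (url, ua) in REQUESTS.items()}


if __name__ == "__main__":
    for name, excluded in evaluate().items():
        print(f"{name}: {'excluded' if excluded else 'validated'}")
```

Two properties of this scheme matter when writing entries. Plain entries match as substrings, so a Chrome entry such as the one in the Android,Chrome example also excludes every user agent that merely mentions Chrome, including the Android/Silk one quoted above; and because the comma is the delimiter, a pattern that itself contains a comma (such as a {1,3} quantifier) cannot be expressed as a single entry under this parser. Keep exclude lists as narrow as the affected application requires, since every excluded request skips session validation entirely.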

Disabling Session Assurance for Access Gateway Proxy Services

When Session Assurance is enabled at the cluster level, server-side fingerprinting and session ID renewal are enabled for each proxy service. You can disable and re-enable them for a specific proxy service by using advanced options.

  1. On the Home page, click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.

  2. Add the following options on the need basis:

    NAGHostOptions DisableIDC=on

      Disables Advanced Session Assurance for short-lived session IDs (session ID renewal). Set to off to enable Advanced Session Assurance for session IDs again.

    NAGHostOptions DisableSFP=on

      Disables server-side fingerprinting Session Assurance. Set to off to enable server-side fingerprinting Session Assurance again.

  3. Save your changes and update Access Gateway.

An Example Configuration

Assume an organization has a Human Resources application and a Payroll application. Both applications contain highly confidential employee data and are protected by Access Gateway.

The organization wants to prevent session hijacking for these applications. This can be achieved by enabling device fingerprinting-based session validation for the proxy services tied to these applications.

Configuration Steps:

  1. On the Home page, click Session Assurance.

  2. Under Cluster Level Configurations, select the required Identity Server clusters and Access Gateway clusters for which you want to enable Session Assurance by toggling Identity Servers or Access Gateways.

  3. Specify Session Validation and Renewal Interval.

    For more information, see Setting Up Session Validation and Renewal Interval.

  4. Select parameters that you want to include in the session validation.

    For more information about parameters, see Table 15-1.

  5. Click Proxy Service Settings and select the proxy services tied to the Human Resources and Payroll applications.

  6. Click Save.

  7. Update Access Gateway.