Configuring eDirectory SAML Assertions


You may have seen this when working with the IDM User Application or IDMDash: after a while you still appear to be logged in, yet the application can no longer retrieve information from the directory. We first started seeing this behavior when OSP was added to IDM in version 4.5.

Geoff Carman has worked for me for over 10 years. He is my Subject Area Master for Identity and Access Management (yes, SAM-IAM) and has already written a great, highly detailed multi-part article on the phenomenon, as only Geoffrey can.


On a side-note, I believe Geoffrey types so fast he dilates time.


While this has been documented before, and while sometimes I want to see how the sausage is made, more often than not I just find myself looking for a recipe. So here it is.

The Challenge

The problem, netted out, is that the session timeout in the IDM User Application is longer than the validity window for SAML assertions in eDirectory. So you could be working for 18 minutes in User App, have timed out your session to eDirectory, but not timed out the session to User App. The application seems happy on the surface but can't get the data it needs under the hood.


“It all comes down to one simple thing, which is that it never comes down to one simple thing” - Rob Rawson


The intuitive solution is to make them match. Ideally these would be similar parameters that actually mean the same thing, so it would be simple. But of course nothing is that simple. Nonetheless, once you know how to tune this parameter through this recipe, you can lengthen it until it works best for you. So I start by trying to make them as close as possible.

How much time is enough time?

To determine the configured timeout value in the IDM User Application, run the User Application configuration utility (see /opt/netiq/idm/apps/UserApplication), select Advanced Options and then the Authentication tab.


The timeout for SAML assertions in eDirectory must be longer than this value. In eDirectory the default is 1000 seconds, or 16 2/3 minutes (16 minutes 40 seconds), which is why an 18-minute User App session outlives it. To cover the 20-minute (1200-second) UA timeout, the eDirectory value must exceed 1200 seconds.

Configuring eDirectory

To set the timeout, log in to iManager as an administrator. Browse to the Security container, then Authorized Login Methods, and select SAML Assertion. Within that container you will find an instance of the configuration.


Under this object you will find the SAML configuration.


Edit this object. Select the authsamlValidAfter attribute.


Set the eDirectory value one second longer than the IDM User Application timeout; for example, for a 20-minute (1200-second) timeout, set the value to 1201.
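As an added example (not from the article, and not NetIQ code), here is a POSIX shell script that does the same reconciliation over LDAP instead of through iManager: it reads authsamlValidAfter from the configuration object under the SAML Assertion container, compares it with the User Application timeout, and, on request, raises it with ldapmodify. The container DN, the environment variables LDAP_URL, BIND_DN and LDAP_PW_FILE, the use of the OpenLDAP client tools, and the sample ldapsearch output (including the object name in it) are all assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example, not from the article or from NetIQ: reconcile eDirectory's
# authsamlValidAfter with the IDM User Application session timeout over
# LDAP, so the recipe above can be checked and applied from a script.
#
# Assumptions (none stated by the article):
#  - OpenLDAP client tools (ldapsearch, ldapmodify) are on PATH
#  - the SAML Assertion container has the DN in SAML_BASE and the
#    configuration object beneath it carries authsamlValidAfter
#  - LDAP_URL, BIND_DN and LDAP_PW_FILE (a file holding the bind
#    password, read with -y) are set in the environment for live use
SAML_BASE='cn=SAML Assertion,cn=Authorized Login Methods,cn=Security'

# Constructed ldapsearch -LLL output showing the eDirectory default of
# 1000 s; the object name is made up for the demo, not captured from a tree.
SAMPLE_SEARCH_OUTPUT="dn: cn=SAML Config,$SAML_BASE
authsamlValidAfter: 1000
"

# Value eDirectory needs for a UA timeout given in minutes: one second
# longer than the UA session, as the recipe says.
required_valid_after() {
    echo $(( $1 * 60 + 1 ))
}

# Compare the current eDirectory value (seconds) with the UA timeout
# (minutes). "ok" when the assertion window outlives the UA session,
# "too-short" when a UA session can outlive the assertion window.
check_valid_after() {
    if [ "$1" -gt $(( $2 * 60 )) ]; then
        echo ok
    else
        echo too-short
    fi
}

# Reduce ldapsearch -LLL output to one "dn|value" line per entry that
# carries authsamlValidAfter.
parse_ldapsearch() {
    awk '
        /^dn: /                 { dn = substr($0, 5) }
        /^authsamlValidAfter: / { val = substr($0, 21) }
        /^$/                    { if (dn != "" && val != "") print dn "|" val; dn = ""; val = "" }
        END                     { if (dn != "" && val != "") print dn "|" val }
    '
}

# One status line per parsed "dn|value" line read from stdin.
report() {
    while IFS='|' read -r dn current; do
        echo "$dn: authsamlValidAfter=$current ($(check_valid_after "$current" "$1"))"
    done
}

# LDIF that replaces authsamlValidAfter on the given object.
make_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: authsamlValidAfter\nauthsamlValidAfter: %s\n' "$1" "$2"
}

# Offline run against the constructed sample: how a UA timeout in minutes
# fares against the 1000 s default.
demo() {
    printf '%s' "$SAMPLE_SEARCH_OUTPUT" | parse_ldapsearch | report "$1"
}

# Live run: read the current value; with "apply", raise it when too short.
reconcile() {
    ua_minutes=$1
    mode=${2:-check}
    ldapsearch -LLL -x -H "$LDAP_URL" -D "$BIND_DN" -y "$LDAP_PW_FILE" \
        -b "$SAML_BASE" '(authsamlValidAfter=*)' authsamlValidAfter \
    | parse_ldapsearch \
    | while IFS='|' read -r dn current; do
        state=$(check_valid_after "$current" "$ua_minutes")
        echo "$dn: authsamlValidAfter=$current ($state)"
        if [ "$state" = too-short ] && [ "$mode" = apply ]; then
            make_ldif "$dn" "$(required_valid_after "$ua_minutes")" \
            | ldapmodify -x -H "$LDAP_URL" -D "$BIND_DN" -y "$LDAP_PW_FILE"
        fi
    done
}

# Usage:  sh saml-timeout.sh 20          # report only
#         sh saml-timeout.sh 20 apply    # raise to 1201 where needed
# With no arguments the script only defines the functions above.
if [ -n "${1:-}" ]; then
    reconcile "$1" "${2:-check}"
fi
```

Run it once in report mode before applying: the search filter picks up every object under the SAML Assertion container that carries authsamlValidAfter, so confirm that the DN it prints is the configuration object you would have edited in iManager. The ldapmodify step makes exactly the same attribute change as the iManager edit, which means it is also the step to review in change control.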



It would be nice if the installation tools for IDM configured this for you. However, as I said before, this value might not be sufficient in all cases. If you need to raise the authentication window higher, the security exposure is small: what grows is only how long after issuance eDirectory will still accept an assertion, so raise it as far as the User Application timeout requires and no further. As far as I am aware, the only application that uses this eDirectory NMAS authentication method is the IDM Applications, so we should be safe.


Comment List
  • If you have intruder detection enabled, you will see this issue manifest as users getting locked out. The app makes REST calls, and each time it tries, the user will get another failed attempt.