CA AGW Partnership federation/ configuration assistance would be needed for redirect
Article ID: 102821
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
I have installed CA Access Gateway (SPS) 12.7 and I'am testing for
first time a Parnership Federation with Policy Server 12.7, so that CA
Access Gateway (SPS) is acting as SAML2 IdP and myseconddomain
http://www.myseconddomain.com/ is acting as SAML2 SP.
Login pages are on the CA Access Gateway (SPS).
When I start login flow from sp.myseconddomain.com, the Authentication
URL redirects properly to login page where both authentication and
authrozation are processed successfully and a SMSESSION is created.
The problem occurs with redirect.jsp. When the browser goes to that
redirect.jsp page, the browser doesn't get redirected back to the
Federation Resource /affwebservices/public/saml2sso.
I have configured the Authentication URL to
https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp
in Parnership Federation Configuration.
In CA Access Gateway (SPS) Federation has been enabled and the
Authentication URL has been set to default siteminderagent/redirectjsp
there.
First login fails because of redirect. In second try when SMSESSION
exists already login flow is successful. SAML response is returned to
myseconddomain SP site.
first time a Parnership Federation with Policy Server 12.7, so that CA
Access Gateway (SPS) is acting as SAML2 IdP and myseconddomain
http://www.myseconddomain.com/ is acting as SAML2 SP.
Login pages are on the CA Access Gateway (SPS).
When I start login flow from sp.myseconddomain.com, the Authentication
URL redirects properly to login page where both authentication and
authrozation are processed successfully and a SMSESSION is created.
The problem occurs with redirect.jsp. When the browser goes to that
redirect.jsp page, the browser doesn't get redirected back to the
Federation Resource /affwebservices/public/saml2sso.
I have configured the Authentication URL to
https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp
in Parnership Federation Configuration.
In CA Access Gateway (SPS) Federation has been enabled and the
Authentication URL has been set to default siteminderagent/redirectjsp
there.
First login fails because of redirect. In second try when SMSESSION
exists already login flow is successful. SAML response is returned to
myseconddomain SP site.
Cause
From the flow, we see the SMPORTALURL is encrypted :
https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=dasdSADDQdasDasDEASsDASda223qdasDSasewS%3&RelayState=cookie%3A1529414dsa4d45454&SMPORTALURL=KdleL33sa2slslaxxsldllewsa&SAMLTRANSACTIONID=e1e30973-c7df59c2-9dfds9ce-5rdd355e-7e9ww830-4f
Here we should see the SMPORTALURL value decrypted.
https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=dasdSADDQdasDasDEASsDASda223qdasDSasewS%3&RelayState=cookie%3A1529414dsa4d45454&SMPORTALURL=KdleL33sa2slslaxxsldllewsa&SAMLTRANSACTIONID=e1e30973-c7df59c2-9dfds9ce-5rdd355e-7e9ww830-4f
Here we should see the SMPORTALURL value decrypted.
Environment
Release: MSPSSO99000-12.7-Single Sign-On-for Business Users-MSP
Component:
Component:
Resolution
Disable the "Use Secure URL" option in the Partnership, this will only
URL Encode the SMPORTALURL value, to avoid the Federation Service to
redirect the browser to an encrypted target value.
URL Encode the SMPORTALURL value, to avoid the Federation Service to
redirect the browser to an encrypted target value.
Feedback
Yes
No
Powered by
