How to Unprotect All Resources When Using Localhost or 127.0.0.1

book

Article ID: 109991

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Some applications make a server to server call that may not work if the resource is protected and results in a challenge response to the call.  For this reason it would be beneficial to allow requests for http://localhost and/or http://127.0.0.1 to remain unprotected without affecting the currently protected resources.

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

The best way to address this use case is with the IgnoreHost ACO parameter.  Two additional ACO parameters are also needed to prevent the agent from transforming the incoming host name to a FQDN: ForceFQHost=no and DisableDNSLookup=yes

Additional Information

This also could be accomplished by defining agent names (using the AgentName ACO parameter) to the hosts you want to ignore and not assigning those agent names to any realms, however, this method results in the IsProtected call being made for these requests whereas using IgnoreHost skips the IsProtected call and is thus slightly more efficient.