SMPORTALURL is being built by the Federation web services with the FQDN of the application server instead of the web server FQDN

Article ID: 131759
Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction


We have an Apache web server configured with the mod_jk plugin forwarding requests to a Tomcat application server where the Federation Web Services (FWS) are deployed.
When the user triggers an IDP-initiated request from a Legacy Federation setup, the Federation Web Services builds the Redirect to the defined Authentication URL, and that redirect includes the SMPORTALURL.

The problem is that the SMPORTALURL built by the FWS does not carry the FQDN of the Apache web server; it is built with the application server FQDN and port instead.

Example of use case:
--------------------

Apache Web server FQDN --> app.webserver.com
mod_jk proxies the request to the backend Tomcat app server with FQDN --> app.appserver.com:8080

- IDP Initiated transaction is triggered using the below link

https://app.webserver.com/affwebservices/public/saml2sso?SPID=testSPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

- FWS checks the request and, if no SMSESSION cookie exists, issues a Redirect to the Authentication URL carrying the SMPORTALURL, as shown here:

https://app.webserver.com/affwebservices/redirectjsp/redirect.jsp?SPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
                                                                 &SMPORTALURL=http%3A%2F%app.appserver.com%3A8080%2Faffwebservices%2Fpublic%2Fsaml2sso
                                                                 &SAMLTRANSACTIONID=164a8532-08301676- 91fae911-8334fbb1-5670e255-6bd5
Note that the SMPORTALURL is constructed with app.appserver.com:8080, so after authenticating the user's browser is sent to the application server URL instead of the web server, which is what causes the issue.

Environment

Release:
Component: SMAPC

Resolution

Legacy Federation depends on the proxyServer property when building the SMPORTALURL.
If proxyServer is not set, the FWS falls back to the Host header of the request as it arrived at the application server when building the SMPORTALURL, which is why the application server FQDN and port appear.

To solve this issue, configure the "SAML Service Provider" with the proxy server host so that the SMPORTALURL is built with it.
The steps to configure the proxyServer are:

1) From the AdminUI, go to Legacy Federation --> SAML Service Providers --> modify the corresponding SAML Service Provider --> under the General tab, scroll down to "Proxy" --> set the server to "https://Web_server_host" --> save the changes
2) Flush the cache
3) Restart the application server hosting the FWS so that the new property is picked up
4) If you then dump your store using XPSExport, you should see the below property under your SAMLV2SP object

<Property Name="CA.SM::SAMLv2SP.ProxyServer">
    <StringValue>https://Web_server_host</StringValue>
</Property>
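The following script is an added verification aid, not CA/Broadcom code and not part of the original article. It checks the two things this article tells you to look at: whether the SMPORTALURL inside a captured FWS redirect points at the public web server host rather than the backend application server, and whether an XPSExport dump actually contains the CA.SM::SAMLv2SP.ProxyServer property. The redirect URL, hostnames and the simplified XML fragment are constructed to match the article's use case (the real export wraps the Property element in further Object/XPS elements; only the Property/StringValue shape from the article is assumed).

```python
"""Check an FWS redirect's SMPORTALURL host and an export's ProxyServer property.

Added example; not CA/Broadcom code. All sample values below are constructed.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit
import xml.etree.ElementTree as ET

# Constructed from the article's use case: the Apache proxy the browser reaches.
EXPECTED_PORTAL_HOST = "app.webserver.com"

# Constructed redirect resembling the broken case in the article
# (SMPORTALURL carries the backend app server host and port).
BROKEN_REDIRECT = (
    "https://app.webserver.com/affwebservices/redirectjsp/redirect.jsp"
    "?SPID=testSPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "&SMPORTALURL=http%3A%2F%2Fapp.appserver.com%3A8080%2Faffwebservices%2Fpublic%2Fsaml2sso"
    "&SAMLTRANSACTIONID=00000000-00000000-00000000-00000000-00000000-0000"
)

# Constructed redirect as expected once proxyServer is set to the web server.
FIXED_REDIRECT = (
    "https://app.webserver.com/affwebservices/redirectjsp/redirect.jsp"
    "?SPID=testSPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    "&SMPORTALURL=https%3A%2F%2Fapp.webserver.com%2Faffwebservices%2Fpublic%2Fsaml2sso"
    "&SAMLTRANSACTIONID=00000000-00000000-00000000-00000000-00000000-0000"
)

# Constructed, simplified export fragments (shape taken from the article's snippet).
EXPORT_WITH_PROXY = """<Object Class="CA.SM::SAMLv2SP">
  <Property Name="CA.SM::SAMLv2SP.ProxyServer">
    <StringValue>https://app.webserver.com</StringValue>
  </Property>
</Object>"""

EXPORT_WITHOUT_PROXY = """<Object Class="CA.SM::SAMLv2SP">
  <Property Name="CA.SM::SAMLv2SP.Name">
    <StringValue>testSPID</StringValue>
  </Property>
</Object>"""


def smportalurl_host(redirect_url: str) -> str:
    """Return the host[:port] that the SMPORTALURL query parameter points at."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "SMPORTALURL" not in params:
        raise ValueError("redirect carries no SMPORTALURL parameter")
    portal = params["SMPORTALURL"][0]  # parse_qs has already percent-decoded it
    return urlsplit(portal).netloc


def check_redirect(redirect_url: str, expected_host: str = EXPECTED_PORTAL_HOST) -> bool:
    """True when SMPORTALURL names the public web server (exact host[:port] match)."""
    return smportalurl_host(redirect_url) == expected_host


def proxy_server_from_export(xml_text: str) -> Optional[str]:
    """Return the CA.SM::SAMLv2SP.ProxyServer value from an export fragment.

    None means the property is absent, i.e. the FWS will fall back to the Host
    header that reached the application server when building SMPORTALURL.
    """
    root = ET.fromstring(xml_text)
    for prop in root.iter("Property"):
        if prop.get("Name") == "CA.SM::SAMLv2SP.ProxyServer":
            value = prop.find("StringValue")
            if value is not None and value.text:
                return value.text.strip()
    return None


if __name__ == "__main__":
    for label, url in (("broken", BROKEN_REDIRECT), ("fixed", FIXED_REDIRECT)):
        print(f"{label}: SMPORTALURL host = {smportalurl_host(url)}, "
              f"ok = {check_redirect(url)}")
    print("export with proxy   :", proxy_server_from_export(EXPORT_WITH_PROXY))
    print("export without proxy:", proxy_server_from_export(EXPORT_WITHOUT_PROXY))
```

Paste a redirect captured from the browser's network tab into check_redirect after applying the fix; a mismatch means the Host header fallback is still in effect (property not saved, cache not flushed, or FWS not restarted). Feed the relevant part of the XPSExport output to proxy_server_from_export to confirm the property was persisted.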