
SMPORTALURL is being built by the Federation web services with the FQDN of the application server instead of the web server FQDN


Article ID: 131759


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On



We have an Apache web server configured with the mod_jk plugin, forwarding requests to a Tomcat application server where the Federation Web Services (FWS) are deployed.
When the user triggers an IdP-initiated request from a Legacy Federation setup, FWS builds the redirect to the configured Authentication URL, and that redirect includes the SMPORTALURL.

The problem is that the SMPORTALURL built by FWS does not contain the FQDN of the Apache web server; it is built with the application server FQDN and port instead.

Example of use case:

Apache Web server FQDN --> 
mod_jk proxies the request to the backend Tomcat app server with FQDN --> 

- IDP Initiated transaction is triggered using the below link

- FWS checks the request and, if no SMSESSION cookie exists, issues a redirect to the Authentication URL with the SMPORTALURL, as such:
                                                                 &SAMLTRANSACTIONID=164a8532-08301676- 91fae911-8334fbb1-5670e255-6bd5
Note that the SMPORTALURL is constructed with the application server FQDN, which causes the browser to access the application server URL after the user authenticates. This is the issue.


Component: SMAPC


Legacy Federation depends on the proxyServer property when building the SMPORTALURL.
If the proxyServer does not exist, FWS uses the Host header of the request, which resolved to the application server, when building the SMPORTALURL.

To solve this issue, configure the "SAML Service Provider" with the proxy server host so that the SMPORTALURL is built with it.
The steps to configure the proxyServer are:

1) From the Admin UI --> go to Legacy Federation --> SAML Service Providers --> modify the corresponding SAML Service Provider --> under the General tab --> scroll down to "proxy" --> set the server to "https://Web_server_host" --> save the changes
2) Flush the cache
3) Restart the application server hosting the FWS so that the new property is picked up
4) If you dump your policy store using XPSExport, you should also see the below property under your SAMLV2SP object

 <Property Name="CA.SM::SAMLv2SP.ProxyServer">
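
To confirm the change after the restart, capture the Location header of the FWS redirect and check which origin its SMPORTALURL parameter points at. The following check is an added example, not code from this article or from the product; the host names, paths and transaction ID in the sample redirects are constructed placeholders, and only the SMPORTALURL and SAMLTRANSACTIONID parameter names come from the article.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def check_smportalurl(location, expected_origin):
    """Inspect the Location header of the FWS redirect.

    Returns (ok, detail). ok is True only when the SMPORTALURL query
    parameter is present and its scheme, host and port match
    expected_origin (the public web server).
    """
    query = parse_qs(urlsplit(location).query)
    values = query.get("SMPORTALURL")
    if not values:
        return False, "no SMPORTALURL parameter in redirect"
    portal = values[0]  # parse_qs has already percent-decoded the value
    got, want = _origin(portal), _origin(expected_origin)
    if got != want:
        return False, "SMPORTALURL points at %s://%s:%s" % got
    return True, "SMPORTALURL points at the web server"


# Constructed sample redirects: hosts, paths and IDs are placeholders.
WEB = "https://www.example.com"
BEFORE_FIX = (
    "https://www.example.com/auth/login?SMPORTALURL="
    "http%3A%2F%2Ftomcat01.internal.example%3A8080%2Ffws%2Fsso%3FSPID%3Dsp1"
    "&SAMLTRANSACTIONID=constructed-id"
)
AFTER_FIX = (
    "https://www.example.com/auth/login?SMPORTALURL="
    "https%3A%2F%2Fwww.example.com%2Ffws%2Fsso%3FSPID%3Dsp1"
    "&SAMLTRANSACTIONID=constructed-id"
)

if __name__ == "__main__":
    for label, loc in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, check_smportalurl(loc, WEB))
```

A failing result after the change usually means the cache flush or application server restart from steps 2 and 3 has not taken effect yet.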