SMPORTALURL is being built by the Federation web services with the FQDN of the application server instead of the web server FQDN
Article ID: 131759
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
SMPORTALURL is being built by the Federation web services with the FQDN of the application server instead of the web server FQDN
We have an Apache web server configured with mod_jk plugin forwarding requests to a Tomcat application server where Federation web services are deployed.
When the user trigger an IDP initiated request from a Legacy Federation setup, the Federation Web Services is building the Redirect to the Authentication URL defined that includes the SMPORTALURL.
The problem is the SMPORTALURL being built by the FWS does not have the correct FQDN of the Apache Web server, rather, it is being built with the application server FQDN/port instead
Example of use case:
--------------------
Apache Web server FQDN --> app.webserver.com
Mod_jk proxy the request to backend Tomcat app server with FQDN --> app.appserver.com:8080
- IDP Initiated transaction is triggered using the below link
https://app.webserver.com/affwebservices/public/saml2sso?SPID=testSPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- FWS check request and if no SMSESSION cookie exists, issue a Redirect to the Authentication URL with the SMPORTALURL as such
https://app.webserver.com/affwebservices/redirectjsp/redirect.jsp?SPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
&SMPORTALURL=http%3A%2F%app.appserver.com%3A8080%2Faffwebservices%2Fpublic%2Fsaml2sso
&SAMLTRANSACTIONID=164a8532-08301676- 91fae911-8334fbb1-5670e255-6bd5
Note the SMPORTALURL constructed with app.appserver.com:8080 which is causing the user to access the App sevrer URL from browser after authenticating causing the issue
We have an Apache web server configured with mod_jk plugin forwarding requests to a Tomcat application server where Federation web services are deployed.
When the user trigger an IDP initiated request from a Legacy Federation setup, the Federation Web Services is building the Redirect to the Authentication URL defined that includes the SMPORTALURL.
The problem is the SMPORTALURL being built by the FWS does not have the correct FQDN of the Apache Web server, rather, it is being built with the application server FQDN/port instead
Example of use case:
--------------------
Apache Web server FQDN --> app.webserver.com
Mod_jk proxy the request to backend Tomcat app server with FQDN --> app.appserver.com:8080
- IDP Initiated transaction is triggered using the below link
https://app.webserver.com/affwebservices/public/saml2sso?SPID=testSPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- FWS check request and if no SMSESSION cookie exists, issue a Redirect to the Authentication URL with the SMPORTALURL as such
https://app.webserver.com/affwebservices/redirectjsp/redirect.jsp?SPID&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
&SMPORTALURL=http%3A%2F%app.appserver.com%3A8080%2Faffwebservices%2Fpublic%2Fsaml2sso
&SAMLTRANSACTIONID=164a8532-08301676- 91fae911-8334fbb1-5670e255-6bd5
Note the SMPORTALURL constructed with app.appserver.com:8080 which is causing the user to access the App sevrer URL from browser after authenticating causing the issue
Environment
Release:
Component: SMAPC
Component: SMAPC
Resolution
The Legacy Federation depends on the proxyServer property when building the SMPORTALURL.
If the proxyServer does not exist, the FWS will use the Host header of the request that resolved to the application server when building the SMPORTALURL.
To solve this issue, you will need to configure the "SAML Service Provider" with the proxy server Host in order for the SMPORTALURL be built with it.
Below the steps to configure the proxyServer:
1) From Adminui --> go to legacy Federation --> SAML Service Providers --> Modify The corresponding SAML Service provider --> under General tab --> scroll down to the "proxy" --> set the server to "https://Web_server_host" --> save the changes
2) flush the cache
3) restart the application server hosting the FWS for the new property to get picked up
4) also if you dump your Store using XPExport, you should be able to see the below property under your SAMLV2SP Object
<Property Name="CA.SM::SAMLv2SP.ProxyServer">
https://Web_server_host</StringValue>
</Property>
If the proxyServer does not exist, the FWS will use the Host header of the request that resolved to the application server when building the SMPORTALURL.
To solve this issue, you will need to configure the "SAML Service Provider" with the proxy server Host in order for the SMPORTALURL be built with it.
Below the steps to configure the proxyServer:
1) From Adminui --> go to legacy Federation --> SAML Service Providers --> Modify The corresponding SAML Service provider --> under General tab --> scroll down to the "proxy" --> set the server to "https://Web_server_host" --> save the changes
2) flush the cache
3) restart the application server hosting the FWS for the new property to get picked up
4) also if you dump your Store using XPExport, you should be able to see the below property under your SAMLV2SP Object
<Property Name="CA.SM::SAMLv2SP.ProxyServer">
https://Web_server_host</StringValue>
</Property>
Feedback
Yes
No
Powered by
