
Getting "The+Request+is+not+secure." error with OIDC


Article ID: 133700


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

When setting up OIDC, the customer sends the following request to the authorize endpoint:

https://idp_host/affwebservices/CASSO/oidc/authorize?response_type=code&scope=openid&client_id=000d76fd-11d1-1ce3-b4c0-b02a0a2a0000&redirect_uri=https://host.com/test1&nonce=value

and gets this response:

HTTP/1.1 302 Found
Date: Wed, 22 May 2019 20:13:54 GMT
Server: Apache/2.4.34 (Unix) mod_jk/1.2.43
Location: https://host.com/test1?error=invalid_request&error_description=The+Request+is+not+secure.
Content-Length: 0

Environment

Release :

Component : SITEMINDER FEDERATION SECURITY SERVICES

Cause

This happens when a load balancer is used and the certificate is installed on the load balancer, but not on CA Access Gateway.

It does not happen when CA Access Gateway itself listens on a secure port and has the certificate installed on CA Access Gateway.


The OIDC standard recommends a secure (TLS) connection for the authorization redirect to reduce the risk of phishing and interception. When the authorize request is received, CA Access Gateway therefore verifies whether the request arrived on its secure port or not.

This is a built-in feature of CA Access Gateway.

When the load balancer handles the certificate (TLS is terminated at the load balancer), CA Access Gateway is not actually listening on a secure port, so the request fails this check.

This is how the product is designed and documented at the moment. The customer can file an Enhancement request on the CA community so that product management can address it from a design-specification perspective and gather feedback from other customers in the same situation.
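The following is an added example (not part of the article or the SiteMinder product) that parses an authorize response like the one quoted above and classifies it, so the "request is not secure" redirect can be recognized in a test script or log review rather than by eye. The HTTP response text is constructed from the headers shown in this article.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the 302 response quoted in the article, not a live capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Wed, 22 May 2019 20:13:54 GMT\r\n"
    "Server: Apache/2.4.34 (Unix) mod_jk/1.2.43\r\n"
    "Location: https://host.com/test1?error=invalid_request"
    "&error_description=The+Request+is+not+secure.\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Exact error the gateway emits when TLS terminates on the load balancer only.
NOT_SECURE_ERROR = ("invalid_request", "The Request is not secure.")


def parse_headers(raw):
    """Split a raw HTTP/1.1 response into (status line, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        # partition on the first ':' so values such as 'https://...' stay intact
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def diagnose_authorize_response(raw):
    """Classify an OIDC authorize response by the parameters on its redirect.

    Returns 'tls_not_on_gateway' for the article's error, 'ok' when an
    authorization code was issued, and 'other' for anything else.
    """
    status, headers = parse_headers(raw)
    if not status.startswith("HTTP/1.1 302"):
        return "other"
    query = parse_qs(urlsplit(headers.get("location", "")).query)
    if "code" in query:
        return "ok"
    # parse_qs decodes '+' to ' ', so the description compares as plain text
    error = (query.get("error", [""])[0], query.get("error_description", [""])[0])
    if error == NOT_SECURE_ERROR:
        return "tls_not_on_gateway"
    return "other"


if __name__ == "__main__":
    print(diagnose_authorize_response(SAMPLE_RESPONSE))
```

A result of `tls_not_on_gateway` points at the Cause above: check where the certificate is installed and whether the Access Gateway itself listens on the secure port.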

Resolution

One of the prerequisites of "Configure CA Single Sign-On as OpenID Connect Provider" is to ensure that the following tasks are complete:

 *Session Store is enabled in Policy Server.

 *SSL is enabled in CA Access Gateway. (not met in the use case above)

 https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/use-ca-single-sign-on-as-openid-connect-provider/configure-ca-single-sign-on-as-openid-connect-provider

The customer needs to enable SSL in CA Access Gateway.