When setting up OIDC, the customer sends a request to https://idp_host/affwebservices/CASSO/oidc/authorize?response_type=code&scope=openid&client_id=000d76fd-11d1-1ce3-b4c0-b02a0a2a0000&redirect_uri=https://host.com/test1&nonce=value
and gets this response:
HTTP/1.1 302 Found
Date: Wed, 22 May 2019 20:13:54 GMT
Server: Apache/2.4.34 (Unix) mod_jk/1.2.43
This happens when a load balancer is used and the certificate is installed on the load balancer but not on the CA Access Gateway.
It does not happen when the CA Access Gateway itself is listening on the secure port and has the certificate installed.
The OIDC standard recommends using a secure connection for the redirect to prevent phishing attacks. When the authorize request is received, the CA Access Gateway therefore verifies whether the request arrived on a secure port.
This check is a built-in feature of the CA Access Gateway.
When the load balancer handles the certificate (terminates TLS), the CA Access Gateway itself is not listening on a secure port, so the check does not pass.
This is how the product is currently designed and documented. The customer can file an Enhancement request on the CA Community so that product management can address it from a design specification perspective and gather feedback from other customers in the same situation.
Component: SITEMINDER FEDERATION SECURITY SERVICES
One of the prerequisites of "Configure CA Single Sign-On as OpenID Connect Provider" is to ensure that the following tasks are complete:
* Session Store is enabled in Policy Server.
* SSL is enabled in CA Access Gateway (not met in the use case above).
The customer needs to enable SSL in CA Access Gateway.
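To confirm which component actually terminates TLS before filing a ticket, the following diagnostic is an added example; it is not part of this article or of the CA product. It opens a TCP connection to a host and port you supply (the load balancer VIP and the CA Access Gateway's own listener, both placeholders here), attempts a TLS handshake, and maps the two results onto the cause described above. Certificate validation is intentionally disabled because the question is only whether the endpoint speaks TLS at all.

```python
"""Probe whether a listener terminates TLS itself (added diagnostic example).

Hostnames and ports are placeholders supplied on the command line; the
constructed ListenerProbe values in diagnose() are illustrative only.
"""
import socket
import ssl
import sys
from dataclasses import dataclass


@dataclass
class ListenerProbe:
    host: str
    port: int
    reachable: bool   # TCP connect succeeded
    tls: bool         # TLS handshake completed
    detail: str


def probe_tls_listener(host: str, port: int, timeout: float = 3.0) -> ListenerProbe:
    """Connect to host:port and try a TLS ClientHello.

    A plain-HTTP listener (the Access Gateway behind a TLS-terminating load
    balancer) either answers with non-TLS bytes, producing an SSLError, or
    never answers the ClientHello, producing a timeout.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ListenerProbe(host, port, False, False, f"tcp connect failed: {exc}")

    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # we only ask "is this TLS?", not "is the cert valid?"
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls_sock = ctx.wrap_socket(raw, server_hostname=host)  # handshakes immediately
    except ssl.SSLError as exc:
        return ListenerProbe(host, port, True, False, f"no tls: {exc.reason}")
    except OSError as exc:
        return ListenerProbe(host, port, True, False, f"no tls: {exc}")
    try:
        return ListenerProbe(host, port, True, True, f"tls {tls_sock.version()}")
    finally:
        tls_sock.close()


def diagnose(gateway: ListenerProbe, lb: ListenerProbe) -> str:
    """Map the two probe results onto the article's cause and resolution."""
    if gateway.tls:
        return "ok: CA Access Gateway terminates TLS itself; the secure-port check can pass"
    if not gateway.reachable:
        return "unknown: CA Access Gateway port not reachable from this host"
    if lb.tls:
        return ("mismatch: load balancer terminates TLS but CA Access Gateway is not "
                "listening on a secure port; enable SSL in CA Access Gateway")
    return "neither endpoint offers TLS; enable SSL in CA Access Gateway and the load balancer"


if __name__ == "__main__":
    # Usage: python probe.py <lb_host> <lb_port> <gateway_host> <gateway_port>
    if len(sys.argv) != 5:
        sys.exit(__doc__)
    lb = probe_tls_listener(sys.argv[1], int(sys.argv[2]))
    gw = probe_tls_listener(sys.argv[3], int(sys.argv[4]))
    for p in (lb, gw):
        print(f"{p.host}:{p.port} reachable={p.reachable} tls={p.tls} ({p.detail})")
    print(diagnose(gw, lb))
```

Run it from a host that can reach the Access Gateway directly, not only through the load balancer; if the gateway probe reports reachable but not TLS while the load balancer reports TLS, you are in exactly the configuration this article describes.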