Access Gateway - Proxy rule for OIDC use-case

Article ID: 143029

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

We're configuring OIDC on CA Access Gateway (SPS) and we'd like to
know how we should define the proxy rules (proxyrules.xml) that we have
to set up to make OIDC work.

Is it also possible to send the encrypted/signed ID token in an HTTP
header from the OIDC provider of CA SSO?

Environment

CA Access Gateway (SPS) 12.8SP3 on RedHat 7

Resolution

In CA Access Gateway (SPS), there is no OIDC-specific rule to set in
proxyrules.xml. That file only configures to which backend server a
request for a given resource should be forwarded. All Federation Services
requests are intercepted before the proxy rules are evaluated and are
handled locally by the CA Access Gateway (SPS) itself.

  Configure Proxy Rules

  CA Access Gateway uses the proxy engine that is built into the
  server to route requests to appropriate servers in the enterprise. The
  proxy engine interprets proxy rules and provides both a forward and a
  redirect service to handle the disposition of all user requests for
  back end resources. Proxy rules define how the requests are forwarded
  or redirected to resources that are located on destination servers. A
  set of proxy rules is defined according to the proxy rules DTD that is
  installed by default, and is stored in a proxyrules.xml configuration
  file. By default during installation, the following relative path to
  the proxyrules.xml file is generated and used in the rules_file
  parameter of the <ServiceDispatcher> section of the server.conf file:

    installation_location/secure-proxy/proxy-engine/conf/proxyrules.xml

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/implementing/how-to-protect-a-sample-resource.html#concept.dita_bcc703deb6108bc4dfbbd4a4f02e7e1a2e4a5cf7_ConfigureProxyRules
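To make the point concrete, here is an added illustration (not from the article or from the product documentation) of what a minimal proxyrules.xml looks like when nothing OIDC-specific is required: it just forwards requests for a host to a backend, and the federation endpoints never reach these rules because the gateway answers them locally. The hostnames and the DTD location are placeholders, and the element names follow the nete:proxyrules vocabulary of the product's DTD; check them against the proxyrules.dtd shipped in the conf directory of your installation.

```xml
<?xml version="1.0"?>
<!-- Placeholder path: point this at the proxyrules.dtd of your installation. -->
<!DOCTYPE nete:proxyrules SYSTEM "file:///installation_location/secure-proxy/proxy-engine/conf/proxyrules.dtd">

<nete:proxyrules xmlns:nete="http://www.ca.com/">
  <!-- Route on the Host header of the incoming request. -->
  <nete:cond type="host">
    <!-- Constructed example host: the name users type to reach the gateway. -->
    <nete:case value="sps.example.com">
      <!-- $0 appends the original request URI, so /app/page.jsp stays /app/page.jsp. -->
      <nete:forward>http://backend.example.com$0</nete:forward>
    </nete:case>
    <!-- Anything else goes to a default backend; no rule mentions OIDC
         because the gateway serves the federation endpoints itself. -->
    <nete:default>
      <nete:forward>http://default-backend.example.com$0</nete:forward>
    </nete:default>
  </nete:cond>
</nete:proxyrules>
```

The only OIDC-related decision that touches this file is keeping the forward targets restricted to the servers that should actually receive proxied traffic; the OIDC endpoints themselves need no entry.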

Out of the box, when configuring OIDC, you cannot map the value of the
id_token into a response header such as HTTP_EMPLOYEENUMBER or
HTTP_id_token.

The id_token value is passed in the Authorization header or in the
form post.

This follows the RFC for the JWT format:

  JSON Web Token (JWT)

  1.  Introduction

     JSON Web Token (JWT) is a compact claims representation format
     intended for space constrained environments such as HTTP
     Authorization headers and URI query parameters. 

  https://tools.ietf.org/html/rfc7519#section-1

and

  Understanding ID Token
  https://medium.com/@darutk/understanding-id-token-5f83f50fa02e
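Since the id_token travels as a compact JWT in the Authorization header rather than in a custom header, a backend that wants its claims has to extract and verify the token itself. The following is an added example, not code from the article or from CA SSO: it pulls the token out of an `Authorization: Bearer` header, checks the three-segment RFC 7519 structure, verifies the signature and the iss/aud/exp claims, and only then exposes the claims. To stay self-contained it signs a constructed sample token with HS256 and a constructed shared secret; an OIDC provider normally signs with an asymmetric algorithm, so a real relying party would verify against the provider's published keys instead. Issuer, audience, claim values and the secret are all placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the provider's signing key (demo only).
SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_id_token(claims: dict, key: bytes) -> str:
    """Build a compact JWT signed with HS256. Only used here to produce sample
    input; in a real deployment the ID token comes from the OIDC provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def extract_bearer_token(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def verify_hs256_id_token(token: str, key: bytes, issuer: str, audience: str,
                          now: Optional[int] = None) -> dict:
    """Verify signature, issuer, audience and expiry; return the claims.
    Raises ValueError on any failure so callers cannot use unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm instead of trusting whatever the header says.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """End-to-end run on constructed data: issue a token, carry it in the
    Authorization header, extract and verify it on the receiving side."""
    claims = {"iss": "https://sso.example.com", "sub": "user123",
              "aud": "my-client", "iat": now, "exp": now + 300,
              "employeeNumber": "12345"}          # placeholder claim values
    token = make_hs256_id_token(claims, SECRET)
    request_headers = {"Authorization": "Bearer " + token}   # constructed request
    bearer = extract_bearer_token(request_headers)
    if bearer is None:
        raise ValueError("no bearer token in request")
    return verify_hs256_id_token(bearer, SECRET, "https://sso.example.com",
                                 "my-client", now=now)


if __name__ == "__main__":
    print(demo())
```

The claims become usable only after `verify_hs256_id_token` returns, which is the property that a header such as HTTP_EMPLOYEENUMBER could not give you on its own: a header value carries no signature, whereas the compact JWT does.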

Finally, a community post walks through how to implement OIDC:

  SSO Client Federation Partnership to SSO OpenIDC Provider 
  https://community.broadcom.com/enterprisesoftware/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a865c0a-173a-4365-85e1-a20124eb5c8a&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=librarydocuments

Additional Information

Further reading about OIDC:

  User 'unknown' is not authenticated by Policy Server
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=136928

  OIDC Provider Introspect Endpoint, strange data type is created
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=111723

  Error while configuring the OpenID Connect in which provider is buypass
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=137723

  Problem with double encoding of OIDC state after upgrade to 12.8.02
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=133620