We're configuring OIDC on CA Access Gateway (SPS) and we'd like to
know how we should define the proxy rules (proxyrules.xml) that we have to
set up for OIDC.
Is it also possible to send an encrypted/signed ID token in an HTTP header
from the OIDC provider of CA SSO?
CA Access Gateway (SPS) 12.8SP3 on RedHat 7
At first glance, in CA Access Gateway (SPS), there is no specific rule
to set in proxyrules.xml. That file only configures which
backend server resource a request should be forwarded to. All
Federation Services requests are caught before this by CA Access Gateway
(SPS) and are handled locally by it.
Configure Proxy Rules
CA Access Gateway uses the proxy engine that is built into the
server to route requests to appropriate servers in the enterprise. The
proxy engine interprets proxy rules and provides both a forward and a
redirect service to handle the disposition of all user requests for
back-end resources. Proxy rules define how the requests are forwarded
or redirected to resources that are located on destination servers. A
set of proxy rules is defined according to the proxy rules DTD that is
installed by default, and is stored in a proxyrules.xml configuration
file. By default during installation, the following relative path to
the proxyrules.xml file is generated and used in the rules_file
parameter of the <ServiceDispatcher> section of the server.conf file:
Out of the box, when configuring OIDC, you cannot set the value of the
id_token in a response header such as HTTP_EMPLOYEENUMBER or
The id_token value is passed in the "authorization header" or in
the "form post".
This follows the RFC for JWT:
JSON Web Token (JWT)
JSON Web Token (JWT) is a compact claims representation format
intended for space constrained environments such as HTTP
Authorization headers and URI query parameters.
Understanding ID Token
Finally, there is a community post that explains how to implement OIDC:
SSO Client Federation Partnership to SSO OpenIDC Provider
Further reading about OIDC:
User 'unknown' is not authenticated by Policy Server
OIDC Provider Introspect Endpoint, strange data type is created
Error while configuring the OpenID Connect in which provider is buypass
Problem with double encoding of OIDC state after upgrade to 12.8.02
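As an added example (not code from the original page, nor from CA/Broadcom or the CA Access Gateway product), the following Python script shows the point made in the answer above: the ID token travels as a compact, signed JWT in the HTTP Authorization header, and a relying party that wants a claim such as employeeNumber must pull it out of the verified token rather than expect the gateway to surface it as a response header. The token is signed with HS256 keyed by the client secret, which OpenID Connect permits for ID tokens; the issuer URL, client ID, secret, nonce and claims below are constructed values and not taken from this page. A provider that signs with RS256 would need the same checks against its published JWKS instead of the shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (assumptions, not from the original page).
CLIENT_ID = "sps-relying-party"
CLIENT_SECRET = b"example-client-secret-change-me"
ISSUER = "https://sso.example.com/oidc/provider"  # hypothetical issuer URL


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Provider side: build an HS256-signed ID token (JWS compact serialization)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def extract_bearer(headers: dict) -> str:
    """Pull the token out of 'Authorization: Bearer <jwt>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("no bearer token in Authorization header")
    return token.strip()


def verify_id_token(token: str, secret: bytes = CLIENT_SECRET, issuer: str = ISSUER,
                    audience: str = CLIENT_ID, nonce=None, now=None) -> dict:
    """Relying-party side: check alg, signature, iss, aud, exp and nonce before trusting claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the expected algorithm; never let the token pick it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo():
    """Round trip: provider mints, token rides in the Authorization header, RP verifies."""
    now = 1_700_000_000
    claims = {"iss": ISSUER, "sub": "jdoe", "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": "n-0S6_WzA2Mj", "employeeNumber": "12345"}
    headers = {"Authorization": "Bearer " + mint_id_token(claims)}
    verified = verify_id_token(extract_bearer(headers), nonce="n-0S6_WzA2Mj", now=now + 10)
    # A token re-signed with the wrong key (e.g. a forged employeeNumber) must be rejected.
    forged = mint_id_token(dict(claims, employeeNumber="99999"), secret=b"wrong-secret")
    try:
        verify_id_token(forged, nonce="n-0S6_WzA2Mj", now=now + 10)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True
    return verified["sub"], verified["employeeNumber"], forgery_rejected


if __name__ == "__main__":
    print(demo())
```

The claim you would have wanted in HTTP_EMPLOYEENUMBER is read from the verified token's payload instead; nothing in the token should be used before the signature, issuer, audience, expiry and nonce checks all pass.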