
Access Gateway - Proxy rule for OIDC use-case


Article ID: 143029




CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER



We're configuring OIDC on CA Access Gateway (SPS) and we'd like to
know how we should define the proxy rules (proxyrules.xml) that we have to
set up for OIDC to work.

Is it also possible to send encrypted/signed ID token in HTTP header
from OIDC provider of CA SSO?




CA Access Gateway (SPS) 12.8SP3 on RedHat 7




At first glance, in CA Access Gateway (SPS), there's no specific rule
to set in the proxyrules.xml. This file configures which back-end
server a request should be forwarded to. All the Federation Services
requests are caught before this step by the CA Access Gateway (SPS)
and are handled locally by the CA Access Gateway (SPS).

  Configure Proxy Rules

  CA Access Gateway uses the proxy engine that is built into the
  server to route requests to the appropriate servers in the enterprise. The
  proxy engine interprets proxy rules and provides both a forward and a
  redirect service to handle the disposition of all user requests for
  back-end resources. Proxy rules define how the requests are forwarded
  or redirected to resources that are located on destination servers. A
  set of proxy rules is defined according to the proxy rules DTD that is
  installed by default, and is stored in a proxyrules.xml configuration
  file. By default during installation, the following relative path to
  the proxyrules.xml file is generated and used in the rules_file
  parameter of the <ServiceDispatcher> section of the server.conf file:


Out of the box, by configuring OIDC, you cannot set the value of the
id_token to the response header such as HTTP_EMPLOYEENUMBER or

The id_token value is passed in the "Authorization" header or in
the "form post" response.

This follows the RFC for JWT:

  JSON Web Token (JWT)

  1.  Introduction

     JSON Web Token (JWT) is a compact claims representation format
     intended for space constrained environments such as HTTP
     Authorization headers and URI query parameters.
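The following added example (not code from the article, CA or Broadcom) shows the two places the article says a relying party should expect the id_token, the Authorization header and a form post, and how a client verifies the token it finds there. It assumes the HS256 case of OIDC Core section 10.1, where the client's own client_secret is the HMAC key; the secret, issuer URL, client ID and claims (including the employeeNumber claim) are constructed values for the demo, and the token is built inline so the script runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed values for the demo only (not from the article).
CLIENT_SECRET = b"constructed-client-secret-for-demo"   # HS256 key per OIDC Core 10.1
EXPECTED_ISSUER = "https://sso.example.com/affwebservices/CASSO/oidc/demo"  # assumed issuer
CLIENT_ID = "demo-client-id"                               # assumed audience (aud)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Compact JWS strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact-serialized JWT (header.payload.signature) to stand in
    for the id_token a provider would issue in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def extract_id_token(headers: dict, form_body: str = "") -> Optional[str]:
    """Locate the id_token where the article says it travels: the
    Authorization header (Bearer scheme) or the id_token field of a
    form-post body. It is never read from a custom response header."""
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    fields = parse_qs(form_body)
    if "id_token" in fields:
        return fields["id_token"][0]
    return None


def verify_id_token(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify the signature and the core ID-token claims (iss, aud, exp).
    Raises ValueError on any failure; returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":            # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def check(token: str, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """Return None when the token verifies, else the failure reason."""
    try:
        verify_id_token(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)


def demo(now: int = 1_700_000_000):
    """Issue a demo token, receive it both ways, and verify it."""
    claims = {"iss": EXPECTED_ISSUER, "aud": CLIENT_ID, "sub": "user123",
              "iat": now, "exp": now + 300, "employeeNumber": "E123"}  # constructed claims
    token = make_hs256_token(claims, CLIENT_SECRET)
    via_header = extract_id_token({"Authorization": "Bearer " + token})
    via_form = extract_id_token({}, "state=abc&id_token=" + token)
    verified = verify_id_token(via_header, CLIENT_SECRET, now)
    # The employee number lives inside the signed token, not in an HTTP_* header.
    return verified["sub"], verified["employeeNumber"], via_form == token


if __name__ == "__main__":
    print(demo())
```

Whichever transport delivers the token, the relying party must verify the signature and the iss, aud and exp claims before trusting any claim inside it; the check function above reports exactly which step failed so the failure can be logged.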


  Understanding ID Token

Finally, there's a community post that explains how to implement OIDC:

  SSO Client Federation Partnership to SSO OpenIDC Provider


Additional Information


Further reading about OIDC:

  User 'unknown' is not authenticated by Policy Server

  OIDC Provider Introspect Endpoint, strange data type is created

  Error while configuring the OpenID Connect in which provider is buypass

  Problem with double encoding of OIDC state after upgrade to 12.8.02