Changing the Authentication URL context in CA Access Gateway

Article ID: 15225

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

You were running federation on WAOP using NewAtlanta ServletExec.

Now you are migrating to CA Access Gateway.

The federation web services were deployed on /affwebservices, but you were using a different authentication URL context.

 

For example, https://server.domain/federation/redirect.jsp instead of https://server.domain/affwebservices/redirectjsp/redirect.jsp or https://server.domain/siteminderagent/redirectjsp/redirect.jsp

 

In NewAtlanta ServletExec, the startup script has alias settings that make it easy to add an alias URI for the document root.

How can this be achieved when using CA Access Gateway?



How can I use https://server.domain/federation/redirect.jsp as AuthenticationURL when using CA Access Gateway?

 

Environment

CA Access Gateway with Federation Web Services deployed.

Resolution

The server.conf file contains a federation section like the one below.

 <federation>
  enablefederationgateway="yes"
  fedrootcontext="affwebservices"
  authurlcontext="siteminderagent/redirectjsp"
  allowlinking="yes"
  protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
 </federation>

 

By changing authurlcontext, you can use a different root context for the authentication URL.

The goal is to use https://server.domain/federation/redirect.jsp. In the affwebservices folder structure, however, the redirect.jsp file sits in the "redirectjsp" folder, which is why the default authurlcontext is "siteminderagent/redirectjsp".

To work around that, copy the redirect.jsp file to the affwebservices folder and update server.conf as below.

 <federation>
  enablefederationgateway="yes"
  fedrootcontext="affwebservices"
  authurlcontext="federation"
  allowlinking="yes"
  protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
 </federation>

 

Then you will need to restart the CA Access Gateway services.

 

You must also ensure that the AuthenticationURL in your federation configuration matches the context you specified above.
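
One way to verify that last step before restarting, as an added example that is not part of the original article or of the product: the script reads the federation section of server.conf and compares a given AuthenticationURL with the path implied by authurlcontext. It assumes the URL path is /<authurlcontext>/redirect.jsp (inferred from the two URLs in this article), that lines starting with # are comments, and that you paste in the AuthenticationURL from your federation configuration yourself; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the <federation> section as edited in this article.
SAMPLE_SERVER_CONF = '''\
<federation>
  enablefederationgateway="yes"
  fedrootcontext="affwebservices"
  authurlcontext="federation"
  allowlinking="yes"
</federation>
'''

def federation_settings(conf_text):
    """Return the key="value" pairs found inside the <federation> block."""
    block = re.search(r"<federation>(.*?)</federation>", conf_text, re.S | re.I)
    if block is None:
        raise ValueError("no <federation> section found")
    settings = {}
    for line in block.group(1).splitlines():
        line = line.strip()
        if line.startswith("#"):  # assumption: '#' marks a commented-out line
            continue
        m = re.match(r'([A-Za-z]\w*)\s*=\s*"([^"]*)"', line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def check_authentication_url(conf_text, authentication_url):
    """Compare an AuthenticationURL with authurlcontext from server.conf.

    Returns (ok, expected_path, actual_path).
    """
    context = federation_settings(conf_text).get("authurlcontext", "").strip("/")
    if not context:
        raise ValueError("authurlcontext is missing or empty")
    # Assumption drawn from the article's URLs: /<authurlcontext>/redirect.jsp
    expected = "/" + context + "/redirect.jsp"
    actual = urlsplit(authentication_url).path
    return actual == expected, expected, actual

if __name__ == "__main__":
    for url in ("https://server.domain/federation/redirect.jsp",
                "https://server.domain/siteminderagent/redirectjsp/redirect.jsp"):
        ok, expected, actual = check_authentication_url(SAMPLE_SERVER_CONF, url)
        print("OK      " if ok else "MISMATCH", actual, "(expected " + expected + ")")
```

To check a real deployment, pass the contents of your own server.conf instead of the constructed sample.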