If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners.

book

Article ID: 195697

calendar_today

Updated On:

Products

CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

Customer has different user directories such as dir1, dir2 and dir3. 

They would need to create different authorization providers for each directory and authentication URL must be different for each URL. The resource suppose to be protected is /affwebservices/secure/secureredirect. 

Since they have three different authorization servers so they would like to know how to make this configuration. Kindly consider the below example for reference only.
 
/affwebservices/secure/secureredirect/dir1
/affwebservices/secure/secureredirect/dir2
/affwebservices/secure/secureredirect/dir3

Environment

Release : Any supported CA Siteminder Release

Component : CA SITEMINDER (AKA CA SSO)

Resolution

If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. 

As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner.

To associate the secureredirect service with different realms, modify the " web.xml " file and create different resource mappings. 

Do not copy the secureredirect web service to different locations on your server. 

Locate the web.xml file in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.

- Check the Create Authorization Provider Section for reference:

http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/use-ca-single-sign-on-as-openid-connect-provider/configure-ca-single-sign-on-as-openid-connect-provider.html

Example:

- If the URL mapping in " Web.xml " is given as /secure/secureredirect/apigee/staff/*

But Incase if we give the Incorrect secure redirect URL format in OIDC Provider configuration like below It fails.

https://<host:port>/affwebservices/secureredirect/apigee/staff/ 

So we have to use below format:

https://<host:port>/affwebservices/secure/secureredirect/apigee/staff/

Always make sure and use " Use Secure Authentication URL " in Authentication URL.