When running CA Access Gateway (SPS) with Social Login (1) configured
behind an SSL-offloading load balancer, requests reach the CA Access
Gateway (SPS) over plain HTTP, and some of the redirects it generates
are therefore built with an http:// scheme as well.
To illustrate:
The request reaches the load balancer over HTTPS:
https://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs
and the load balancer, as configured, forwards it over HTTP to the
backend CA Access Gateway (SPS), which later redirects to:
http://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=16cf90d3-ccafff20-a130081d-7b56b80f-e8310cb0-9c
The CA Access Gateway (SPS) builds that redirect from the scheme of the
request it received, so from the browser's perspective HTTPS has become
HTTP and the request fails, because the load balancer does not accept
plain HTTP requests.
The CA Access Gateway (SPS) debug log reports:
chsLogin.log:
2021-05-04 18:31:57 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-04 18:31:57 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://myHostFed.mydomain.com/affwebservices/public/saml2sso
[...]
2021-05-04 18:32:29 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-04 18:32:29 DEBUG CookieHelper:- Expiring the CHS context cookies
2021-05-04 18:32:29 DEBUG CookieHelper:- leaving createRequestContextCookie
2021-05-04 18:32:29 DEBUG RedirectServlet:- Redirecting to http://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=16cf90d3-ccafff20-a130081d-7b56b80f-e8310cb0-9c
Modifying the CA Access Gateway (SPS) httpd configuration by adding the
following solves the issue:
<IfModule headers_module>
Header edit Set-Cookie ^Referrer="http://(.*)$ Referrer="https://$1
</IfModule>
The directive rewrites the Set-Cookie response header of the Referrer
cookie so that its value starts with https:// instead of http://; no
other cookie or header is touched. Because the block is wrapped in
<IfModule headers_module>, it is silently skipped when mod_headers is
not loaded, so if the redirect still goes to http:// after the change,
first verify that the LoadModule line for headers_module is active in
the httpd configuration.
Note that the "Creating the referrer cookie" log line still shows the
http:// referrer, because the cookie is built from the scheme the SPS
received; the Set-Cookie header leaving the SPS carries https://, so the
value the browser stores and sends back, and therefore the redirect
built by RedirectServlet, is https://. Now the CA Access Gateway (SPS)
debug log reports:
chsLogin.log:
2021-05-10 15:19:36 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-10 15:19:36 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://myHostFed.mydomain.com/affwebservices/public/saml2sso
[...]
2021-05-10 16:57:13 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-10 16:57:13 DEBUG CookieHelper:- Expiring the CHS context cookies
2021-05-10 16:57:13 DEBUG CookieHelper:- leaving createRequestContextCookie
2021-05-10 16:57:13 DEBUG RedirectServlet:- Redirecting to https://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=6a796e02-1365bc86-3f37cab4-d5c6cacf-95a499ea-58
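To check the rewrite and spot the problem in a log without touching the gateway, here is an added Python example (it is not part of this article and not code from the CA Access Gateway product). It re-implements the Header edit Set-Cookie regex above in Python and scans chsLogin.log lines for RedirectServlet redirects that still target http://. The Set-Cookie attributes (Path, Secure, HttpOnly) and the non-cookie headers in the sample response are assumptions; the log lines are the ones shown in this article.

```python
"""Check the Referrer-cookie rewrite and detect http:// redirects in chsLogin.log.

Added example, not part of the original article or of CA Access Gateway (SPS).
"""
import re

# Same pattern and replacement as the httpd directive in the article:
#   Header edit Set-Cookie ^Referrer="http://(.*)$ Referrer="https://$1
REFERRER_HTTP_RE = re.compile(r'^Referrer="http://(.*)$')
REFERRER_HTTPS_SUB = r'Referrer="https://\1'


def edit_set_cookie(value):
    """Apply the Header edit rewrite to one Set-Cookie header value.

    Only a Referrer cookie whose value starts with http:// is changed; any
    other cookie, and a Referrer cookie already on https://, is returned as-is.
    """
    return REFERRER_HTTP_RE.sub(REFERRER_HTTPS_SUB, value)


def edit_response_headers(headers):
    """Apply edit_set_cookie to every Set-Cookie header in a (name, value) list.

    Headers other than Set-Cookie are left untouched, matching the scope of
    `Header edit Set-Cookie`.
    """
    return [
        (name, edit_set_cookie(value) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


# Detection over chsLogin.log: RedirectServlet lines whose target is plain http://.
REDIRECT_RE = re.compile(r"RedirectServlet:- Redirecting to (\S+)")
TIMESTAMP_LEN = len("2021-05-04 18:31:57")


def find_http_redirects(log_lines):
    """Return (timestamp, url) for each RedirectServlet redirect to an http:// URL."""
    hits = []
    for line in log_lines:
        match = REDIRECT_RE.search(line)
        if match and match.group(1).startswith("http://"):
            hits.append((line[:TIMESTAMP_LEN], match.group(1)))
    return hits


# Constructed sample response headers: the cookie attributes and the non-cookie
# headers are assumptions, the article only shows the cookie name and value.
SAMPLE_HEADERS = [
    ("Set-Cookie", 'Referrer="http://myHostFed.mydomain.com/affwebservices/public/saml2sso"; Path=/; Secure; HttpOnly'),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"),
    ("Content-Type", "text/html;charset=UTF-8"),
]

# Log lines as printed in the article, before and after the fix.
LOG_BEFORE = [
    "2021-05-04 18:31:57 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://myHostFed.mydomain.com/affwebservices/public/saml2sso",
    "2021-05-04 18:32:29 DEBUG CookieHelper:- Expiring the CHS context cookies",
    "2021-05-04 18:32:29 DEBUG RedirectServlet:- Redirecting to http://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=16cf90d3-ccafff20-a130081d-7b56b80f-e8310cb0-9c",
]
LOG_AFTER = [
    "2021-05-10 15:19:36 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://myHostFed.mydomain.com/affwebservices/public/saml2sso",
    "2021-05-10 16:57:13 DEBUG RedirectServlet:- Redirecting to https://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=6a796e02-1365bc86-3f37cab4-d5c6cacf-95a499ea-58",
]

if __name__ == "__main__":
    for name, value in edit_response_headers(SAMPLE_HEADERS):
        print(f"{name}: {value}")
    print("http:// redirects before fix:", find_http_redirects(LOG_BEFORE))
    print("http:// redirects after fix:", find_http_redirects(LOG_AFTER))
```

Running find_http_redirects over the real chsLogin.log (for example after reading it with open().readlines()) gives a quick yes/no on whether the scheme problem is still present after the httpd change, and edit_set_cookie lets you confirm what the regex does to a captured Set-Cookie value before deploying it.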
(1)
Configure Social Sign-on
You can configure SiteMinder Federation (the federation system)
to let users sign on to a federated resource with their social
networking credentials instead of their federation system
credentials.
Social sign-on consists of the following features:
- Authentication of users through an OAuth authorization server such
as Facebook, so that users can sign on to a federated resource
with their OAuth authorization server credentials.
- Configuration of a credential selector page that offers users
various identity providers, such as SAML 2.0 or Facebook, as
authentication choices. Users can choose an identity provider
for authorization to sign on to a federated resource.
The features are independent of each other; you can configure
the federation system to implement either or both of them.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/configure-social-sign-on.html