CHS RedirectServlet redirects incorrectly to HTTP after OAuth in Social Login in CA Access Gateway (SPS)

Article ID: 214874

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER

Issue/Introduction

When running CA Access Gateway (SPS) with Social Login (1) configured, if an SSL-offloading load balancer runs in front, requests reach the CA Access Gateway (SPS) as HTTP, and some redirects are sent as HTTP as well.

To illustrate:

The request reaches the load balancer as HTTPS:

https://sps.example.com/affwebservices/public/saml2sso?SPID=https://sp.example.net/saml/acs&RelayState=https%3A%2F%2Fsp.example.net%2Fsaml%2Facs

and the load balancer redirects to HTTP as configured in the backend CA Access Gateway (SPS):

http://sps.example.com/affwebservices/public/saml2sso?SPID=https://sp.example.net/saml/acs&RelayState=https%3A%2F%2Fsp.example.net%2Fsaml%2Facs&SAMLTRANSACTIONID=<value>

Thus, from the browser's perspective, HTTPS becomes HTTP and the request fails, as the load balancer doesn't handle HTTP requests.

The CA Access Gateway (SPS) debug log reports:

chsLogin.log:

2021-05-04 18:31:57 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-04 18:31:57 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://sps.example.com/affwebservices/public/saml2sso
[...]

2021-05-04 18:32:29 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-04 18:32:29 DEBUG CookieHelper:- Expiring the CHS context cookies
2021-05-04 18:32:29 DEBUG CookieHelper:- leaving createRequestContextCookie
2021-05-04 18:32:29 DEBUG RedirectServlet:- Redirecting to http://sps.example.com/affwebservices/public/saml2sso?SPID=https://sp.example.net/saml/acs&RelayState=https%3A%2F%2Fsp.example.net%2Fsaml%2Facs&SAMLTRANSACTIONID=<value>

Resolution

Modifying the CA Access Gateway (SPS) HTTPD configuration by adding the following solves the issue:

<IfModule headers_module>
  Header edit Set-Cookie ^Referrer="http://(.*)$ Referrer="https://$1
</IfModule>

After the changes, the CA Access Gateway (SPS) reports the redirect being done in HTTPS:

chsLogin.log:

2021-05-10 15:19:36 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-10 15:19:36 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://sps.example.com/affwebservices/public/saml2sso

[...]

2021-05-10 16:57:13 DEBUG CookieHelper:- entering createRequestContextCookie
2021-05-10 16:57:13 DEBUG CookieHelper:- Expiring the CHS context cookies
2021-05-10 16:57:13 DEBUG CookieHelper:- leaving createRequestContextCookie
2021-05-10 16:57:13 DEBUG RedirectServlet:- Redirecting to https://sps.example.com/affwebservices/public/saml2sso?SPID=https://sp.example.net/saml/acs&RelayState=https%3A%2F%2Fsp.example.net%2Fsaml%2Facs&SAMLTRANSACTIONID=<value>
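
A check for the behaviour shown in the two log excerpts, as an added example that is not part of the original article or of the product: it scans chsLogin.log lines in the format quoted above and reports RedirectServlet redirects still issued over plain http. The CookieHelper referrer line is ignored on purpose, because it still shows http in the after-fix excerpt; the function name and the sample input are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Matches only RedirectServlet lines, in the chsLogin.log format quoted in this article.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DEBUG "
    r"RedirectServlet:- Redirecting to (?P<url>\S+)"
)


def find_plain_http_redirects(lines):
    """Return (timestamp, host, path) for every RedirectServlet redirect sent over http."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            # CookieHelper lines are skipped: the referrer is logged before
            # httpd rewrites the Set-Cookie header, so it stays http in the log.
            continue
        target = urlsplit(m.group("url"))
        if target.scheme.lower() == "http":
            findings.append((m.group("ts"), target.hostname, target.path))
    return findings


# Constructed sample assembled from the log lines quoted in this article:
# two lines from before the change, two from after it.
SAMPLE = [
    "2021-05-04 18:31:57 DEBUG CookieHelper:- Creating the referrer cookie with referrer: "
    "http://sps.example.com/affwebservices/public/saml2sso",
    "2021-05-04 18:32:29 DEBUG RedirectServlet:- Redirecting to "
    "http://sps.example.com/affwebservices/public/saml2sso?SPID=https://sp.example.net/saml/acs"
    "&RelayState=https%3A%2F%2Fsp.example.net%2Fsaml%2Facs&SAMLTRANSACTIONID=<value>",
    "2021-05-10 15:19:36 DEBUG CookieHelper:- Creating the referrer cookie with referrer: "
    "http://sps.example.com/affwebservices/public/saml2sso",
    "2021-05-10 16:57:13 DEBUG RedirectServlet:- Redirecting to "
    "https://sps.example.com/affwebservices/public/saml2sso?SPID=https://sp.example.net/saml/acs"
    "&RelayState=https%3A%2F%2Fsp.example.net%2Fsaml%2Facs&SAMLTRANSACTIONID=<value>",
]

if __name__ == "__main__":
    for ts, host, path in find_plain_http_redirects(SAMPLE):
        print(f"{ts} plain-HTTP redirect to {host}{path}")
```
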
