chs redirectservlet redirects incorrectly after oauth flow in Social Login

Article ID: 214874

Products

CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

When running CA Access Gateway (SPS) with Social Login configured (1),
and an SSL-offloading load balancer in front of it, requests reach the
CA Access Gateway (SPS) as HTTP and some redirects are consequently sent
back to the browser as HTTP as well.

To illustrate:

  The request reaches the load balancer as HTTPS:

    https://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs

  and the load balancer forwards it to the backend CA Access Gateway
  (SPS) as HTTP, as configured:

    http://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=16cf90d3-ccafff20-a130081d-7b56b80f-e8310cb0-9c

Thus, from the browser's perspective, HTTPS becomes HTTP and the request
fails, because the load balancer does not accept HTTP requests.

The CA Access Gateway (SPS) debug log reports:

chsLogin.log:

  2021-05-04 18:31:57 DEBUG CookieHelper:- entering createRequestContextCookie
  2021-05-04 18:31:57 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://myHostFed.mydomain.com/affwebservices/public/saml2sso

  [...]

  2021-05-04 18:32:29 DEBUG CookieHelper:- entering createRequestContextCookie
  2021-05-04 18:32:29 DEBUG CookieHelper:- Expiring the CHS context cookies
  2021-05-04 18:32:29 DEBUG CookieHelper:- leaving createRequestContextCookie
  2021-05-04 18:32:29 DEBUG RedirectServlet:- Redirecting to http://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=16cf90d3-ccafff20-a130081d-7b56b80f-e8310cb0-9c


Environment


Resolution


Modify the CA Access Gateway (SPS) httpd configuration by adding the
following, which rewrites the scheme of the Referrer cookie from http to
https on the way out:

  <IfModule headers_module>
  Header edit Set-Cookie ^Referrer="http://(.*)$ Referrer="https://$1
  </IfModule>

This solves the issue. Now the CA Access Gateway (SPS) reports:

chsLogin.log:

  2021-05-10 15:19:36 DEBUG CookieHelper:- entering createRequestContextCookie
  2021-05-10 15:19:36 DEBUG CookieHelper:- Creating the referrer cookie with referrer: http://myHostFed.mydomain.com/affwebservices/public/saml2sso

  [...]

  2021-05-10 16:57:13 DEBUG CookieHelper:- entering createRequestContextCookie
  2021-05-10 16:57:13 DEBUG CookieHelper:- Expiring the CHS context cookies
  2021-05-10 16:57:13 DEBUG CookieHelper:- leaving createRequestContextCookie
  2021-05-10 16:57:13 DEBUG RedirectServlet:- Redirecting to https://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=https://mySP.myspdomain.com/saml/acs&RelayState=https%3A%2F%2FmySP.myspdomain.com%2Fsaml%2Facs&SAMLTRANSACTIONID=6a796e02-1365bc86-3f37cab4-d5c6cacf-95a499ea-58
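
The following script is an added example, not code from the article or from CA/Broadcom: it applies the same regex as the `Header edit` directive above to sample Set-Cookie values, so you can confirm that only the http Referrer cookie is rewritten and its attributes survive, and it scans chsLogin.log-style lines for `RedirectServlet` redirects that still use plain http, which is the symptom to watch for after deploying the fix. The cookie values and log lines are constructed; hostnames are the article's placeholders.

```python
"""Added example (not part of the CA/Broadcom article): simulate the Apache
'Header edit Set-Cookie' rewrite and scan chsLogin.log-style lines for
redirects downgraded to http. All sample data below is constructed."""
import re

# Pattern and replacement exactly as in the article's Header edit directive.
# Apache 'Header edit' replaces the first match in each Set-Cookie value
# ('Header edit*' would replace all); re.sub(count=1) mirrors 'edit'.
COOKIE_PATTERN = re.compile(r'^Referrer="http://(.*)$')
COOKIE_REPLACEMENT = r'Referrer="https://\1'

def rewrite_set_cookie(header_value: str) -> str:
    """Apply the scheme fix to one Set-Cookie value; other cookies, and a
    Referrer cookie that is already https, come back unchanged."""
    return COOKIE_PATTERN.sub(COOKIE_REPLACEMENT, header_value, count=1)

# Matches the RedirectServlet line format shown in the article's log excerpts.
REDIRECT_RE = re.compile(r'^(\S+ \S+) DEBUG RedirectServlet:- Redirecting to (\S+)')

def find_downgraded_redirects(log_lines):
    """Return (timestamp, url) for every RedirectServlet redirect whose target
    uses plain http, i.e. the broken behaviour the article describes."""
    hits = []
    for line in log_lines:
        m = REDIRECT_RE.match(line.strip())
        if m and m.group(2).lower().startswith("http://"):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample data (hostnames are the article's placeholders).
SAMPLE_COOKIES = [
    'Referrer="http://myHostFed.mydomain.com/affwebservices/public/saml2sso"; Path=/; HttpOnly',
    'Referrer="https://myHostFed.mydomain.com/affwebservices/public/saml2sso"; Path=/',
    'SMSESSION=abc123; Path=/; Secure',
]
SAMPLE_LOG = [
    "2021-05-04 18:32:29 DEBUG CookieHelper:- Expiring the CHS context cookies",
    "2021-05-04 18:32:29 DEBUG RedirectServlet:- Redirecting to http://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=x",
    "2021-05-10 16:57:13 DEBUG RedirectServlet:- Redirecting to https://myHostFed.mydomain.com/affwebservices/public/saml2sso?SPID=x",
]

if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        print(rewrite_set_cookie(cookie))
    for ts, url in find_downgraded_redirects(SAMPLE_LOG):
        print(f"{ts}: redirect downgraded to {url}")
```

Run the scanner against a real chsLogin.log after applying the httpd change; an empty result means every RedirectServlet redirect now carries the https scheme.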


Additional Information


(1)

    Configure Social Sign-on

      You can configure SiteMinder Federation (the federation system)
      to let users sign-on to a federated resource with their social
      networking credentials instead of the federation system
      credentials.

      The social sign-on feature consists of the following features:
      
      - Authentication of users using an OAuth authorization server such
        as Facebook so that users can sign-on to a federated resource
        using their OAuth authorization server credentials.

      - Configuration of a credential selector page that provides users
        with various identity providers such as SAML 2.0 or Facebook as
        authentication choices. Users can choose an identity provider
        for authorization to sign-on to a federated resource.

      The features are independent of each other and you can configure
      the federation system to implement either or both the features.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/configure-social-sign-on.html