Siteminder Integration with IME Callback URL

Article ID: 247324

Products

CA Identity Suite

Issue/Introduction

Background:  IM r14.3cp2 vApp with SiteMinder integrated with F5 / Apache Web Servers.   No tight integration on the vApp.

GOAL:  Use F5 URL to provide load balancing to all four (4) IME servers instead of a single IME host with the current failover configuration.


Current Documentation:   

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/virtual-appliance/integrating-ca-identity-manager-with-ca-single-sign-on-using-virtual-appliance.html

GAP: No documentation on managing the IME Callback URL with HTTPS and SiteMinder.

Observation: Using the debug log level with the Provisioning Server configuration for the IM Manager Setup, we see the redirect occur successfully with HTTPS (using the correct root certificates). When the URL is intercepted by the SiteMinder agent, the IME Callback fails and advances to the next failover URL in the list.

Request: Process to integrate a SiteMinder-protected URL with the IME Callback URL.


Environment

Release : 14.3

Component :

Resolution

This was discussed; there is nothing in our documentation that speaks to protecting the ETACALLBACK URL with SSO.

It is protected by end-to-end encryption and requires a shared secret that is encrypted at the time of installation.

My suggestion, agreed to and also suggested by Alan, is the following:

I suspect we need to add a second resource URL to the existing SiteMinder domain.

  • Where the default proxy rule is the URI resource of: /iam/im/* to use NTLM authentication.
  • We would add a prior rule with the URI resource of: /iam/im/ETACALLBACK/* to not use NTLM authentication.
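
A small model of the rule ordering suggested above, added here as an example; it is not Broadcom's code and not SiteMinder's rule evaluator. It assumes first-match-wins evaluation with "*" as a wildcard, and the rule tuples and function names are hypothetical. It shows why the callback rule has to come first and which paths the exemption actually covers.

```python
from fnmatch import fnmatchcase

# Ordered rules as described in the resolution: (URI resource, authentication).
# "none" stands for "not use NTLM authentication"; the tuple layout is an
# assumption of this sketch, not a SiteMinder file format.
PROPOSED = [
    ("/iam/im/ETACALLBACK/*", "none"),
    ("/iam/im/*", "ntlm"),
]
# The same two rules in the wrong order (constructed counter-example).
MISORDERED = list(reversed(PROPOSED))


def auth_for(rules, uri):
    """Return the auth of the first rule whose resource matches uri."""
    for resource, auth in rules:
        if fnmatchcase(uri, resource):
            return auth
    return "no-rule"


def shadowed(rules):
    """List rules that can never fire because an earlier, broader
    prefix rule (ending in '*') already matches everything they match."""
    dead = []
    for i, (resource, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier.endswith("*") and resource.startswith(earlier[:-1]):
                dead.append(resource)
                break
    return dead


if __name__ == "__main__":
    # Constructed sample request paths, including near-misses that must
    # stay behind NTLM so the exemption does not widen by accident.
    samples = ("/iam/im/ETACALLBACK/x", "/iam/im/ETACALLBACK",
               "/iam/im/ETACALLBACKx/y", "/iam/im/env1/index.jsp")
    for uri in samples:
        print(f"{uri:28} proposed={auth_for(PROPOSED, uri):5}"
              f" misordered={auth_for(MISORDERED, uri)}")
    print("shadowed in misordered list:", shadowed(MISORDERED))
```

With the rules reversed, the callback rule is reported as shadowed and every callback request falls under the NTLM rule, which is the interception described in the Observation.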