SiteMinder : Proxy/LoadBalancer and backend Web Agent
Article ID: 260487


Products

CA Single Sign On Agents (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

How does the Web Agent behave when it sits behind a Load Balancer or a Proxy, and how should it be configured?

[Browser] ----(https://_host1._domain._com/protected/)----> Proxy/LB ----(http://_back1._domain._com:8080/protected/)----> Web Server (integrated with Web Agent)
[Web Agent] ----(redirect to https://_login._domain._com/siteminderagent/forms/login.fcc?TARGET=http://_back1._domain._com:8080/protected/)----> Browser

 
The diagram above shows the typical behavior when the browser requests a protected resource.

The request reaches the Proxy/LB over HTTPS.

The Proxy/LB terminates SSL/TLS and forwards a plain HTTP request to the backend web/app server.

The Web Agent finds no valid session, so it redirects the browser to the credential collector URL. At this point the TARGET query parameter exposes the backend server's hostname and port to the client.

The browser may not be able to resolve '_back1._domain._com' (and port 8080 is usually not reachable from the client network), so after a successful authentication it cannot be redirected to the requested application.

 

Environment

 

Release : All SiteMinder versions

 

Cause

This is by design.

 

Resolution

Two requirements must be satisfied before the Web Agent can construct the desired TARGET URL:

  1. The Proxy/LB preserves the original HOST header and passes it to the backend
  2. The HttpsPorts and GetPortFromHeaders ACO parameters are set

The HttpsPorts ACO parameter has a single purpose: it makes the Web Agent build the redirect TARGET query parameter value with HTTPS even though the incoming request arrived over HTTP.

This is required when a proxy/load balancer sits in front of the web server that hosts the Web Agent.

The proxy/LB may act as an SSL offloader/terminator.

That means the browser may send "https://_host1._domain._com/protected/", but the proxy/LB then sends a plain HTTP request to the backend web server.

The Web Agent finds that the resource is protected and that no valid session (SMSESSION cookie) was received, so it must redirect the browser to the credential collector.

Let's say the configured authentication scheme points to "https://_cred._domain._com/siteminderagent/forms/login.fcc".

The agent then constructs a TARGET from the initial request it received for the protected resource. This is where things get tricky: the browser requested "https://_host1._domain._com/protected/", but what the Web Agent received was "http://_back1._domain._com:8080/protected/". Two things changed on the way through the proxy/LB:

  1. HTTPS became HTTP (SSL was terminated at the proxy/LB)
  2. HTTP_HOST became "_back1._domain._com:8080" (the proxy/LB rewrote the Host header to the backend address)

Based on the received request, this webagent constructs the following TARGET value.

{http}://{http_host}{uri}

So it becomes "http://_back1._domain._com:8080/protected/"

This is appended to the credential collector URL, giving the following (for illustration only; other query parameters the agent adds are omitted):

"https://_cred._domain._com/siteminderagent/forms/login.fcc?TARGET=http://_back1._domain._com:8080/protected/"

The user submits a username and password, authenticates, and should then be redirected to the originally requested URL. That redirect fails because the TARGET was not constructed with the desired value.

When the browser tries to follow the TARGET it may not even be able to resolve the "_back1._domain._com" hostname, and port 8080 is typically not open to the internet. The redirect also discloses the internal backend hostname and port to the client.

To address this proxy/LB use case, the HttpsPorts ACO parameter was introduced:

HttpsPorts=8080

This parameter goes together with GetPortFromHeaders=YES, so set both:

HttpsPorts=8080
getportfromheaders=YES

By specifying port 8080 (the port the web server hosting the Web Agent listens on), the Web Agent now knows to construct the TARGET with HTTPS whenever a request arrives on HTTP port 8080.

So it now constructs the TARGET to be as below.

"https://_cred._domain._com/siteminderagent/forms/login.fcc?TARGET=https://_back1._domain._com:8080/protected/"

But this does not solve the hostname issue. The HTTP_HOST value ("_back1._domain._com:8080") is the one the proxy/LB used when connecting to the backend web server.

The proxy/LB must preserve the original Host header sent by the browser and pass it unchanged to the backend web server. The backend web server's virtual host configuration must then accept that public hostname, otherwise the request may be served by a different virtual host.

For Apache httpd as the proxy, refer to its documentation on the ProxyPreserveHost directive (1).

If SiteMinder Access Gateway is the proxy, update server.conf as below and restart the service.

From:

<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="default"
    enablerewritecookiepath="no"
    enablerewritecookiedomain="no"
    enableproxypreservehost="no"
    filteroverridepreservehost="no"

To:

<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="default"
    enablerewritecookiepath="no"
    enablerewritecookiedomain="no"
    enableproxypreservehost="yes"
    filteroverridepreservehost="no"

Most proxies/load balancers offer an equivalent Host-header preservation setting.

Now that the proxy/LB passes the original Host header to the backend and HttpsPorts is configured, the Web Agent constructs the TARGET as below.

{https}://{http_host}{uri}
https://_host1._domain._com/protected/

So the full URL redirecting to the credential collector becomes:

"https://_cred._domain._com/siteminderagent/forms/login.fcc?TARGET=https://_host1._domain._com/protected/"

To verify the fix, request the protected resource through the public URL and inspect the Location header of the redirect (browser developer tools, or curl -v against the public URL): the TARGET scheme and hostname must match what the browser originally requested, with no backend hostname or port visible.

Note: the HttpsPorts ACO parameter goes together with GetPortFromHeaders=YES, because the port number the agent compares against HttpsPorts is carried in the HOST header value. Whenever you set HttpsPorts, also set GetPortFromHeaders.
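The following Python model is added here as an illustration of the TARGET construction described in this Resolution; it is not part of the original article and not Web Agent code. It walks through the three states discussed above: the defaults (backend host and HTTP leak into TARGET), HttpsPorts plus GetPortFromHeaders alone (scheme fixed, hostname still wrong), and both parameters combined with a proxy/LB that preserves the Host header (desired TARGET). The hostnames, port and URIs are the article's placeholders; the function names, the ACO dictionary, the rule that the model falls back to the server's listening port when the Host header carries none, and the unencoded TARGET appended to the collector URL are assumptions made for the example, not documented Web Agent behavior.

```python
"""
Model of how the SiteMinder Web Agent builds the TARGET query parameter for
a credential-collector redirect, and how HttpsPorts, GetPortFromHeaders and
Host-header preservation on the proxy/LB change the result.

Added illustration, not Web Agent source code. Hostnames, port and URIs are
the article's placeholders; function names and the ACO dictionary shape are
assumptions made for this example.
"""
from urllib.parse import urlsplit

# Placeholders from the article (constructed sample input).
BROWSER_URL = "https://_host1._domain._com/protected/"
BACKEND_HOST = "_back1._domain._com"
BACKEND_PORT = 8080
COLLECTOR = "https://_cred._domain._com/siteminderagent/forms/login.fcc"


def backend_request(browser_url, backend_host, backend_port, preserve_host):
    """Simulate the SSL-terminating proxy/LB forwarding to the backend.

    Returns (scheme, host_header, server_port, uri) as seen by the web server
    that hosts the Web Agent. The hop to the backend is always plain HTTP
    (SSL offload); the Host header is either the browser's original one
    (ProxyPreserveHost / enableproxypreservehost) or the backend address.
    """
    parts = urlsplit(browser_url)
    if preserve_host:
        host_header = parts.netloc                       # "_host1._domain._com"
    else:
        host_header = f"{backend_host}:{backend_port}"  # "_back1._domain._com:8080"
    return "http", host_header, backend_port, parts.path


def build_target(scheme, host_header, server_port, uri, aco):
    """Construct TARGET as {scheme}://{http_host}{uri} from the received request.

    aco: ACO parameters by name (case-insensitive):
      HttpsPorts         - ports whose HTTP requests are treated as HTTPS
      GetPortFromHeaders - YES: read the port from the Host header
    Assumption for this model: if GetPortFromHeaders is YES but the Host
    header carries no port, the server's listening port is used.
    """
    params = {k.lower(): str(v) for k, v in aco.items()}
    https_ports = {p.strip() for p in params.get("httpsports", "").split(",") if p.strip()}
    port_from_headers = params.get("getportfromheaders", "NO").upper() == "YES"

    port = str(server_port)
    if port_from_headers and ":" in host_header:
        port = host_header.rsplit(":", 1)[1]

    if scheme == "http" and port in https_ports:
        scheme = "https"   # HttpsPorts rewrites the scheme; http_host stays as received
    return f"{scheme}://{host_header}{uri}"


def credential_collector_redirect(collector_url, target):
    """Append TARGET to the credential collector URL.

    Illustration only: the real agent adds further query parameters and
    encoding that the article omits, so they are omitted here too.
    """
    return f"{collector_url}?TARGET={target}"


def target_is_public(target, browser_url):
    """True when TARGET sends the browser back to the public entry point it
    originally used (same scheme and host), i.e. no backend host/port leaks."""
    t, b = urlsplit(target), urlsplit(browser_url)
    return (t.scheme, t.netloc) == (b.scheme, b.netloc)


def scenario(preserve_host, aco):
    """Run one proxy/LB + ACO combination end to end and return the TARGET."""
    scheme, host, port, uri = backend_request(BROWSER_URL, BACKEND_HOST, BACKEND_PORT, preserve_host)
    return build_target(scheme, host, port, uri, aco)


if __name__ == "__main__":
    fixed = {"HttpsPorts": "8080", "GetPortFromHeaders": "YES"}
    for label, preserve, aco in (
        ("defaults, Host rewritten", False, {}),
        ("HttpsPorts only, Host rewritten", False, fixed),
        ("HttpsPorts + Host preserved", True, fixed),
    ):
        target = scenario(preserve, aco)
        ok = "ok " if target_is_public(target, BROWSER_URL) else "BAD"
        print(f"{ok} {label:32s} {credential_collector_redirect(COLLECTOR, target)}")
```

Only the third combination passes the target_is_public check, which is the same condition the verification step above asks you to confirm in the real redirect's Location header: scheme and host in TARGET equal to what the browser sent to the proxy/LB.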

 

Additional Information

 

(1) Apache httpd documentation: ProxyPreserveHost Directive