Proxy/LoadBalancer and backend Web Agent

Article ID: 260487

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

This article demonstrates how the Web Agent behaves when it sits behind a load balancer or a proxy, and how to configure it correctly.

 

[Browser] ----(https://www.web.site/protected/)----> Proxy/LB ----(http://back1.web.site:8080/protected/)----> Web Server (integrated with Web Agent)
Web Server (Web Agent) ----(redirect to https://login.web.site/siteminderagent/forms/login.fcc?TARGET=http://back1.web.site:8080/protected/)----> Browser

 

The diagram above shows the typical flow when the browser requests a protected resource.

The browser sends the request to the Proxy/LB over HTTPS.

The Proxy/LB terminates SSL and forwards a plain HTTP request to the backend web/app server.

The Web Agent finds no valid session, so it redirects the browser to the credential collector URL. The TARGET query parameter it appends is built from the request as the agent received it, so at this point it exposes the backend server's hostname and port.

The browser may not be able to resolve 'back1.web.site' (and port 8080 is typically not reachable from the Internet), so after successful authentication the browser cannot be redirected to the desired application.

Environment

Release : All SiteMinder versions

Cause

This is by design. The Web Agent builds the TARGET from the request it actually received from the Proxy/LB (the scheme, the HTTP_HOST header and the URI), not from the URL the browser originally sent.

Resolution

A few requirements must be satisfied before the Web Agent can construct the desired TARGET URL:

1. The Proxy/LB preserves and passes the original HOST header to the backend.
2. The HttpsPorts and GetPortFromHeaders ACO parameters are set.

The HttpsPorts ACO parameter has a single purpose: to make the redirect TARGET query parameter use HTTPS when the incoming request arrived over HTTP on one of the listed ports.

This is required when a proxy/load balancer sits in front of the web server that has the Web Agent integrated.

The Proxy/LB may act as an SSL offloader/terminator.

That means the browser may send the request as "https://www.web.site/protected/", but the Proxy/LB then sends an HTTP request to the backend web server.

The Web Agent may find that this resource is protected and that no valid session cookie (SMSESSION) was received, so it has to redirect the request (browser) to the credential collector.

Let's say the configured authentication scheme points to "https://creds.web.site/siteminderagent/forms/login.fcc".

The agent then constructs a TARGET from the initial request it received for the protected resource, and this is where things get tricky: although the browser requested "https://www.web.site/protected/", what the Web Agent received was "http://back1.web.site:8080/protected/". Two things differ:

1. The scheme is HTTP instead of HTTPS
2. HTTP_HOST is "back1.web.site:8080" instead of "www.web.site"

Based on the received request, the Web Agent constructs the following TARGET value:

{http}://{http_host}{uri}

So it becomes "http://back1.web.site:8080/protected/".

This gets appended to the credential collector URL, so the redirect becomes (simplified for illustration; the other query parameters the agent adds are omitted):

"https://creds.web.site/siteminderagent/forms/login.fcc?TARGET=http://back1.web.site:8080/protected/"

The user submits a username and password, is authenticated, and should then be redirected to the originally requested URL, but this fails because the TARGET was not constructed with the desired value.

When the browser tries to follow the TARGET it may not even be able to resolve the "back1.web.site" hostname, and port 8080 may not be open to the Internet.

 

To resolve this Proxy/LB use case, the HttpsPorts ACO parameter was introduced:

HttpsPorts=8080

It goes together with "GetPortFromHeaders=YES", so you should set both:

HttpsPorts=8080
GetPortFromHeaders=YES

 

By listing port 8080 (the port on which the web server with the integrated Web Agent is listening), the Web Agent now knows it should construct the TARGET with "https" whenever a request arrives over HTTP on port 8080.

So it now constructs the TARGET as below:

"https://creds.web.site/siteminderagent/forms/login.fcc?TARGET=https://back1.web.site:8080/protected/"

 

But this does not solve the hostname issue. The HTTP_HOST value ("back1.web.site:8080") is the one the Proxy/LB used when connecting to the backend web server.

The Proxy/LB must instead preserve the browser's original HOST header (www.web.site) and pass it to the backend web server.

For Apache, refer to its documentation on how to pass the Host header to the backend (ProxyPreserveHost):

https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost
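As an added example (not from the article and not taken from Apache's documentation), an Apache httpd reverse-proxy virtual host that terminates TLS for www.web.site and forwards to the Web Agent's web server on port 8080 while preserving the browser's Host header; the certificate and key paths are placeholders:

```apache
# Added example, not part of the original article.
# TLS is terminated here; the backend only sees plain HTTP on port 8080.
<VirtualHost *:443>
    ServerName www.web.site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.web.site.crt     # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/www.web.site.key   # placeholder path

    # Forward the browser's Host header (www.web.site) to the backend instead
    # of rewriting it to back1.web.site:8080, so the Web Agent builds the
    # TARGET with the public hostname. Without this, HTTP_HOST at the agent is
    # the backend name.
    ProxyPreserveHost On
    ProxyPass        "/" "http://back1.web.site:8080/"
    ProxyPassReverse "/" "http://back1.web.site:8080/"
</VirtualHost>
```

With ProxyPreserveHost On the Host header reaching the backend carries no port number, so the agent still relies on HttpsPorts=8080 for the scheme; ProxyPassReverse only rewrites Location headers that name the backend and does not replace the HttpsPorts setting.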

If you are using SiteMinder Access Gateway as the proxy, update server.conf as below and restart the service.

From:
<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="default"
    enablerewritecookiepath="no"
    enablerewritecookiedomain="no"
    enableproxypreservehost="no"
    filteroverridepreservehost="no"

To:
<VirtualHostDefaults>
    # default session scheme
    defaultsessionscheme="default"
    enablerewritecookiepath="no"
    enablerewritecookiedomain="no"
    enableproxypreservehost="yes"
    filteroverridepreservehost="no"

Most proxies and load balancers provide an equivalent option to preserve or forward the original HOST header to the backend; check the product's documentation for the exact setting.

 

Now that the Proxy/LB passes the original HOST header to the backend and HttpsPorts is configured, the Web Agent constructs the TARGET as below:

{https}://{http_host}{uri}

https://www.web.site/protected/

So the full URL redirecting to the credential collector becomes:
"https://creds.web.site/siteminderagent/forms/login.fcc?TARGET=https://www.web.site/protected/"
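To make the three stages above concrete (the default TARGET, the TARGET with HttpsPorts and GetPortFromHeaders set, and the TARGET once the Proxy/LB also preserves the Host header), here is an added Python model of how the agent derives TARGET from the scheme, HTTP_HOST and URI it receives. It is illustration code written for this page, not Web Agent code. The fallback to the web server's listening port when the Host header carries no port number is an assumption of the model; the collector URL and hostnames are the article's illustrative values; and the model URL-encodes the TARGET value, which the article's examples leave unencoded for readability.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Added illustration of the TARGET construction described in this article.
# It is NOT Web Agent code. The fallback to the listening port when the Host
# header carries no port number is an assumption made for this model.

COLLECTOR = "https://creds.web.site/siteminderagent/forms/login.fcc"
PUBLIC_HOST = "www.web.site"


def build_target(scheme, host_header, uri, listen_port,
                 https_ports=(), get_port_from_headers=False):
    """Model of how the agent derives TARGET from the request it received.

    scheme                - scheme of the request as seen by the web server
    host_header           - HTTP_HOST value as received from the proxy/LB
    uri                   - requested path
    listen_port           - port the web server (with the agent) listens on
    https_ports           - HttpsPorts ACO value, as a tuple of ints
    get_port_from_headers - GetPortFromHeaders ACO value
    """
    _, _, port_in_header = host_header.partition(":")
    if get_port_from_headers and port_in_header:
        port = int(port_in_header)
    else:
        # Assumption: no port in the Host header, so fall back to the port
        # the request actually arrived on.
        port = listen_port
    if port in https_ports:
        scheme = "https"  # HttpsPorts says traffic on this port is really HTTPS
    return f"{scheme}://{host_header}{uri}"


def build_redirect(target, collector=COLLECTOR):
    """Credential-collector URL with TARGET appended (URL-encoded)."""
    return collector + "?" + urlencode({"TARGET": target})


def target_is_public(redirect_url, public_host=PUBLIC_HOST):
    """Practitioner check on a redirect: TARGET must be https and must
    name the public host, never the backend."""
    query = parse_qs(urlsplit(redirect_url).query)
    target = urlsplit(query.get("TARGET", [""])[0])
    return target.scheme == "https" and target.hostname == public_host


def scenarios():
    """The three stages from the article, keyed by what is configured."""
    common = dict(scheme="http", uri="/protected/", listen_port=8080)
    return {
        # 1. Defaults: backend name and http leak into TARGET.
        "defaults": build_target(host_header="back1.web.site:8080", **common),
        # 2. HttpsPorts + GetPortFromHeaders, but Host header not preserved.
        "httpsports_only": build_target(
            host_header="back1.web.site:8080",
            https_ports=(8080,), get_port_from_headers=True, **common),
        # 3. Host header preserved by the proxy/LB as well.
        "httpsports_and_preserved_host": build_target(
            host_header="www.web.site",
            https_ports=(8080,), get_port_from_headers=True, **common),
    }


if __name__ == "__main__":
    for name, target in scenarios().items():
        url = build_redirect(target)
        print(f"{name:30} TARGET={target}  public={target_is_public(url)}")
```

Running the script prints one line per stage; only the third stage yields a TARGET of https://www.web.site/protected/ that passes the public-host check, which is the condition to verify (for example by reading the Location header of the first redirect in a browser's network trace) after changing the ACO and the proxy configuration.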

 

Note: the "HttpsPorts" ACO parameter goes together with "GetPortFromHeaders=YES" because the port number the agent compares against HttpsPorts is taken from the HOST header value, so when using HttpsPorts you should also set GetPortFromHeaders.