When running CA Access Gateway (SPS), how can it be configured to use a proxy when reaching VIP AuthHub?
This proxy access is used in sequence 13 of the documentation (1):
"Sends Authorization Code in POST REST API (backchannel) request for id_token"
This functionality is not yet available in the official SiteMinder version 12.8SP7.
An internal build allows the CA Access Gateway (SPS) to reach AuthHub through a proxy. The internal documentation gives instructions for configuring "Use Proxy for Administrative UI Communication" and "Use Proxy for Access Gateway Communication" with that specific build (2).
The internal build is available here:
\\itc-polariskits.dhcp.broadcom.net\kits\unverified-siteminder-kits\dhruva\sm-ah-drop-9\sm-ah-drop-9-2947-drop10-DontDelete\Drop10Kits
adminui-pre-req-12.8-sp07-rhas64.bin
adminui-pre-req-12.8-sp07-win64.exe
ca-adminui-12.8-sp07-rhas64.bin
ca-adminui-12.8-sp07-win64.exe
ca-proxy-12.8-sp07-rhas64.bin
ca-proxy-12.8-sp07-win64.exe
ca-ps-12.8-sp07-rhas64.bin
ca-ps-12.8-sp07-win64.exe
layout-win.properties
layout.properties
smreg-win.exe
smreg
Upgrade all the components to this build number. Upgrade the Policy Store too.
Another option is to make the other path publicly available as well, while adding WAF rules that restrict the source IP to the CA Access Gateway (SPS) IP addresses. Update the firewall to allow the CA Access Gateway (SPS) IP to access the ELB's IP, but this would be covered by WAF.