1. The examples have us protect the /authazws/ URL. This requires us to include credentials in the request, in addition to requiring credentials in the JSON message. This seems a bit redundant, shouldn't a service used for Authentication be unsecure? Is the idea that the caller would use a different set of credentials than what they are calling in the service?
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/access-gateway-configuration/configuring-the-authentication-and-authorization-web-services.html
2. We want to use a virtual host that we stood up for /affwebservices/ for this /authazws/. The Access Gateway will not allow us to use the same virtual hosts for these 2 things. Is there a reason why this restriction is in place, and is there a way to remove that restriction, so that both can use the same Virtual host? Currently, for <VirtualHost name="default"> we have _login.example.com defined which is used by the /affwebservices. There is a separate <VirtualHost name="WebServicesAgentVirtualHost"> which has a different set of hostnames, and we can't use what is defined in the default.
3. We want to pass the return message in JSON. Currently, when we call the service using Content-Type=application/json, the response is in XML... Is there somewhere in the CA_AuthAZ process we can tell it to return JSON instead of xml formatting?
Policy Server 12.8 SP5 release
CA Access Gateway 12.8 SP5 release
Applicable to all the versions which are fully supported.
1. The examples have us protect the /authazws/ URL. This requires us to include credentials in the request, in addition to requiring credentials in the JSON message. This seems a bit redundant, shouldn't a service used for Authentication be unsecure? Is the idea that the caller would use a different set of credentials than what they are calling in the service?
------ Response:
Because web service requests are made at the API level, the web services themselves are protected for security purposes, before a user request is processed.
This protects the web services against unauthorized user requests.
It is recommended to protect the web services in production.
2. We want to use a virtual host that we stood up for /affwebservices/ for this /authazws/. The Access Gateway will not allow us to use the same virtual hosts for these 2 things. Is there a reason why this restriction is in place, and is there a way to remove that restriction, so that both can use the same Virtual host? Currently, for <VirtualHost name="default"> we have login.www.uprr.com defined which is used by the /affwebservices. There is a separate <VirtualHost name="WebServicesAgentVirtualHost"> which has a different set of hostnames, and we can't use what is defined in the default.
------ Response:
This functionality is currently working as expected and as designed. The SE Engineering team plans to include this feature in the upcoming 12.8 SP8 release, so tentatively the feature will be available in 12.8.8 (12.8 SP8).
3. We want to pass the return message in JSON. Currently, when we call the service using Content-Type=application/json, the response is in XML... Is there somewhere in the CA_AuthAZ process we can tell it to return JSON instead of xml formatting?
------ Response:
See the snippet below regarding the "SiteMinder Authentication and Authorization Web Service response in JSON format":
As noted, the SiteMinder Authentication and Authorization Web Service response is being returned in XML format, not in JSON format.
- The request to the web service needs to include the header "accept" with the value "application/json".
- Snippet for reference: