How to protect SOI using Apache Proxy Server (with CA Single Sign-On enabled)

Article ID: 36497


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Introduction / Summary: 

    - This is based on CA Single Sign-On version R12.52SP1, but the steps are generic and not limited to that version.

    - This is based on SOI 3.1; newer versions should work the same way.

    - This article only covers how to configure the ASF Apache proxy and the CA Single Sign-On realm, because that is where customers get a double challenge and fail to SSO.

 

Instructions:

    - Prerequisites:

     * CA SSO and CA SOI are both configured and integrated for SSO.

     * ASF Apache Proxy Server is CA SSO enabled.

     * SOI is accessible via http://soi.kim.net.my:7070/sam

     * Proxy server is accessible via http://soi.kim.net.my

       

    - Following is how the ASF Apache Proxy Server needs to be configured.

Apache Proxy Setting for SOI

# Reverse proxy only: never act as a forward (open) proxy.
ProxyRequests off
# Pass the client's original Host header through to SOI.
ProxyPreserveHost on

# SOI console on port 7070
<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>

# Admin and debug consoles on port 7090. These more specific Location
# blocks come after /sam, so for matching requests they override it.
<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>

<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>

 

To get access to SOI, visit http://soi.kim.net.my/sam/ui; the proxy forwards you to the backend SOI.

 

The following additional proxied URLs are available for troubleshooting:

http://soi.kim.net.my/sam/admin

http://soi.kim.net.my/sam/debug

 

    - Following is the resource filter that needs to be protected by CA Single Sign-On.

CA Single Sign-On side realm resource filter
/sam/ui

You can choose your preferred Authentication Scheme to protect this URI.

You MUST NOT protect "/sam" with CA Single Sign-On.

You do not need to create a separate realm to unprotect "/sam"; a single realm for "/sam/ui" is sufficient.

With this configuration, you will not be double challenged.

Note that "/sam/admin" and "/sam/debug" fall outside the "/sam/ui" realm, so through the proxy they receive no CA Single Sign-On challenge; restrict or remove those Location blocks when they are not needed for troubleshooting.
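The following POSIX shell script is an added example, not part of the CA article: it reads the Apache reverse-proxy fragment above (embedded as a constructed sample) together with a candidate CA Single Sign-On realm resource filter, and reports whether the realm protects the console without covering the whole /sam application, which is the double-challenge misconfiguration described in this article. It also confirms ProxyRequests is off and lists proxied paths that the realm leaves unprotected. Realm matching is approximated as a simple path-prefix test, which is an assumption about SiteMinder's filter semantics; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the CA article's own code). Checks a reverse-proxy
# fragment against a CA SSO realm resource filter. Realm matching below is
# a path-prefix approximation of SiteMinder filter semantics (assumption).

# Constructed sample input: the proxy fragment from this article.
APACHE_CONF=$(cat <<'EOF'
ProxyRequests off
ProxyPreserveHost on

<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>

<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>

<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>
EOF
)

# Print each <Location> path that carries a ProxyPass, one per line.
proxied_locations() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*<Location[[:space:]]/ { loc = $2; sub(/>.*$/, "", loc); seen = 0 }
        /^[[:space:]]*ProxyPass[[:space:]]/ && loc != "" && !seen { print loc; seen = 1 }
        /^[[:space:]]*<\/Location>/ { loc = "" }'
}

# True when "ProxyRequests off" is present, i.e. Apache is not an open forward proxy.
forward_proxy_disabled() {
    printf '%s\n' "$1" | grep -qi '^[[:space:]]*ProxyRequests[[:space:]]\{1,\}off[[:space:]]*$'
}

# realm_covers FILTER PATH: true when a realm with resource filter FILTER
# would match PATH (PATH equals FILTER or lies below it). "/" covers all.
realm_covers() {
    case "$1" in
        /) return 0 ;;
    esac
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
    esac
    return 1
}

# check_realm_filter CONF FILTER: exit 0 when the realm is safe for this
# proxy setup, 1 otherwise. Prints FAIL/OK/WARN lines explaining the verdict.
check_realm_filter() {
    conf=$1
    filter=$2
    status=0
    if ! forward_proxy_disabled "$conf"; then
        echo "FAIL: ProxyRequests is not off; the server could be abused as an open forward proxy"
        status=1
    fi
    # The application root is the shortest proxied Location (/sam here).
    root=$(proxied_locations "$conf" | awk '
        root == "" || length($0) < length(root) { root = $0 }
        END { print root }')
    if [ -z "$root" ]; then
        echo "FAIL: no ProxyPass inside a <Location> block was found"
        return 1
    fi
    if realm_covers "$filter" "$root"; then
        echo "FAIL: realm filter $filter covers the whole proxied application at $root; users are challenged more than once"
        return 1
    fi
    if ! realm_covers "$root" "$filter"; then
        echo "FAIL: realm filter $filter lies outside $root; nothing reachable through the proxy is protected"
        return 1
    fi
    echo "OK: realm filter $filter protects the console without covering $root"
    for loc in $(proxied_locations "$conf"); do
        if ! realm_covers "$filter" "$loc"; then
            echo "WARN: requests under $loc that are not under $filter reach the backend without a CA SSO challenge"
        fi
    done
    return $status
}

# Demonstration with the article's two cases: the correct filter and the
# forbidden one.
check_realm_filter "$APACHE_CONF" /sam/ui || true
check_realm_filter "$APACHE_CONF" /sam || true
```

Run it as-is to see the verdict for /sam/ui (OK, with WARN lines for /sam/admin and /sam/debug) and for /sam (FAIL); to check a real deployment, replace the embedded sample with the output of `cat` on your proxy configuration file.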

 

Additional Information:

If you proxy /sam from Apache and also protect /sam with CA Single Sign-On, you are challenged as below when accessing the console.

 

1st challenge (in this sample, I used the Basic Authentication Scheme from CA Single Sign-On)

<Please see attached file for image>

2nd challenge

<Please see attached file for image>

3rd challenge

<Please see attached file for image>

Exception

<Please see attached file for image>

 

Environment

Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus
Component:

Attachments

1558722411958000036497_sktwi1f5rjvs16wfu.png
1558722410196000036497_sktwi1f5rjvs16wft.png
1558722408253000036497_sktwi1f5rjvs16wfs.png
1558722406333000036497_sktwi1f5rjvs16wfr.png