Introduction / Summary:
- This article is based on CA Single Sign-On version R12.52SP1, but the steps are generic and not limited to a specific version.
- This article is based on SOI 3.1, but newer versions should work the same way.
- This article covers only how to configure the ASF Apache proxy and the CA Single Sign-On realm settings, as this is where customers face a double challenge and SSO fails.
Instructions:
- Prerequisites:
* CA SSO and CA SOI are both configured and integrated for SSO.
* ASF Apache Proxy Server is CA SSO enabled.
* SOI is accessible via http://soi.kim.net.my:7070/sam
* Proxy server is accessible via http://soi.kim.net.my
- The ASF Proxy Server needs to be configured as follows.
Apache Proxy Setting for SOI

```apache
ProxyRequests off
ProxyPreserveHost on

<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>

<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>

<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>
```
To access SOI, visit http://soi.kim.net.my/sam/ui, which gives you access to the backend SOI.
The following additional proxy URLs are available for troubleshooting:
http://soi.kim.net.my/sam/admin
http://soi.kim.net.my/sam/debug
- The following resource filter needs to be protected by CA Single Sign-On.
CA Single Sign-On side realm resource filter |
---|
/sam/ui |
You can choose your preferred Authentication Scheme to protect this URI.
You MUST NOT protect "/sam" with CA Single Sign-On.
You do not need to create a separate realm to unprotect it; creating a realm for "/sam/ui" only is sufficient.
With this configuration, you will not be double challenged.
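The following is an added example, not part of the original article or any CA tooling: a small Python check that parses the proxy fragment above and compares it with a list of realm resource filters. It assumes a realm resource filter protects every URI that begins with it; the function names and report keys are hypothetical.

```python
import re

# Constructed sample input: the proxy fragment from this article.
APACHE_CONF = """
ProxyRequests off
ProxyPreserveHost on
<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>
<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>
<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)>(.*?)</Location>", re.S | re.I)

def proxied_locations(conf):
    """Return {location path: backend URL} for each <Location> holding a ProxyPass."""
    found = {}
    for path, body in LOCATION_RE.findall(conf):
        m = re.search(r"^\s*ProxyPass\s+(\S+)", body, re.M | re.I)
        if m:
            found[path] = m.group(1)
    return found

def covered(path, realm_filters):
    """Assumption: a realm resource filter protects every URI that starts with it."""
    return any(path.startswith(f) for f in realm_filters)

def audit(conf, realm_filters, ui_path="/sam/ui", root="/sam"):
    """Compare proxied locations with the realm filters configured in CA SSO."""
    locs = proxied_locations(conf)
    return {
        "ui_protected": covered(ui_path, realm_filters),
        # True when the proxied root is also protected: the article's failure case.
        "root_protected": covered(root, realm_filters),
        # Proxied locations that no realm filter covers.
        "unprotected": sorted(p for p in locs if not covered(p, realm_filters)),
    }

if __name__ == "__main__":
    for filters in (["/sam/ui"], ["/sam"]):
        print(filters, audit(APACHE_CONF, filters))
```

The `unprotected` list also shows that `/sam/admin` and `/sam/debug` are reachable through the proxy without a realm in front of them when only `/sam/ui` is protected.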
Additional Information:
If you proxy /sam from Apache and also protect /sam with CA Single Sign-On, you are challenged as shown below when accessing "console".
1st challenge (in this sample, I used the Basic Authentication Scheme from CA Single Sign-On)
<Please see attached file for image>
2nd challenge
<Please see attached file for image>
3rd challenge
<Please see attached file for image>
Exception
<Please see attached file for image>