search cancel

How to protect SOI using Apache Proxy Server (with CA Single Sign-On enabled)


Article ID: 36497


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


Introduction / Summary: 

    - This is based on CA Single Sign-On version R12.52SP1 but this should be generic and not limited to specific version.

    - This is based on SOI 3.1 but newer versions should work the same.

    - This article only covers the part on how to configure the ASF Apache proxy and CA Single Sign-On Realm setting as this is where customers are facing double challenge and fail to SSO.



    - Prerequisites:

     * CA SSO and CA SOI are both configured and integrated for SSO.

     * ASF Apache Proxy Server is CA SSO enabled.

     * SOI is accessible via

     * Proxy server is accessible via


    - Following is how the ASF Proxy Server need to be configured.

Apache Proxy Setting for SOI

ProxyRequests off

ProxyPreserveHost on


<Location /sam>






<Location /sam/admin>





<Location /sam/debug>





To get access to SOI, visit and you get access to the backend SOI


Following are some additional proxy url for troubleshooting


    - Following is the resource filter that need to be protected by CA Single Sign-On.

CA Single Sign-On side realm resource filter

You can choose your preferred Authentication Scheme to protect this URI.

You MUST NOT protect "/sam" from CA Single Sign-On.

You do not need to create a separate realm to unprotect this, just create a realm only for "/sam/ui" and that is sufficient.

With this configuration, you will not be double challenged.


Additional Information:

In case if you were proxying /sam from apache and also protecting /sam from CA Single Sign-On, you get challenged as below when accessing "console".


1st challenge (in this  sample, I used Basic Authentication Scheme from CA Single Sign-On)

<Please see attached file for image>

2nd challenge

<Please see attached file for image>

3rd challenge

<Please see attached file for image>


<Please see attached file for image>



Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus


1558722411958000036497_sktwi1f5rjvs16wfu.png get_app
1558722410196000036497_sktwi1f5rjvs16wft.png get_app
1558722408253000036497_sktwi1f5rjvs16wfs.png get_app
1558722406333000036497_sktwi1f5rjvs16wfr.png get_app