Introduction / Summary:
- This article is based on CA Single Sign-On R12.52SP1, but the configuration should be generic and not limited to a specific version.
- It is based on SOI 3.1, but newer versions should work the same way.
- This article covers only how to configure the ASF Apache proxy and the CA Single Sign-On realm, because this is where customers are double challenged and SSO fails.
* CA SSO and CA SOI are both configured and integrated for SSO.
* ASF Apache Proxy Server is CA SSO enabled.
* SOI is accessible via http://soi.kim.net.my:7070/sam
* Proxy server is accessible via http://soi.kim.net.my
- The ASF Proxy Server needs to be configured as follows.
|Apache Proxy Setting for SOI|
To access SOI, visit http://soi.kim.net.my/sam/ui, which gives you access to the backend SOI.
The following are some additional proxy URLs for troubleshooting.
- The following resource filter needs to be protected by CA Single Sign-On.
|CA Single Sign-On side realm resource filter|
You can choose your preferred Authentication Scheme to protect this URI.
You MUST NOT protect "/sam" with CA Single Sign-On.
You do not need to create a separate realm to unprotect it; creating a realm only for "/sam/ui" is sufficient.
With this configuration, you will not be double challenged.
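A minimal Apache mod_proxy fragment matching the URLs above, shown as an added example that is not the configuration from the original article. The virtual host layout is an assumption, and the CA SSO Web Agent directives are omitted.

```apache
# Added example (assumed layout, not the article's own configuration).
# Requires mod_proxy and mod_proxy_http to be loaded.
<VirtualHost *:80>
    ServerName soi.kim.net.my

    # Reverse proxy only: never act as a forward proxy.
    ProxyRequests Off

    # Forward everything under /sam to the backend SOI on port 7070.
    ProxyPass        /sam http://soi.kim.net.my:7070/sam
    ProxyPassReverse /sam http://soi.kim.net.my:7070/sam

    # The CA SSO Web Agent on this server checks each request before it is proxied.
    # On the CA SSO side, the realm resource filter is /sam/ui only.
    # /sam itself has no realm, so only /sam/ui triggers a CA SSO challenge.
</VirtualHost>
```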
If you proxy /sam through Apache and also protect /sam with CA Single Sign-On, you are challenged as shown below when accessing "console".
1st challenge (in this sample, I used the Basic Authentication Scheme from CA Single Sign-On)
Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus