Introduction / Summary: 

    - This is based on CA Single Sign-On version R12.52SP1 but this should be generic and not limited to specific version.

    - This is based on SOI 3.1 but newer versions should work the same.

    - This article only covers the part on how to configure the ASF Apache proxy and CA Single Sign-On Realm setting as this is where customers are facing double challenge and fail to SSO.

Instructions:

    - Prerequisites:

     * CA SSO and CA SOI are both configured and integrated for SSO.

     * ASF Apache Proxy Server is CA SSO enabled.

     * SOI is accessible via http://soi.kim.net.my:7070/sam

     * Proxy server is accessible via http://soi.kim.net.my

    - Following is how the ASF Proxy Server need to be configured.

To get access to SOI, visit http://soi.kim.net.my/sam/ui and you get access to the backend SOI

Following are some additional proxy url for troubleshooting

http://soi.kim.net.my/sam/admin

http://soi.kim.net.my/sam/debug

    - Following is the resource filter that need to be protected by CA Single Sign-On.

You can choose your preferred Authentication Scheme to protect this URI.

You MUST NOT protect "/sam" from CA Single Sign-On.

You do not need to create a separate realm to unprotect this, just create a realm only for "/sam/ui" and that is sufficient.

With this configuration, you will not be double challenged.

Additional Information:

In case if you were proxying /sam from apache and also protecting /sam from CA Single Sign-On, you get challenged as below when accessing "console".

1st challenge (in this  sample, I used Basic Authentication Scheme from CA Single Sign-On)

<Please see attached file for image>

2nd challenge

<Please see attached file for image>

3rd challenge

<Please see attached file for image>

Exception

<Please see attached file for image>