Symantec Access Management

Hello Everyone,

Has anyone implemented apache basic authentication feature along with siteminder authentication.

We have a business requirement where customer wants apache basic authentication to be enabled for a resource and siteminder authentication should also work.

Here is the use case:

1. I have a resource /mobile/htmlsso.jsf fully protected and /mobile/index.jsf anonymous protected.

2. There are few resources for e.g. /mobile?partnerid=80company=test on which apache basic prompt is enabled.

3. There are few more resource with basic prompt enabled, just that their query parameter value will get changed.

4. Now, with siteminder agent not installed, when user access /mobile/index.jsf he doesn't get basic prompt and when he access /mobile?partnerid=80company=test, he gets apache basic prompt which is correct as per conditions.

5. When siteminder is enabled, if we hit /mobile/index.jsf it shows up the apache prompt where as conditions of query parameters like partnerid=80 is not matching. Also /mobile/index.jsf is anonymously protected. So showing up prompt is not the correct behaviour with siteminder enabled.

6. Further if we give basic creds on that pop and then try to do login on resource /mobile/htmlsso.jsf which is fully protected with siteminder, siteminder login doesn't work, it just hangs up in the browser and nothing comes up which is really strange.

7. From the agent logs it appears that it only checked if /mobile/htmlsso.jsf is protected and collecting credentials but nothing apart from that.

8. When we hit /mobile/index.jsf, and pop-up appears, only logs we see is it is anonymously protected, nothing else.

I know the basic prompt feature of apache can also be fullfilled with siteminder but customer wants this apache pop-up to be enabled as they have some restrictions.

I want to know if anyone has worked on a case where apache prompt and siteminder login both are working. If yes, please share your views on this. if you need any info, I will be able to provide you.

Regards,

Neeraj

You need to clarify something.  When you say "anonymously protected", do you mean "unprotected"?  This is important.

Also, there is a big difference between /mobile/index.jsf and /mobile?partnerid=80company=test

protecting/unprotecting one resource will not have the same behavior on the other resource.

/mobile?partnerid=80company=test should be its own separate resource, IMHO, with the protection set as desired (in SiteMinder).

Also, the ACO should have the parameter IgnoreQueryData set to "no" so the URL /mobile?partnerid=80company=test will be evaluated as a complete resource and not chopped off after the question mark.

Hi Mike,

Thanks for the response.

When I say anonymous, it means we have an anonymous realm with resource "/mobile/index.jsf". We send headers on this resource which will be anonymous if user is not logged in and will have some values if user is already logged in Single sign on case. It is not unprotected.

IgnoreQueryData is set to "no" in ACO.

Problem that we face is if we hit /mobile?partnerid=80&company=test, in siteminder configurations it is neither fully protected nor anonymously protected, so agent should consider it as unprotected resource and allow it to go through so that apache basic authentication can does the authentication properly. And moreover /mobile/html_sso.jsf is fully protected and does not meet the criteria of showing apache prompt then also it shows pop-up. It only happens when siteminder is enabled.

let me know if any suggestions.

Hi NeerajChase

I suspect this related to how you configure realm and rule. If you have Siteminder test tool, what is the isProtected result when you access

/mobile/index.jsf

/mobile?partnerid=80&company=test

I think the Resource Filter in the realm should be /mobile/, follow by rule under the realm as *. The effective resource is something like AgentGroup/mobile/*

In that case, the "/mobile?partnerid=80&company=test" should return "Not Protected" and apache basic authentication should take place from there.

Hope this helps.

Regards,

Kar Meng

Hi Kar Meng,

I have tried the option which you have listed. The issue in this is if I access /mobile/index.jsf (which is protected with anonymous realm), I get the apache prompt even if conditions are not met. Which is wrong.

It shows apache prompt on literally each resource for e.g. /mobile/index.jsf , /mobile/html_sso.jsf etc. Even if it comes, after giving credentials, it doesn't work along with siteminder.

Regards,

Neeraj

Hi Neeraj,

Thanks for your update. I presume the apache prompt is not Siteminder login prompt. Can you confirm if the apache basic prompt is from Apache web server but not Siteminder? In general, if the basic prompt is from Siteminder, you will see the realm name.

If the basic prompt is from Apache, then we might need to get some assistance from Apache support to understand on why after enable Siteminder web agent , the apache basic prompt get trigger even access resource not configure to apache basic prompt.

I don't have much experience on configure apache basic prompt. Can you share some infomration on how this being configured?

Did you test with Siteminder test tool after you configure the Siteminder realm to check on if each resource is protected by Siteminder or not? In this case, we can isolate if Siteminder incorrect protect the resource causing the issue or due to some other reason.

Regards,

Kar Meng