Symantec Access Management

  • 1.  Using SPS as front end for IDM

    Posted Feb 18, 2015 01:02 AM

Hi All,

    We are using SPS as web front end.

We are using a load balancer in front of two SPS instances, and those two SPS instances then forward requests to a single node of the IDM server (node 1 or node 2, which are in a cluster).

    SPS1 will forward requests to IDM1

SPS2 will forward requests to IDM2.

IDM1 and IDM2 will be in a cluster.

    We are able to forward requests from

    http://sps1.test.com/iam/im/index.jsp to http://IDM1.test.com/iam/im/index.jsp

This exposes the IDM URL to the end user. We would like the URL to remain the same after authentication.

Because of the URL change above, the SMSession information is not getting passed to IDM.

Please help.

    Thanks,

    Satish



  • 2.  Re: Using SPS as front end for IDM
    Best Answer

    Posted Feb 18, 2015 03:58 PM

Satish SatishSharma

There are 2 issues you need to be careful about.

As you apply Solution-A and then test the journey, you'd know if you are going to hit Issue-2 and therefore need Solution-B too, in addition to Solution-A. If you don't encounter Issue-2 after applying Solution-A, you are lucky.

Issue-1: handling redirects / return URLs.

Issue-2: content-building URIs.

Solution-A

Kindly try adding these 2 parameters to the VirtualHost tag in server.conf.

    #################################################################

    Handling Redirects by Destination Servers

Some destination servers can respond to a request from the CA SiteMinder® SPS with a redirection.

Note: A redirection that is the result of a request to the CA SiteMinder® SPS is not the same as a redirect that occurs in a proxy rule. For information about a redirect in a proxy rule, see nete:redirect.

    Because the redirection initiated by the destination server is likely to a server behind the DMZ, the URL specified in the redirection results in an error. However, you can include parameters in a virtual host configuration that substitute the virtual host server name and port number in place of a redirect from a destination server.

    To substitute the virtual host server and port for redirect writing, configure the following:

    • enableredirectrewrite
      Enables or disables redirect rewriting. If this directive is set to a value of yes, the URL for a redirect initiated by a destination server is examined by the CA SiteMinder® SPS. If the redirect URL contains a string found in the list of strings specified in the associated redirectrewritablehostnames parameter, the server name and port number of the redirect are replaced by the server name and port number of the virtual host. If the parameter is set to a value of no, any redirects initiated by destination servers are passed back to the requesting user.
    • redirectrewritablehostnames
      Contains a comma-separated list of strings that the CA SiteMinder® SPS searches for when a redirection is initiated by a destination server. If any of the specified strings are found in the server or port portion of the redirect URL, the CA SiteMinder® SPS substitutes the name and port number of the virtual host for the server name and port portion of the redirect URL. If you specify a value of "ALL" for this parameter, the CA SiteMinder® SPS substitutes the server name and port number of the virtual host for all redirects initiated by the destination server.

    For example, consider a virtual host configuration in the server.conf file that contains the following parameters:

<VirtualHost name="sales">
hostnames="sales, sales.company.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="server1.internal.company.com,domain1.com"
</VirtualHost>

    When a user makes a request from http://sales.company.com:80, the CA SiteMinder® SPS forwards the request to a destination server according to proxy rules. If the destination server responds with a redirect to server1.internal.company.com, the redirect is rewritten before being passed to the user as sales.company.com:80.

#################################################################

So your VH config should look like this...

<VirtualHost name="SP1">
hostnames="sps1, sps1.ca.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="idm1.ca.com"
</VirtualHost>

<VirtualHost name="SP2">
hostnames="sps2, sps2.ca.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="idm2.ca.com"
</VirtualHost>

This should fix the return response URL.

Solution-B

However, it would still not fix any hardcoded CSS or JS which gets loaded internally by the application logic on the IDM UI as part of the page build. The only way this could be fixed is by telling the application logic to build URIs using a particular external FQDN (i.e. the proxy FQDN) instead of the local FQDN. I have done many projects with Secure Proxy Server and enterprise application servers (SharePoint Server and PeopleSoft) as backend. We always had to make changes in the enterprise application server layer to make the backend server aware that it now needs to start building URIs using an external FQDN.

I don't know how we support this in IDM, i.e. if you encounter Issue-2.

Regards

    Hubert
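To make the documented rewrite rule concrete, here is an added Python example. It is not code from this thread or from CA/Symantec; it parses the SP1 VirtualHost fragment quoted in the reply above and applies the enableredirectrewrite / redirectrewritablehostnames logic to a Location header value, the way the SPS documentation describes it. The request host "sps1.ca.com:80", the redirect URLs and the HTML fragment are constructed inputs, and the final body scan only illustrates Issue-2: rewriting covers the redirect header, not URIs the application builds into page content.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# server.conf fragment for virtual host SP1, as given in the reply above.
SERVER_CONF = """
<VirtualHost name="SP1">
hostnames="sps1, sps1.ca.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="idm1.ca.com"
</VirtualHost>
"""


def parse_virtualhosts(conf: str) -> dict:
    """Parse <VirtualHost name="..."> blocks into {name: {parameter: value}}.
    Illustrative parser for the key="value" lines used here, not SPS's own
    server.conf reader."""
    hosts, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        start = re.match(r'<VirtualHost\s+name="([^"]+)">', line)
        if start:
            current = hosts.setdefault(start.group(1), {})
        elif line == "</VirtualHost>":
            current = None
        elif current is not None:
            kv = re.match(r'(\w+)="([^"]*)"', line)
            if kv:
                current[kv.group(1).lower()] = kv.group(2)
    return hosts


def rewrite_redirect(location: str, vhost: dict, request_host: str) -> str:
    """Apply the documented enableredirectrewrite / redirectrewritablehostnames
    rules to one Location header value.

    request_host is the host[:port] the client used to reach the virtual host
    (e.g. "sps1.ca.com:80"); it replaces the server:port of a matching redirect.
    """
    if vhost.get("enableredirectrewrite", "no").lower() != "yes":
        return location                 # rewriting disabled: pass redirect through
    parts = urlsplit(location)
    if not parts.netloc:
        return location                 # relative redirect: nothing to rewrite
    patterns = [p.strip() for p in vhost.get("redirectrewritablehostnames", "").split(",")]
    patterns = [p for p in patterns if p]
    netloc = parts.netloc.lower()       # server and port portion of the redirect URL
    if "ALL" in patterns or any(p.lower() in netloc for p in patterns):
        return urlunsplit((parts.scheme, request_host, parts.path, parts.query, parts.fragment))
    return location


def find_internal_references(body: str, internal_hosts) -> list:
    """Issue-2 check: absolute URLs in a response body that still name an
    internal host. Redirect rewriting only touches the Location header, so
    anything listed here has to be fixed on the application side (Solution-B)."""
    urls = re.findall(r"""https?://[^\s"'<>]+""", body)
    return [u for u in urls
            if any(h.lower() in urlsplit(u).netloc.lower() for h in internal_hosts)]


if __name__ == "__main__":
    sp1 = parse_virtualhosts(SERVER_CONF)["SP1"]
    # Constructed redirect from the IDM1 backend and a constructed page fragment.
    print(rewrite_redirect("http://idm1.ca.com/iam/im/index.jsp", sp1, "sps1.ca.com:80"))
    page = '<script src="http://idm1.ca.com/iam/im/app.js"></script>'
    print(find_internal_references(page, ["idm1.ca.com"]))
```

Matching is a plain substring test on the server:port portion, as the documentation states, so a value such as "ca.com" in redirectrewritablehostnames would match every host under that domain; list the specific backend names you intend to rewrite.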



  • 3.  Re: Using SPS as front end for IDM

    Posted Feb 19, 2015 12:41 AM

Hi @HubertDennis

    Thank you so much for writing on my post.

The first solution which you suggested worked for us yesterday. We were able to find this information in the SPS documentation.

It's great that the people here are more knowledgeable than CA Support.

    Thanks,

    Satish.