Satish SatishSharma
There are 2 issues you need to be careful about.
As you apply Solution-A and then test the journey, you'd know if you are going to hit Issue-2 and therefore need Solution-B too, in addition to Solution-A. If you don't encounter Issue-2 after applying Solution-A, you are lucky.
Issue-1 : handling redirects / return URLs.
Issue-2 : Content building URIs.
Solution-A
Kindly try adding these 2 parameters in the VirtualHost Tag in Server.conf.
#################################################################
Handling Redirects by Destination Servers
Some destination servers can respond to a request from the CA SiteMinder® SPS with a redirection.
Note: A redirection that is the result of a request to the CA SiteMinder® SPS is not the same as a redirect that occurs in a proxy rule. For information about a redirect in a proxy rule, see nete:redirect.
Because the redirection initiated by the destination server is likely to a server behind the DMZ, the URL specified in the redirection results in an error. However, you can include parameters in a virtual host configuration that substitute the virtual host server name and port number in place of a redirect from a destination server.
To substitute the virtual host server and port for redirect writing, configure the following:
- enableredirectrewrite
Enables or disables redirect rewriting. If this directive is set to a value of yes, the URL for a redirect initiated by a destination server is examined by the CA SiteMinder® SPS. If the redirect URL contains a string found in the list of strings specified in the associated redirectrewritablehostnames parameter, the server name and port number of the redirect are replaced by the server name and port number of the virtual host. If the parameter is set to a value of no, any redirects initiated by destination servers are passed back to the requesting user.
- redirectrewritablehostnames
Contains a comma-separated list of strings that the CA SiteMinder® SPS searches for when a redirection is initiated by a destination server. If any of the specified strings are found in the server or port portion of the redirect URL, the CA SiteMinder® SPS substitutes the name and port number of the virtual host for the server name and port portion of the redirect URL. If you specify a value of "ALL" for this parameter, the CA SiteMinder® SPS substitutes the server name and port number of the virtual host for all redirects initiated by the destination server.
For example, consider a virtual host configuration in the server.conf file that contains the following parameters:
<VirtualHost name="sales">
hostnames="sales, sales.company.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="server1.internal.company.com,domain1.com"
</VirtualHost>
When a user makes a request from http://sales.company.com:80, the CA SiteMinder® SPS forwards the request to a destination server according to proxy rules. If the destination server responds with a redirect to server1.internal.company.com, the redirect is rewritten before being passed to the user as sales.company.com:80.
#################################################################
So your VH Config should look like this...
<VirtualHost name="SP1">
hostnames="sps1, sps1.ca.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="idm1.ca.com"
</VirtualHost>
<VirtualHost name="SP2">
hostnames="sps2, sps2.ca.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="idm2.ca.com"
</VirtualHost>
This should fix the return response URL.
Solution-B
However, it would still not fix any hardcoded CSS or JS which gets loaded internally by the Application logic on the IDM UI as part of the Page Build. The only way this could be fixed is by telling the Application Logic to build URI logic using a particular external FQDN (i.e. the Proxy FQDN) instead of the local FQDN. I have done many projects with Secure Proxy Server and Enterprise Application Servers (SharePoint Server and PeopleSoft) as backend. We always had to make a change in the Enterprise Application Server layer to make the backend server aware that it now needs to start building URIs using an External FQDN.
I don't know how in IDM we support this, i.e. if you encounter Issue-2.
Regards
Hubert
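To make the two issues concrete, here is an added example (not part of the post above and not SPS code) that models the documented enableredirectrewrite / redirectrewritablehostnames behaviour on a Location header, and then shows why it cannot help with Issue-2: absolute href/src URLs that the IDM page body builds from the internal FQDN. The server.conf fragment, the request URL and the HTML snippet are constructed sample data; carrying the user's request scheme over to the rewritten redirect is an assumption, since the documentation only talks about server name and port.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample modelled on the VirtualHost fragments in the post.
SERVER_CONF = """
<VirtualHost name="SP1">
hostnames="sps1, sps1.ca.com"
enableredirectrewrite="yes"
redirectrewritablehostnames="idm1.ca.com"
</VirtualHost>
<VirtualHost name="SP2">
hostnames="sps2, sps2.ca.com"
enableredirectrewrite="no"
redirectrewritablehostnames="ALL"
</VirtualHost>
"""

VHOST_RE = re.compile(r'<VirtualHost name="([^"]+)">(.*?)</VirtualHost>', re.S)
KV_RE = re.compile(r'^\s*(\w+)="([^"]*)"', re.M)

def parse_virtualhosts(conf):
    """Return {name: {param: value}} for every <VirtualHost> block."""
    return {name: dict(KV_RE.findall(body)) for name, body in VHOST_RE.findall(conf)}

def _patterns(vhost):
    return [p.strip() for p in vhost.get("redirectrewritablehostnames", "").split(",") if p.strip()]

def rewrite_location(vhost, request_url, location):
    """Apply the redirect-rewrite rule to one Location header value.
    request_url is what the user sent to the proxy; its scheme and host:port
    replace those of a matching redirect (using the scheme is an assumption)."""
    if vhost.get("enableredirectrewrite", "no").lower() != "yes":
        return location
    loc = urlsplit(location)
    if not loc.netloc:                      # relative redirect: nothing to rewrite
        return location
    netloc = loc.netloc.lower()
    pats = _patterns(vhost)
    if any(p.upper() == "ALL" for p in pats) or any(p.lower() in netloc for p in pats):
        req = urlsplit(request_url)
        return urlunsplit((req.scheme, req.netloc, loc.path, loc.query, loc.fragment))
    return location

ABS_URL_RE = re.compile(r'(?:href|src)="(https?://[^"]+)"', re.I)

def leaked_internal_urls(vhost, html):
    """Issue-2 check: absolute href/src URLs in the page body that still point at an
    internal host. Redirect rewriting never touches these; the application itself
    must build them with the external (proxy) FQDN."""
    pats = [p.lower() for p in _patterns(vhost) if p.upper() != "ALL"]
    return [u for u in ABS_URL_RE.findall(html)
            if any(p in urlsplit(u).netloc.lower() for p in pats)]
```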