Symantec Access Management

  • 1.  CA SSO Secure Proxy Server - HTML Form authentication

    Posted Jul 13, 2016 05:46 AM

    Hello,

     

    We have created a simple proxy rule for forwarding a URL to a webserver. The authentication scheme is working fine for the Basic Template, but when we try to use the HTML Form template we cannot access the webserver and we get the error "web page cannot be found".

     

    Is there any additional configuration that must be done for the HTML Form, beside the creation of the Authentication Scheme & the change to the application?

     

    Thank you in regards!



  • 2.  Re: CA SSO Secure Proxy Server - HTML Form authentication

    Broadcom Employee
    Posted Jul 13, 2016 06:05 AM

    Hi,

     

    I suppose you encountered an HTTP 404 error. This would be due to an incorrect physical path to login.fcc.

     

    Here is a workaround:

    Copy the folder <secure-proxy>/proxy-engine/examples/forms under <secure-proxy>/proxy-engine/examples/siteminderagent.

     

    Hope this would help.

     

    Regards,

    Koichi



  • 3.  Re: CA SSO Secure Proxy Server - HTML Form authentication

    Posted Jul 13, 2016 07:59 AM

    Dear Koichi,

     

    Thank you for your answer, we did the change of the folder, but we still get the same error (HTTP 404).

     

    The login.fcc file is not on the secure proxy server but on a third server on which we have installed the Web Agent. Also, we have chosen in the Scheme Setup not to use Relative Target but the third Web Server.

     

     

    Is it possible to use this third server for the html authentication ?

     

    BR,



  • 4.  Re: CA SSO Secure Proxy Server - HTML Form authentication

    Posted Jul 13, 2016 06:13 PM

    By virtue of doing this "choose at the Scheme Setup not to use Relative Target but the third Web Server" we are doing a 302 redirect outside the CA Access Gateway. Thus CA Access Gateway login.fcc would not be used and we expose the third webserver URL on the browser. I hope we understand that.

     

    Did we check where we are getting a 404? We have not stated in this blog at which juncture the 404 occurs. Is it when CA Access Gateway issues a 302 to http://thirdwebserver-webagent.com/siteminderagent/login.fcc, OR, post authentication, when the third webserver sends the redirect back to CA Access Gateway to proxy the request to the backend WebServer configured within the proxy rules?

     

    Regards

    Hubert



  • 5.  Re: CA SSO Secure Proxy Server - HTML Form authentication

    Posted Jul 14, 2016 06:41 AM

    Hello,

     

    Are you seeing the final redirect to the FCC if you are using an HTTP header tool like Fiddler?

    Are you seeing anything on the WebServer where the login.fcc is located? Check the access.log and error.log for the Apache Webserver. Do you have the correct alias defined?

     

    In the sample below, my Webagent is installed under /opt/CA/WA1252SP1CR04

    extract of my httpd.conf

     

    Alias /siteminderagent/pwcgi/ "/opt/CA/WA1252SP1CR04/webagent/pw/"
    <Directory "/opt/CA/WA1252SP1CR04/webagent/pw/">
        Options Indexes MultiViews ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    Alias /siteminderagent/pw/ "/opt/CA/WA1252SP1CR04/webagent/pw/"
    <Directory "/opt/CA/WA1252SP1CR04/webagent/pw/">
        Options Indexes MultiViews ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    Alias /siteminderagent/ "/opt/CA/WA1252SP1CR04/webagent/samples/"
    <Directory "/opt/CA/WA1252SP1CR04/webagent/samples/">
        Options Indexes MultiViews
        AllowOverride None
        Require all granted
    </Directory>

     

    Default target for the auth scheme : /siteminderagent/forms/login.fcc

     

    Hope it helps,

    Julien.
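
An added example, not part of the post above and not CA tooling: a Python sketch that resolves the auth scheme target through the Alias lines the way Apache mod_alias does (first matching Alias in file order wins) and reports whether login.fcc exists at the resulting physical path. ROOT and the temporary directory tree are constructed stand-ins for the Web Agent install directory.

```python
import os
import re
import tempfile

ALIAS_RE = re.compile(r'^\s*Alias\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)

# Alias lines as in the post; ROOT is a placeholder for the Web Agent install directory.
SAMPLE_CONF = '''
Alias /siteminderagent/pwcgi/ "ROOT/webagent/pw/"
Alias /siteminderagent/pw/ "ROOT/webagent/pw/"
Alias /siteminderagent/ "ROOT/webagent/samples/"
'''

def parse_aliases(conf_text):
    """Return (url_prefix, directory) pairs in configuration order."""
    pairs = []
    for line in conf_text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def resolve(aliases, url_path):
    """First matching Alias in file order wins, matched on whole path segments."""
    for prefix, directory in aliases:
        on_boundary = prefix.endswith("/") or url_path[len(prefix):len(prefix) + 1] in ("", "/")
        if url_path.startswith(prefix) and on_boundary:
            return directory + url_path[len(prefix):]
    return None

def check_target(conf_text, target):
    """Return (physical_path, exists) for the auth scheme target."""
    path = resolve(parse_aliases(conf_text), target)
    return path, bool(path) and os.path.isfile(path)

def demo():
    """Check the target in a constructed tree before and after login.fcc is in place."""
    target = "/siteminderagent/forms/login.fcc"
    with tempfile.TemporaryDirectory() as root:
        conf = SAMPLE_CONF.replace("ROOT", root)
        os.makedirs(os.path.join(root, "webagent", "samples"))
        before = check_target(conf, target)[1]  # forms/ missing: the web server would answer 404
        forms = os.path.join(root, "webagent", "samples", "forms")
        os.makedirs(forms)
        open(os.path.join(forms, "login.fcc"), "w").close()
        after = check_target(conf, target)[1]
    return before, after

if __name__ == "__main__":
    print(demo())
```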



  • 6.  Re: CA SSO Secure Proxy Server - HTML Form authentication
    Best Answer

    Broadcom Employee
    Posted Jul 15, 2016 02:16 PM

    Please review the following technote TEC1977406 on why you are seeing error 404 -

    How to fix the deployment location of login pages on CA Access Gateway (formerly SPS Secure Proxy Server)

    The CA Access Gateway (formerly CA SPS - Secure Proxy Server) once installed does not install the template login files in the place normally expected by default authentication schemes.  This article shows you how to move them to the expected location.