I have STS enabled in server.conf on CA Access Gateway (CA SPS)
There are multiple virtual hosts configured in the same server.conf. Where exactly is STS going to listen, on all VHs? How do I assign it to a specific VH?
I had a similar request recently with the federated apps on the SPS. Please review the solution in the following post.
CA SPS Federation Gateway Question
As you can see, we handled the blocking of the inappropriate virtual host access with an auth scheme redirect to a static access denied page. We used an agent group object to protect the realm associated with the federated app and applied the custom auth scheme to that realm. All VHs on SPS are using a unique Webagent.conf, so we can use unique agent objects on the SSO side. The appropriate virtual host is not in the agent group and not protected with this custom auth scheme, so it can access the app.
Thanks Hubert Dennis for the suggested method, it works great.
If you would like to see better delegation of these types of requests in the server.conf please upvote for my enhancement request here.
CA SPS - Block access to Federated Web Apps on Virtual Host Basis
Thanks Adam. You answered my question; it seems STS will run on all VHs. I need to test it now.
Great thanks Vlad. Can you mark my answer as correct if you are satisfied with it?
Have a good one,
Hi Adam, I am still struggling to expose STS through any of the Virtual hosts, that's why I didn't mark your answer as correct yet, kristen.malzone did :-).
CA support tells me not to use proxy rules to forward traffic to STS, but there are already proxy rules that forward traffic depending on a host name and URI. Without a rule STS is not reachable because other rules take control. In your federation services setup, do you have a specific condition in proxyrules to forward to the Tomcat running the services?
For the federation gateway piece I do not have to define proxy rules to access the web apps. That was my initial struggle: the federated apps were all exposed through each of my virtual hosts, which prompted me to open the ER and deploy the little workaround.
At the enterprise producing assertions, federation requests are forwarded to the Tomcat server embedded in CA SiteMinder SPS. The Tomcat server hosts the FWS application. Proxy rules and filters have no relevance when the federation request gets processed.
For the STS, can we get a better understanding of what is happening by seeing some traces in your log files?
It was my wrong assumption. IE had friendly error messages enabled, showing "Page not found" instead of "WS-Trust is available only via SOAP request". I assumed SPS could not find STS, but all is good now with friendly error messages disabled.
Thanks Vlad for the confirmation. Glad you were able to access the resource. Are you able to access the STS resource from any of your Virtual hosts?
Yes, it is accessible from any Virtual host. Thanks for your help.
Thanks Vlad for the feedback. I would recommend you try the approach I used above for the federation apps if you need to restrict it to a single virtual host at this time until hopefully my enhancement request comes through.
Glad you were able to get this working.