Layer7 Access Management

Expand all | Collapse all

Form Based authentication for SPS

Jump to Best Answer
  • 1.  Form Based authentication for SPS

    Posted 01-03-2017 02:09 PM

    Hi, I want to use form based authentication to authenticate to our IDP for a federation partnership. SPS is being used as Federation Gateway. Is it possible to use the same SPS server to host Form based login page, like other webagents?

    I noticed there is a examples/forms/login.fcc shipped with the product. I copied that folder to Tomcat/webapps and tried to access one of the .fcc pages but I get a message saying: 

     

    Server Error: Server was unable to process your request.

     

    Is there something I can do to tell Tomcat on how to process this specific file type? Or Should I move this login process to front end apache level? Appreciate any insights.



  • 2.  Re: Form Based authentication for SPS

    Posted 01-03-2017 04:35 PM

    Hi Anil,

     

    I do not see conflict between using SPS Federation Gateway as regular agent, but per documentation, there are limitations:

     

    "Limitations of the CA SiteMinder® SPS Federation Gateway

    Note the following limitations when using the CA SiteMinder® SPS federation gateway:
    --The prefilters and postfilters (both built-in and custom-configured) do not execute when federation resources are being requested. For non-federated requests that are fired for the default context, these filters execute as usual.
    --Proxy rules do not execute when federated resources are being requested. For non-federated requests that are fired for the default context, these rules execute as usual.

    "

    This indicates SPS as Federation Gateway does handle non-federated requests.

    You may have to introduce configuration change in proxyrules.xml to make that happen.

     

    By default, I think the login page is at ~/proxy-engine/examples/forms/login.fcc, if you want to change the look and feel, no problem. However if you change the default location, there are other setting needs to be changed as well, such as document_root defined under server.conf.

     

    There is a section in SPS "Modify the Default Location of the SiteMinder Forms", a bit old, but give you an idea what may required when you do that. "Note: If you customize the location of the forms folder, ensure that you update the httpd.conf file with the location of the forms images. "

     

    Depending on how much customization you would get into, CA service can always be an option if you are stuck.

     

    Hope this helps.

     

    Hongxu



  • 3.  Re: Form Based authentication for SPS

    Posted 01-03-2017 07:21 PM

    As Hongxu pointed out , you can use SPS agent as any normal agent. and yes, it does support hosting its login.fcc (and other fcc) on it's own. You don't need to copy/move any files.

     

    Just using the default configuration should be sufficient.



  • 4.  Re: Form Based authentication for SPS

    Posted 01-04-2017 12:38 PM

    Thank You both.

     

    I created an auth scheme with default settings. I get redirected to the login page in the URL bar as defined in SM authentication scheme. However browser renders the following message:

     

    SM-SPS-02001

     

    does nt show anything else.

     

    Appreciate any input.



  • 5.  Re: Form Based authentication for SPS

    Posted 01-04-2017 04:45 PM

    The error SM-SPS-02001 is generic and means a configuration error.

    Probably due to virtual host configuration.

    Something else that you can do is to check is.

    1. hostname : http://hostnameurl
    Do you have the corresponding Virtual host definition ?

    2. Check that the WebAgent.conf has the correct pluggin loaded

    HttpPlugin.dll
    SPSPlugin.dll

    3.Enable Logging to debug

    authaz-log4j.xml

     

    You may check the following community thread for other similar issues:

    https://communities.ca.com/thread/241726246

     

    Hongxu



  • 6.  Re: Form Based authentication for SPS

    Posted 01-04-2017 05:51 PM

    Thanks HongXu. was not aware that SM-SPS-02001 is config error. Good to know that for future. Thank you very much for such timely response. 



  • 7.  Re: Form Based authentication for SPS
    Best Answer

    Posted 01-04-2017 04:49 PM

    Anything in the webagent trace log, server.log ?



  • 8.  Re: Form Based authentication for SPS

    Posted 01-04-2017 05:50 PM

    Webagent trace clearly shows that it failed to server login.fcc. There is no login.fcc in the default folder for SPS , it should be chslogin.fcc. Updated Auth scheme with correct name and all is well now.