Hi, I want to use form based authentication to authenticate to our IDP for a federation partnership. SPS is being used as Federation Gateway. Is it possible to use the same SPS server to host Form based login page, like other webagents?
I noticed there is an examples/forms/login.fcc shipped with the product. I copied that folder to Tomcat/webapps and tried to access one of the .fcc pages but I get a message saying:
Server Error: Server was unable to process your request.
Is there something I can do to tell Tomcat how to process this specific file type? Or should I move this login process to front end apache level? Appreciate any insights.
I do not see a conflict in using SPS Federation Gateway as a regular agent, but per the documentation, there are limitations:
"Limitations of the CA SiteMinder® SPS Federation Gateway
Note the following limitations when using the CA SiteMinder® SPS federation gateway:
-- The prefilters and postfilters (both built-in and custom-configured) do not execute when federation resources are being requested. For non-federated requests that are fired for the default context, these filters execute as usual.
-- Proxy rules do not execute when federated resources are being requested. For non-federated requests that are fired for the default context, these rules execute as usual."
This indicates SPS as Federation Gateway does handle non-federated requests.
You may have to introduce a configuration change in proxyrules.xml to make that happen.
By default, I think the login page is at ~/proxy-engine/examples/forms/login.fcc. If you want to change the look and feel, no problem. However, if you change the default location, there are other settings that need to be changed as well, such as document_root defined under server.conf.
There is a section in SPS, "Modify the Default Location of the SiteMinder Forms". It is a bit old, but gives you an idea of what may be required when you do that. "Note: If you customize the location of the forms folder, ensure that you update the httpd.conf file with the location of the forms images."
Depending on how much customization you would get into, CA service can always be an option if you are stuck.
Hope this helps.
As Hongxu pointed out, you can use SPS agent as any normal agent. And yes, it does support hosting its login.fcc (and other fcc) on its own. You don't need to copy/move any files.
Just using the default configuration should be sufficient.
Thank You both.
I created an auth scheme with default settings. I get redirected to the login page in the URL bar as defined in SM authentication scheme. However, the browser renders the following message:
It doesn't show anything else.
Appreciate any input.
The error SM-SPS-02001 is generic and means a configuration error.
Probably due to virtual host configuration.
Something else that you can do is to check:
1. hostname: http://hostnameurl Do you have the corresponding virtual host definition?
2. Check that the WebAgent.conf has the correct plugin loaded
3. Enable logging to debug
You may check the following community thread for other similar issues:
Thanks HongXu. I was not aware that SM-SPS-02001 is a config error. Good to know that for the future. Thank you very much for such a timely response.
Anything in the webagent trace log, server.log?
Webagent trace clearly shows that it failed to serve login.fcc. There is no login.fcc in the default folder for SPS; it should be chslogin.fcc. Updated the auth scheme with the correct name and all is well now.