DX NetOps

  • 1.  CA Performance Management SAML towards AD FS

    Posted Aug 06, 2020 10:04 AM
    Hello users,

    We are looking at integrating CA Performance Management with Microsoft AD FS, with the Web Application Proxy on the front-end, to give our customers access to the PM portal.
    The problem is that the Portal has its own SSO application, running on a different port, which you have to go through with SAML to authenticate.

    But most of our customers won't allow their users to go out to port 8382, where the SSO is living.
    And when you try to reverse proxy it, the portal won't allow the request, since it is expecting it on a different port.

    So we have now built around it, and set the PC front-end on a different port that can be reverse proxied, and set the SSO portal on port 443.

    This brought us a step closer, but now we face the following.

    The AD FS IDP is removing the port from the UserAssertionService since 443 is the default HTTPS port.
    But CA PM is still expecting it to be there, so it gives the following error:
    ERROR | qtp1309003972-21 | 2020-08-06 14:27:07,172 | common.sso.saml2.UserAssertionService
    | Wrong destination. Expected: https://<url>:443/sso/saml2/UserAssertionService. Received: https://<url>/sso/saml2/UserAssertionService

    And we now still can't login.

    Does anybody have any experience with integrating CA PM with SAML and a reverse proxy? And how did you do this?

    Kind regards,
    Nick


  • 2.  RE: CA Performance Management SAML towards AD FS
    Best Answer

    Broadcom Employee
    Posted Aug 07, 2020 04:44 PM
    Nick,

    You note that "The AD FS IDP is removing the port from the UserAssertionService since 443 is the default HTTPS port."

    You note the port we recommend isn't acceptable.

    Is using port 443 a requirement?

    Is there an alternative port that would be acceptable for use here? Maybe one that wouldn't be dropped from the URL by the AD FS IDP as a default/standard SSL port?

    Thanks,
    Mike


    ------------------------------
    Technical Support Engineer IV
    Broadcom
    ------------------------------



  • 3.  RE: CA Performance Management SAML towards AD FS

    Posted Aug 24, 2020 09:37 AM
    Hello Mike,

    The thing is, we are opening this up to our customers, and we can't ask our customers to open up port 8382 from their users to the internet.
    What would you recommend on this?

    Do you have any experience with this? Or do you know a way to use a reverse proxy before the PM front-end with SSO SAML hosting on only 443?

    Regards,
    Nick


  • 4.  RE: CA Performance Management SAML towards AD FS

    Broadcom Employee
    Posted Aug 24, 2020 03:05 PM
    You would need to configure the reverse proxy to check if the URL starts with https://PC:443/sso and send the request internally to the SSO port on PC. Any other URL goes to the PC service, https://proxy:443/<url>. The proxy handles sending the request and getting the response for the user, so the user never actually has to go to 443 or 8382 on the real PC box.

    The external SSO port can be advertised as 443, but still run on 8382. Non-customers could directly access https://PC:8382/sso/sign-in.jsp?SsoProductCode=pc to log in as, for example, the administrator account and bypass SAML2 logins.
    You can set the local override for SSO Port in SsoConfig to 443, I believe.

    Sorry, I have no idea how to configure the reverse proxy itself, but the above logic should work.

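    The routing Jeffrey describes above, written out as an added nginx reverse-proxy example. This is not part of the thread and not Broadcom's own configuration: the external name pm.example.com, the internal host pc.internal.example, the relocated PC front-end port 8181 and the certificate paths are assumptions; 8382 is the SSO port named in the thread.

```nginx
# Added example, not from the thread or from Broadcom.
# Assumed: external name pm.example.com, internal host pc.internal.example,
# PC front-end moved to 8181 (post 1 says it was moved off 443), SSO on 8382.

upstream pc_portal {
    server pc.internal.example:8181;   # assumed PC front-end port
}

upstream pc_sso {
    server pc.internal.example:8382;   # SSO port from the thread
}

server {
    listen 443 ssl;
    server_name pm.example.com;                              # assumed

    ssl_certificate     /etc/nginx/tls/pm.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/pm.example.com.key;   # assumed path

    # Tell the backends which external host/port/scheme the user actually used,
    # so any absolute URLs they build point at the proxy, not at 8382.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  443;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # Verify the backend certificates: this hop carries the SAML assertion
    # and session cookies, so do not proxy to an unverified TLS endpoint.
    proxy_ssl_verify on;
    proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;   # assumed
    proxy_ssl_server_name on;
    proxy_ssl_name pc.internal.example;

    # Everything under /sso (sign-in page, /sso/saml2/UserAssertionService)
    # is sent to the SSO service on 8382. The URI is passed through unchanged.
    location /sso/ {
        proxy_pass https://pc_sso;
    }

    # Any other URL is sent to the PC front-end.
    location / {
        proxy_pass https://pc_portal;
    }
}
```

    Two practitioner notes on this layout. First, the backends on 8181 and 8382 should accept connections only from the proxy (host firewall or network ACL); otherwise the direct sign-in page Jeffrey mentions stays reachable by anyone who can reach 8382, which defeats the point of forcing SAML. Second, the proxy cannot fix the "Wrong destination" error from the first post: the SAMLResponse that AD FS POSTs to /sso/saml2/UserAssertionService is signed, so the proxy must pass it through unchanged, and the Destination comparison happens inside CA PM. Which URL form PM expects there (with or without an explicit :443) has to be settled in PM's SSO configuration, not by rewriting on the proxy.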

  • 5.  RE: CA Performance Management SAML towards AD FS

    Posted Aug 27, 2020 05:22 AM
    Hello Jeffrey,

    This gives us the following errors.
    Either the IDP is not accepting the URL, since it is on 443 and the assertion URL is on 443.
    Or the SP (that is, CA PM) is not accepting the URL, since it is different from the expected URL.



  • 6.  RE: CA Performance Management SAML towards AD FS

    Broadcom Employee
    Posted Aug 27, 2020 10:21 AM
    Do you have a support case still open for this? You were working with Tom in support?

    Can we work further via support case on this?


  • 7.  RE: CA Performance Management SAML towards AD FS

    Posted Aug 27, 2020 10:26 AM
    No, it was closed during my holiday.
    It was case nr 32144216 .


    I can open another case and mention you?

    Regards,
    Nick


  • 8.  RE: CA Performance Management SAML towards AD FS

    Broadcom Employee
    Posted Aug 27, 2020 02:41 PM
    Yes, please do.


  • 9.  RE: CA Performance Management SAML towards AD FS

    Posted Aug 28, 2020 02:13 AM
    Hi, how about using port forwarding on your firewall?
    Regards
    Stephen
