We have a need not to install the CA SiteMinder web agent in the backend app and are thinking of using SPS to tunnel this backend app's traffic via the CA SPS gateway and protect the app URL at the SPS level, so that we don't need to install a web agent in the backend app. How do we protect against someone calling the backend app URL directly by invoking the app hosting server URL (the same URL that SPS will proxy forward to) and passing the required headers that SPS would provide to the backend app? Basically, how will the backend app server ensure that the request came via SPS and that the user is authenticated? This may be possible by having a source IP check in the backend app, but it is not reliable and is difficult to maintain as we add more SPS servers or replace an existing SPS server with a new one.
Any suggestions? I really appreciate your input.
There are a couple of ways to deal with this.
We recently discussed the same requirement here:
What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)
But let me put the main points that we discussed here as well:
For this you can refer to my recent blog post: Tech Tip : CA Single Sign-On : Policy Server :: Encrypted Active Response
Hope this helps.
Ujwol's Single Sign-On Blog
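To illustrate the principle behind the encrypted-response approach (the backend only trusts identity it can verify with a secret shared solely with SPS, never a bare header), here is an added example that is not from the original thread, Ujwol's blog, or CA's own code. The header name `X-SPS-Auth`, the HMAC-based token format and the secret value are assumptions for illustration; CA's actual Encrypted Active Response format differs.

```python
import hmac
import hashlib
import time

# Constructed placeholder: a secret known only to the SPS proxy and the backend.
# Not a real CA SiteMinder key; rotate and store it securely in practice.
SHARED_SECRET = b"example-shared-secret-not-real"
MAX_AGE_SECONDS = 300  # tokens older than this are rejected to limit replay

def sign_identity(user, issued_at, secret=SHARED_SECRET):
    """Proxy side (hypothetical): build the value SPS would place in X-SPS-Auth."""
    if "|" in user:
        raise ValueError("user name must not contain the '|' separator")
    msg = f"{user}|{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{user}|{issued_at}|{mac}"

def verify_identity(header_value, now=None, secret=SHARED_SECRET):
    """Backend side: return the user name if the token is authentic and fresh, else None."""
    if header_value is None:
        return None
    parts = header_value.split("|")
    if len(parts) != 3:
        return None
    user, issued_at, mac = parts
    expected = hmac.new(secret, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        ts = int(issued_at)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    if now - ts > MAX_AGE_SECONDS or ts > now + 60:
        return None
    return user

def authorize_request(headers, now=None):
    """Serve the request only if it carries a valid SPS-issued token.
    A direct call that merely sets SM_USER or similar plain headers is refused."""
    return verify_identity(headers.get("X-SPS-Auth"), now)
```

Because only SPS and the backend hold the secret, adding or replacing SPS servers no longer requires maintaining source IP lists on the backend.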
Thanks, Ujwol. It is helpful.
Hi Chapati, just to add a little to what Ujwol wrote:
These are also possible:
Cheers - Mark
I faced the same challenges with a centralized SPS server. I would like to share a solution which I implemented.
How to protect java web application hosted on Jboss EAP with CA Single Sign On
Or you can also refer to: What are the secure SiteMinder HTTP Header to pass to Protected Back-end Server (Jboss)