Symantec Access Management

  • 1.  Deploy affwebservices at different location on SPS

    Posted Jun 13, 2016 09:59 AM


    Hi All,

     

      I am using SPS for federation services, I am trying to deploy affwebservices to something like

     

    http://localhost/companyname/affwebservices/assertionretriever

    or

    http://localhost/affwebservices/companyname/assertionretriever

    or

    http://localhost/affwebservicescompanyname/assertionretriever

     

    I tried to copy the content of affwebservices to various folders but that's not working and restarted SPS services, I am not sure if this is the correct way to deploy affwebservices.

    I have also tried to add

    enablefederationgateway="yes"

    fedrootcontext="affwebservices"

    fedrootcontext="companyname"

     

    But it did not help.

     

    Please suggest.

     

    Thank you



  • 2.  Re: Deploy affwebservices at different location on SPS

    Posted Jun 14, 2016 05:55 AM

    Hi Richard,

     

    We should change fedrootcontext="companyname" and access like, http://localhost/companyname/assertionretriever

    but only basic transactions might work, because in our code base we check for url verification, and it's hardcoded to affwebservices, so it may or may not work for all the transactions.

     

    Thanks,

    Sharan



  • 3.  Re: Deploy affwebservices at different location on SPS

    Posted Jun 14, 2016 09:21 AM

    Sharan, as you can see I have already tried that option but it didn't work. The idea of using this format would help identify which customer/partner is hitting Federation services.

    for instance http://localhost/companyA, http://localhost/companyB and further on.

     

    Thank you



  • 4.  Re: Deploy affwebservices at different location on SPS

    Posted Jun 14, 2016 10:21 AM

    Hi Richard,

     

    You could try the option below to achieve this idea.

    You can try with a different host name for customer/partner, so that you are able to track customer/partner based on the virtual host.

    for customer, VH1 like http://vh1.xyz.com/affwebservices

    for Partner, VH2 like http://vh2.xyz.com/affwebservices

     

    Thanks,

    Sharan



  • 5.  Re: Deploy affwebservices at different location on SPS

    Posted Jun 14, 2016 10:32 AM

    We don't want to do that, we know that's the option, but we want to identify using URI not VH "Virtual host"



  • 6.  Re: Deploy affwebservices at different location on SPS
    Best Answer

    Posted Jun 15, 2016 09:25 AM

    Hi Richard,

     

    As I mentioned before, in our code base we check for URL verification, and it's hardcoded to affwebservices. Hence it won't work if we modify the context to something else.

     

    Thanks,

    Sharan



  • 7.  Re: Deploy affwebservices at different location on SPS

    Posted Jun 16, 2016 12:28 PM

    Richard

     

    This is highly non standard and it does complicate the federation solution within SPS with deployment overheads. Not to mention this is something that CA Engineering does not test. Hence this is a non tested configuration. Also as mentioned the code base may have relative URI patterns which are hard coded.

     

    The other alternative I may suggest is playing with proxyrules.xml and nete-case CONTAINS 'uri'. That way we map the frontend URI /companyname/affwebservices to /affwebservices in backend. Again this needs thorough testing for all SAML use cases that the customer needs. At least in this approach proxyrules translate the URI, but the underlying /affwebservices remains in a single spot with the default URIs (that is my guess).

     

    Regards

     

    Hubert



  • 8.  Re: Deploy affwebservices at different location on SPS

    Broadcom Employee
    Posted Jun 16, 2016 03:04 PM

    Hi Richard,

     

    Please check whether this approach would work for you or not:

     

    You can have folders and jsp's under affwebservices application without making any changes to Tomcat's base config files, however you may need to bounce the SPS service once.

     

    Create a custom jsp file called "ssoredirect.jsp" and have the logic to filter/identify the company name and then post the saml request to the OOTB SAML IDP url.

     

    Configuration may look like below:

     

    Step:1

    Location of custom jsp file: /opt/CA/secure-proxy/Tomcat/webapps/affwebservices/ssoredirect.jsp

     

    Step:2

    Change the IDP metadata binding location to the url below (the SP has to post the SAML request to the below url, instead of the OOTB url); the below url will also act as an IDP initiated url:

    https://login.example.com/affwebservices/ssoredirect.jsp?SPID=sp.app1

     

    Step:3

    Have logic and perform string operations as per your requirement on the ssoredirect.jsp page.

     

    Step:4

    On the same custom page, construct url as below and redirect.

     

    https://login.example.com/affwebservices/public/saml2sso?SPID=sp.app1

     

    Note:

    - You can have as many folders/subfolders and files under /affwebservices as per your requirement.

    Also, you may need to take care of:

    - url encode/decode

    - relay state value...etc.

     

    Regards

    Ashok
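
A sketch of the ssoredirect.jsp page from Steps 1 to 4 of the post above, added here as an example; it is not code from the thread or from the vendor. It accepts only SPID values on a fixed allow-list, keeps the redirect host constant instead of deriving it from the request, and URL-encodes what it forwards. The allow-list contents, the partner labels, the `RelayState` parameter name and the length cap are assumptions.

```jsp
<%@ page session="false" import="java.net.URLEncoder, java.util.Map, java.util.HashMap" %>
<%!
    // Redirect target taken from Step 4 of the post. It is a constant and is
    // never built from the Host header or any other request data.
    private static final String SSO_URL =
        "https://login.example.com/affwebservices/public/saml2sso";

    // Assumed allow-list: SPID -> partner label used for tracking.
    // Only "sp.app1" appears in the post; the label is hypothetical.
    private static final Map<String, String> PARTNERS = new HashMap<String, String>();
    static {
        PARTNERS.put("sp.app1", "companyA");
    }

    private static final int MAX_RELAY_STATE = 1024; // assumed cap
%>
<%
    // getParameter() returns the value already URL-decoded by the container.
    String spid = request.getParameter("SPID");
    String partner = (spid == null) ? null : PARTNERS.get(spid);
    if (partner == null) {
        // Unknown or missing SPID: refuse instead of redirecting.
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown SPID");
        return;
    }

    StringBuilder target = new StringBuilder(SSO_URL)
        .append("?SPID=").append(URLEncoder.encode(spid, "UTF-8"));

    // Pass relay state through re-encoded, so it cannot add extra parameters.
    String relayState = request.getParameter("RelayState"); // assumed name
    if (relayState != null && !relayState.isEmpty()) {
        if (relayState.length() > MAX_RELAY_STATE) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "RelayState too long");
            return;
        }
        target.append("&RelayState=").append(URLEncoder.encode(relayState, "UTF-8"));
    }

    // Both logged values come from the allow-list, so the log line is safe.
    application.log("ssoredirect partner=" + partner + " spid=" + spid);
    response.sendRedirect(target.toString());
%>
```

This covers the IdP-initiated redirect only; a SAML request posted by the SP is not forwarded by a plain redirect and would need separate handling and testing.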



  • 9.  Re: Deploy affwebservices at different location on SPS

    Posted Jun 17, 2016 09:39 AM

    Thanks mutas02, will try to follow your suggestion.

    Thanks HubertDennis, I was thinking about proxyrules.xml, will try this option too. I understand the requirement is not out of the box; I was trying to explore if someone in the community has tried this approach, and to get some suggestions.