Symantec Access Management

Hello All,

We are planning to use SharePoint Provider Hosted Apps for SharePoint 2013.
We are using CA SiteMinder as access control.
As you may know, When adding an app to SharePoint, SharePoint will add an url to be used by this app in this form apprefix-{DYNAMIC_GUID}.appdomain.com. So we should register the apps urls as apprefix-*.appdomain.com.

Our team said that it can't be done with Siteminder as wildcard URLs are not allowed in the ACO (see attachement).

So my question is, has someone already used SharePoint Provider hosted apps in a network where SiteMinder is the access control. If yes, how have you configured the appdomain with siteminder??

Thanks in advance.
Regards,
Saf

Hi Saf,

Based on what I have read from Microsoft, what you described use case is more like 
SharePoint 2013 Hosted Apps, rather than SharePoint 2013 Provider Hosted Apps.
https://technet.microsoft.com/en-us/library/fp161236.aspx

These configuration steps result in example app URLs such as the following:
http://Apps-12345678ABCDEF.ContosoApps.com/sites/SiteName/App1Name/Pages/Home.aspx
https://Apps-3456789BCDEFG.ContosoApps.com/sites/SiteName/WebName/App2Name/Default.aspx

As you can see above, the host name can be wild card.
Yes, generally speaking siteminder does not take wildcard in configuration currently by design.

Please file a new idea if that is what you wish for. 

From siteminder side, base on some of use case others had. 
It supports passive request profile and honor wreply.
As such you can do it by configuring 1 partnership per URL.
Another option might be: switch from sharepoint hosted apps to provider hosted apps.

See run book at 

SAP Portal Services 

Thanks,

Hongxu

Hello HongXu,

Thank you for your reply.

We will investigate on what you have suggested; the passive request profile and wreply.

A small remark, it's SharePoint provider hosted apps, where sharepoint URL will be like contoso.com and app Urls will be like app-{GUID}.contoso-appdomain.com.

Thanks again for your help.

Regards,

Safouene

Hi safouene

Were you able to make any progress with that lead.

Thanks...

Hi liuho03

We too have a SharePoint Provider Hosted App that is unable to re-hydrate the user token that is received from SharePoint 2013 Site. Basically, Site Minder agents are setup at my client's location on the SharePoint 2013 front-end servers. The user is authenticated correctly and SharePoint site opens. But the moment user launches PHA app from SharePoint. It passes a user-context token to the PHA app. That app is unable to use that token to callback/access SharePoint data since the token is lost once it is received by the PHA app.

Unlike safouene's case, we only have one domain (e.g. testapp.contoso-app.com) that hosts the PHA web-app. So if wild-card certificates are not used then SiteMinder should not have any problems, as per above conversation. That is not holding true in our case. There are couple of apps that had to move away from Site Minder to a makeshift solution due to pressure from business team. We really would like to know if there are any case-studies or solutions around SharePoint PHA app integration with Site-Minder.

Thanks for your help...

Hi Pravin,

"The user is authenticated correctly and SharePoint site opens. But the moment user launches PHA app from SharePoint...", which means siteminder has done its primary task for authenticating a user. When navigating through the app, somehow "token is lost ", which is data redirect flow problem. Siteminder agent can play a role on this, but most often is due to client side customization, check fcc forms and POST preservation settings. 

You need to find out why token is lost, or which step/component triggers or is responsible for it.

BTW, this is not the same use case as original thread, you should open a new thread of discussion. 

Every integration solution can have its unique problems, with varies requirements from a business team, but I can not see why SiteMinder will prevent SharePoint PHA app integration unless we know the cause of it.

Hongxu

Will open a new thread with exact details. Much appreciate your quick response.

Hi,

I know this is a very old thread, but did you try to get it working with wreply parameter?