Symantec Access Management

Tech Tip : CA Single Sign-On : CA AGW Partnership federation/ configuration assistance would be needed for redirect

  • 1.  Tech Tip : CA Single Sign-On : CA AGW Partnership federation/ configuration assistance would be needed for redirect

    Posted 06-28-2018 03:52 AM

    Issue:

     

    I have installed CA Access Gateway (SPS) 12.7 and I'am testing for
    first time a Parnership Federation with Policy Server 12.7, so that CA
    Access Gateway (SPS) is acting as SAML2 IdP and myseconddomain
    http://www.myseconddomain.com/ is acting as SAML2 SP.

    Login pages are on the CA Access Gateway (SPS).

    When I start login flow from sp.myseconddomain.com, the Authentication
    URL redirects properly to login page where both authentication and
    authrozation are processed successfully and a SMSESSION is created.

    The problem occurs with redirect.jsp. When the browser goes to that
    redirect.jsp page, the browser doesn't get redirected back to the
    Federation Resource /affwebservices/public/saml2sso.

    I have configured the Authentication URL to
    https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp
    in Parnership Federation Configuration.

    In CA Access Gateway (SPS) Federation has been enabled and the
    Authentication URL has been set to default siteminderagent/redirectjsp
    there.

    First login fails because of redirect. In second try when SMSESSION
    exists already login flow is successful. SAML response is returned to
    myseconddomain SP site.

     

    Cause:

     

    From the flow, we see the SMPORTALURL is encrypted :

    https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=dasdSADDQdasDasDEASsDASda223qdasDSasewS%3&RelayState=cookie%3A1529414dsa4d45454&SMPORTALURL=KdleL33sa2slslaxxsldllewsa&SAMLTRANSACTIONID=e1e30973-c7df59c2-9dfds9ce-5rdd355e-7e9ww830-4f


    Here we should see the SMPORTALURL value decrypted.

     

    Resolution:

     

    Disable the "Use Secure URL" option in the Partnership, this will only
    URL Encode the SMPORTALURL value, to avoid the Federation Service to
    redirect the browser to an encrypted target value.


    KB : KB000102821