Symantec Access Management

 View Only
  • 1.  Federation POC setup on the basis of origin of request

    Posted Jul 31, 2018 03:42 AM



    I have a query on federation services. So the infrastructure design is as below:

    1)There is 1 internal access gateway server( designed to handle the request when accessed within the client network) and 1 external aceess gateway server.

    2)There is one policy server 

     The requirement is that an application when accessed internally should be using the IWA flow and when accessed externally should be using form authentication.

    I am trying to setup a poc for the same. I protected the resource(/affwebservices/redirectjsp/redirect.jsp) twice using the agent 1(access gateway 1) and agent 2(access gateway 2) and created one single federation partnership with common base URL. The main query is will this setup work if the domain(utilized in the base URL) has the required DNS configuration to resolve to the appropriate access gateway on the basis of origin of the request. 

    Any help is highly appreciated!##

  • 2.  Re: Federation POC setup on the basis of origin of request

    Broadcom Employee
    Posted Jul 31, 2018 10:29 AM

    What is your SSO version ? starting from SSO 12.7, IWA fallback to form is supported by out of the box.


    Configure IWA Fallback to Forms Using Authentication Chain - CA Single Sign-On - 12.8 - CA Technologies Documentation 


    Just create an agent group and place both the agents and protect your federation realm with fall-back authscheme and agentgroup. This should take care of your requirement by out of the box. i.e., IWA will work for Intranet users and will fall back to forms for external users.

  • 3.  Re: Federation POC setup on the basis of origin of request

    Broadcom Employee
    Posted Aug 01, 2018 11:16 AM

    Aishwarya, Ashok gave a good / quick suggestion for R12.7. I second that. If you're below R12.7 for CA SSO, then the information shared is not sufficient to determine what can go wrong, although it seems fine overall. So, please try it and let us know what the issue /error is, if it happens. And, please open a support case with CA SSSO Support and provide complete detail of your configuration with versions/ platform information for each and every component involved.  In addition, they may need specific logs and traces.

    Thank you. - Vijay

  • 4.  Re: Federation POC setup on the basis of origin of request

    Posted Aug 01, 2018 05:56 PM



    One of the things that I do take into consideration is scenarios that can cause IWA to fail. IWA can fail even when we are accessing from Internal IP ranges e.g. connected to corporate network. One classic example is change in browser settings due to a GPO update. This does not imply that the user is accessing Externally.


    Thus I do prefer segregating traffic internally VS externally, as you have done using an Internal CA AG and External CA AG.


    What I'd do use DNS or LB to split traffic based on client IP. If Client IP is Internal, let DNS or LB route the traffic to Internal CA AG. If Client IP is External, let DNS or LB route the traffic to External CA AG.


    The benefit being, 

    • If request is routed to Internal CA AG and IWA fails on intranet due to browser settings, the user can be presented within an internal single factor login page using the CA SSO OOB IWA fallback to forms (As Ashok suggested). Additionally, If the request gets routed to External CA AG, then I can present a different STRONG authentication scheme e.g. 2FA. I have greater flexibility of applying atleast one additional / different authentication scheme on External CA AG.
    • I feel more comfortable doing the traffic split identification at the DNS or LB end, as those are components which first have access to OR have better access to client IP. The underlying infrastructure often messes up clientIPs as they traverse through firewalls and routers. 


    Hope the 1 cent helps.