I have a query on federation services. So the infrastructure design is as below:
1)There is 1 internal access gateway server( designed to handle the request when accessed within the client network) and 1 external aceess gateway server.
2)There is one policy server
The requirement is that an application when accessed internally should be using the IWA flow and when accessed externally should be using form authentication.
I am trying to setup a poc for the same. I protected the resource(/affwebservices/redirectjsp/redirect.jsp) twice using the agent 1(access gateway 1) and agent 2(access gateway 2) and created one single federation partnership with common base URL. The main query is will this setup work if the domain(utilized in the base URL) has the required DNS configuration to resolve to the appropriate access gateway on the basis of origin of the request.
Any help is highly appreciated!##
What is your SSO version ? starting from SSO 12.7, IWA fallback to form is supported by out of the box.
Configure IWA Fallback to Forms Using Authentication Chain - CA Single Sign-On - 12.8 - CA Technologies Documentation
Just create an agent group and place both the agents and protect your federation realm with fall-back authscheme and agentgroup. This should take care of your requirement by out of the box. i.e., IWA will work for Intranet users and will fall back to forms for external users.
Aishwarya, Ashok gave a good / quick suggestion for R12.7. I second that. If you're below R12.7 for CA SSO, then the information shared is not sufficient to determine what can go wrong, although it seems fine overall. So, please try it and let us know what the issue /error is, if it happens. And, please open a support case with CA SSSO Support and provide complete detail of your configuration with versions/ platform information for each and every component involved. In addition, they may need specific logs and traces.
Thank you. - Vijay
One of the things that I do take into consideration is scenarios that can cause IWA to fail. IWA can fail even when we are accessing from Internal IP ranges e.g. connected to corporate network. One classic example is change in browser settings due to a GPO update. This does not imply that the user is accessing Externally.
Thus I do prefer segregating traffic internally VS externally, as you have done using an Internal CA AG and External CA AG.
What I'd do use DNS or LB to split traffic based on client IP. If Client IP is Internal, let DNS or LB route the traffic to Internal CA AG. If Client IP is External, let DNS or LB route the traffic to External CA AG.
The benefit being,
Hope the 1 cent helps.