Symantec Access Management

Tech Tip : CA Single Sign-On : Issue regarding SSO application working on Reverse proxy DNS


    Broadcom Employee
    Posted 06-01-2018 04:13 AM

    Issue:


    One of our SSO applications is reached through a reverse proxy DNS
    name. After the 15-minute idle timeout, the reverse proxy DNS name
    appears in the URL automatically. It should not appear, because we
    don't want to expose the reverse proxy DNS name.

    The journey I'm explaining here:

    1. First we hit the portal www.example.mydomain.com, which authenticates
    against LDAP and authorizes against ODBC.

    2. After successfully logging in to the portal, we launch the SSO
    application, for example www.example.mydomain.com/sso_application.

    3. After launching the SSO application it does not ask for login, as it
    uses the same SMSESSION cookie.

    4. For 15 minutes the URL remains www.example.mydomain.com/sso_application.

    5. After 15 minutes the URL changes automatically to the reverse proxy DNS
    name we have configured in Apache, e.g.
    www.host.mytestdomain.com/sso_application, which we don't want to happen.

    Portal configurations are done on the Apache web server, whereas the SSO
    application is configured on the IIS web server.

     

    Cause:

    As seen, the HTTP_HOST is changed when the request arrives at the Web
    Agent, and that's why the Web Agent puts it as the target.

    We've seen that httpd.conf has ProxyPreserveHost set to Off, which is
    mainly causing the issue.

    The backend server should be referencing the reverse proxy server
    hostname. You can enable the ProxyPreserveHost setting in the virtual
    host setup, as this passes the original Host: header as sent by the
    user across to the backend.

     

    ProxyPreserveHost Directive

    "When enabled, this option will pass the Host: line from the incoming
    request to the proxied host, instead of the hostname specified in the
    ProxyPass line.

    This option should normally be turned Off. It is mostly useful in
    special configurations like proxied mass name-based virtual hosting,
    where the original Host header needs to be evaluated by the backend
    server."

    https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypreservehost

     

    Also find below a CA Communities thread with some useful information
    regarding the ProxyPreserveHost setup:

    "If you have set 'ProxyPreserveHost On' on your apache then the
    HTTP_HOST(www.apache.com) header value will be forwarded to SPS.

    And if your SPS did not have that hostname registered in the
    virtualhost configuration then that error is expected."

    https://communities.ca.com/thread/241781693-can-ca-secure-proxy-server-access-gateway-be-used-as-a-backend-server

     

    Resolution:

    In the Apache reverse proxy configuration, set ProxyPreserveHost to On
    to solve the issue.
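    As an added example (not configuration from the original post), here is a
    minimal Apache 2.4 reverse proxy virtual host for the portal hostname from
    the post, showing the setting that reproduces the symptom next to the
    corrected one. The hostnames are the ones used in the post; the listen
    port, the paths on the ProxyPass lines and the use of plain HTTP towards
    the IIS backend are assumptions. The directive only accepts the values On
    and Off, as in the linked documentation.

```apache
# Apache reverse proxy in front of the IIS server that hosts /sso_application.
# www.example.mydomain.com (portal) and www.host.mytestdomain.com (reverse proxy
# DNS name used as the ProxyPass target) are taken from the post; the port and
# paths are assumed.
<VirtualHost *:443>
    ServerName www.example.mydomain.com

    # Symptom: with ProxyPreserveHost Off (the default), mod_proxy replaces the
    # Host: header with the hostname from the ProxyPass target. The Web Agent on
    # IIS therefore sees HTTP_HOST = www.host.mytestdomain.com and uses it when it
    # builds the redirect target after the idle timeout, so the reverse proxy
    # DNS name ends up in the browser's address bar.
    # ProxyPreserveHost Off

    # Fix: forward the Host: header exactly as the user sent it, so the Web Agent
    # builds its redirect with www.example.mydomain.com.
    ProxyPreserveHost On

    ProxyPass        /sso_application http://www.host.mytestdomain.com/sso_application
    # ProxyPassReverse rewrites Location: headers that the backend itself emits
    # with the backend hostname, which covers redirects the agent does not build.
    ProxyPassReverse /sso_application http://www.host.mytestdomain.com/sso_application
</VirtualHost>
```

    After enabling the setting, the IIS site and the Web Agent on the
    backend receive requests whose Host: header is www.example.mydomain.com,
    so that hostname must be accepted there; the quoted CA Communities
    thread describes the error you get when the backend does not have the
    forwarded hostname registered. To confirm the change took effect, send a
    request through the proxy and check the Host value the backend logs.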


    KB : KB000099431