Layer 7 Access Management

Expand all | Collapse all

How to ignore "localhost" in CA siteminder

  • 1.  How to ignore "localhost" in CA siteminder

    Posted 10-26-2018 05:18 AM

    I tried below step to ignore local host but still getting SSO login page.

     

    Added "localhost:80" and "127.0.0.1:80' in application ACO IgnoreHost attribute.

     

    ignorehost='localhost:80'
    ignorehost='127.0.0.1:80'

     

    In google i found that "SiteMinder resolves localhost to the computer name before checking the IgnoreHost value, so adding "localhost" will not exempt local connections". My requirement is i have to ignore localhost only not entire host.

     

    Note : Entire root(/) is protected in application SSO policy.

     

    Please suggest some process to ignore localhost.

     

     



  • 2.  Re: How to ignore "localhost" in CA siteminder

    Posted 10-26-2018 09:02 AM

    JettyPraveen

     

     

    I'd recommend looking at your /etc/hosts file to see what is configured in there. Typically you'd need something like this.

     

    10.x.x.x   dns.company.com

    127.0.0.1   localhost    servername.company.com

     

    Now try using IgnoreHost ACO Parameter. If it still doesn't work, remove IgnoreHost and try below.

     

    One of the suggestion I'd recommend is to use  "AgentName" parameter in ACO.

    Basic Agent Setup and Policy Server Connections - CA Single Sign-On - 12.8 - CA Technologies Documentation 

    Create three WebAgent Object in WAMUI, e.g. wa_dns, wa_localhost and wa_server.

    Edit your ACO, disable DefaultAgentName, Enable AgentName as Multi-Value Attribute.

    wa_dns,dns.company.com

    wa_localhost,localhost

    wa_server,servername.company.com

    Now map only wa_dns to the realm protecting /*

     

     

    Regards

    Hubert



  • 3.  Re: How to ignore "localhost" in CA siteminder

    Posted 10-26-2018 04:43 PM

    On this question, what if we take a step back from CA SSO and look at the Web Server itself. Is it IIS or Apache?

     

    To me the best solution is for the Web Server not to bind to *.

    So in the Apache httpd.conf instead of Listen 80, specify the ip address, Listen 10.x.x.x:80.

    In IIS you would go to the Site Bindings and change the IP Address from * to 10.x.x.x:80

     

    Hope this helps!