Symantec Access Management

  • 1.  Dynamic Authentication URL in SAML2 Federation Partnership?

    Posted Mar 12, 2019 01:17 AM

    Dear Experts,


    As we are using two different FQDNs/hostnames for internal and external, is there any way to configure this Authentication URL with a URI instead of a full URL?


    Please advise. 




  • 2.  Re: Dynamic Authentication URL in SAML2 Federation Partnership?
    Best Answer

    Broadcom Employee
    Posted Mar 15, 2019 09:56 PM

    Hi Narendra,


    No, the Authentication URL must be a fully formed URL and not a relative URI.


    What you can do is make the Authentication URL an active page that detects whether the user is internal/external, then redirects the user to a URL that is protected with the appropriate auth scheme for the user type. Keep in mind the user will need to be returned to saml2sso with their original query parameters after authentication. You may be able to leverage the out-of-the-box redirect.jsp to accomplish some of this. For SP-initiated POST requests, the TransactionID needs to be on the query string upon return to saml2sso after authentication (if you study the behavior of the out-of-the-box redirect.jsp, you will understand how the request needs to be formatted after authentication).


    An alternative to this is to protect the saml2sso URL instead of relying on the Authentication URL. This method ensures the user always has a session upon accessing saml2sso, while allowing the auth scheme protecting the page to use a relative URI in the auth scheme. Since internal/external users use different FQDNs, this would also allow you to use a different realm, and thus a different authentication scheme, for each user type.
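Sketch of the first approach in the reply above (the "active page" sitting at the Authentication URL), as an added Python example that is not code from this thread or from Broadcom: it picks the internal or external protected login page from the FQDN the user arrived on, carries the saml2sso URL with its original query string (TransactionID included) through the hop, and validates that URL before the protected page redirects back, so the carried parameter cannot be turned into an open redirect. The two FQDNs, the protected page paths, the saml2sso path and the `return` parameter name are assumptions; how the real redirect.jsp formats the return request should be confirmed against the product.

```python
# Added example (not Broadcom code): routing logic for a SiteMinder
# Authentication URL page that serves two FQDNs. Hostnames, paths and the
# "return" parameter name are assumptions, not values from the thread.
from urllib.parse import urlsplit, quote, parse_qs

# Assumed: the two FQDNs in use and the auth-scheme-protected page behind each.
# Keying on an allowlist of Host values means an unexpected Host header is
# rejected instead of being reflected into a redirect.
PROTECTED_PAGE_BY_HOST = {
    "sso.corp.example.internal": "https://sso.corp.example.internal/protected/internal/login",
    "sso.example.com": "https://sso.example.com/protected/external/login",
}
SAML2SSO_PATH = "/affwebservices/public/saml2sso"  # assumed saml2sso endpoint path
RETURN_PARAM = "return"  # assumed name of the parameter carrying the resume URL


class RejectedRequest(Exception):
    """Raised when a request cannot be routed safely."""


def build_auth_redirect(host_header: str, original_query: str) -> str:
    """Location value the Authentication URL page answers with.

    host_header:    Host header of the incoming request (untrusted; any port is
                    stripped and the name matched against the allowlist)
    original_query: raw query string the user arrived with; carried unchanged
                    so TransactionID and any other parameters reach saml2sso
                    again once the user has a session
    """
    host = host_header.strip().lower().split(":")[0]
    protected_page = PROTECTED_PAGE_BY_HOST.get(host)
    if protected_page is None:
        raise RejectedRequest(f"unexpected Host header: {host_header!r}")
    resume_url = f"https://{host}{SAML2SSO_PATH}"
    if original_query:
        resume_url += "?" + original_query
    # safe='' percent-encodes '/', '?', '&' and '=' so the nested query survives
    return f"{protected_page}?{RETURN_PARAM}={quote(resume_url, safe='')}"


def resume_url_from_redirect(location: str) -> str:
    """Decoded RETURN_PARAM value, i.e. what the protected page receives."""
    return parse_qs(urlsplit(location).query)[RETURN_PARAM][0]


def resume_location(return_value: str) -> str:
    """Location value the protected page sends once the user has a session.

    Only an https saml2sso URL on one of our own FQDNs is accepted, so the
    carried parameter cannot be abused as an open redirect (a userinfo trick
    such as https://sso.example.com@evil.net/... yields hostname evil.net and
    is rejected).
    """
    parts = urlsplit(return_value)
    if parts.scheme != "https" or parts.hostname not in PROTECTED_PAGE_BY_HOST:
        raise RejectedRequest("return URL does not point at an allowed FQDN")
    if parts.path != SAML2SSO_PATH or parts.fragment:
        raise RejectedRequest("return URL does not point at saml2sso")
    return return_value


def has_transaction_id(resume_url: str) -> bool:
    """True when the resume URL still carries TransactionID, which SP-initiated
    POST requests need on the query string when they return to saml2sso."""
    return "TransactionID" in parse_qs(urlsplit(resume_url).query)


if __name__ == "__main__":
    # Constructed request: external FQDN, query string as received
    hop1 = build_auth_redirect("sso.example.com", "TransactionID=abc123&SPID=sp1")
    print("auth page ->", hop1)
    resume = resume_url_from_redirect(hop1)
    print("after login ->", resume_location(resume), "TransactionID kept:", has_transaction_id(resume))
```

Two caveats a practitioner would add: the Host header only tells you which FQDN the client used, not that the client is actually on the internal network, so the internal FQDN still has to be unreachable from outside; and because the first page is itself unauthenticated, every value it echoes into a Location header (Host, the carried return URL) must be allowlisted as above rather than trusted.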




  • 3.  Re: Dynamic Authentication URL in SAML2 Federation Partnership?

    Posted Mar 17, 2019 11:04 PM

    Hi Pete,


    Thanks for your suggestions (very helpful), really appreciated.