Symantec Access Management

  • 1.  CA Gateway (aco, cookie-provider) Federation

    Posted Oct 19, 2019 12:01 PM
    Edited by goutham reddy Anireddy Oct 19, 2019 12:05 PM
    Hi All,

    Maybe I did the configuration wrongly; I would like to understand better how CA Gateway acts as a Service Provider (multiple ACOs).
    I am trying to separate the configuration based on applications.

    My configuration (hard to write down, but I will try to make it clear):

    2 AGENT NAME (dev.smspsui.com, dev.partners.com)
    2 ACO (dev_aco_smspsui.com, dev_aco_partners.com)
    2 Virtual hosts (dev.smspsui.com, dev.partners.com) -------------> server.conf
    proxyrules.xml ----------(configured to back end apps on IIS)


    https://dev.xxxxxxx.com/affwebservices/assertionretriever    ------------------> is giving the same output


    dev.smspsui.com to use with proxy UI only
    dev.partners.com (actual application)

    Now the ISSUE time.

    1. In the above-mentioned ACOs, I set the cookie provider to .smspsui.com and .partners.com respectively.
    2. The .partners.com set in dev_aco_partners.com is not honored: when I access the application IDP-initiated, the login page is prompted again at the SP side (because the cookie is set to .smspsui.com).
      wrong domain set
    3. The application works once the cookie domain is set to .partners.com in dev_aco_smspsui.com.
      cookie domain

    QUESTION TIME:

    1. Is the cookie domain set in dev_aco_partners.com not honored?
    2. Apart from separate logging, is there no use in having a separate ACO for each VHOST?
    3. Is some configuration done wrong?
    4. Is it possible to disable the Federation service on the default site dev.smspsui.com and enable the Federation service only on dev_aco_partners.com?

    ------------------------------
    Regards,
    Gowtham.
    ------------------------------


  • 2.  RE: CA Gateway (aco, cookie-provider) Federation
    Best Answer

    Broadcom Employee
    Posted Oct 21, 2019 10:58 PM
    Hi Gowtham,

    I am not quite understanding your use case.
    You have 2 domains but one is used for proxyui only, which means you only have 1 cookie domain for federation, which is .partners.com.
    And in your federation use case, why would you need the smspsui.com?
    Are you federating between smspsui.com and partners.com?

    When both IDP and SP are SiteMinder you must ensure the sessions are not overwritten by each other.

    Best to share a fiddler trace demonstrating the problem.
    Just ensure you mask the username/password or replace them manually after capture if you are concerned about it.

    ------------------------------
    Support Engineer 5
    Broadcom
    ------------------------------
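    One way to read such a trace for the symptom described in this thread, as an added example that is not part of the original post or Broadcom's code: it walks captured responses (modelled on a Fiddler export) and reports every session cookie whose Domain attribute the requesting host cannot match, which is exactly why the SP prompts for login again. The cookie name SMSESSION, the host-to-domain map mirroring the two ACOs, and the sample capture are assumptions constructed for the example.

```python
"""Report session cookies whose Domain attribute the requesting host cannot match.
Added example for the thread above, not Broadcom code; input models a Fiddler export."""

# Assumed expected cookie domain per virtual host, mirroring the thread's two ACOs.
EXPECTED_COOKIE_DOMAIN = {
    "dev.smspsui.com": ".smspsui.com",
    "dev.partners.com": ".partners.com",
}

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attr_lower: attr_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or is a subdomain of it."""
    dom = cookie_domain.lower().lstrip(".")
    return host.lower() == dom or host.lower().endswith("." + dom)

def check_responses(responses, expected=EXPECTED_COOKIE_DOMAIN, cookie_name="SMSESSION"):
    """Return (host, domain_seen, reason) for each session cookie scoped to the wrong domain."""
    findings = []
    for host, header_lines in responses:
        for line in header_lines:
            if not line.lower().startswith("set-cookie:"):
                continue
            name, _, attrs = parse_set_cookie(line.split(":", 1)[1])
            if name != cookie_name:
                continue
            domain = attrs.get("domain", "")  # empty means a host-only cookie
            want = expected.get(host)
            if domain and not domain_matches(host, domain):
                findings.append((host, domain, "browser will not send this cookie back to the host"))
            elif want and domain.lower() != want.lower():
                findings.append((host, domain or "(host-only)", f"ACO for this host should set {want}"))
    return findings

# Constructed sample capture (requested host, response header lines); the second
# response reproduces the thread's symptom: dev.partners.com gets a .smspsui.com cookie.
SAMPLE_CAPTURE = [
    ("dev.smspsui.com", ["HTTP/1.1 302 Found",
        "Set-Cookie: SMSESSION=AbC123==; Domain=.smspsui.com; Path=/; Secure; HttpOnly"]),
    ("dev.partners.com", ["HTTP/1.1 302 Found",
        "Set-Cookie: SMSESSION=XyZ789==; Domain=.smspsui.com; Path=/; Secure; HttpOnly"]),
]
```

Running `check_responses(SAMPLE_CAPTURE)` returns one finding for dev.partners.com, matching the thread's observation that the cookie was scoped to .smspsui.com rather than .partners.com.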



  • 3.  RE: CA Gateway (aco, cookie-provider) Federation

    Posted Nov 01, 2019 02:18 AM
    Hi Kim,

    Sorry for the delay in response.
    Sure, will share the fiddler trace.

    Both IDP and SP are SiteMinder only; one server acts as IDP and the other server acts as SP.

    Regards,
    Gowtham.

    ------------------------------
    Regards,
    Gowtham.
    ------------------------------