Symantec Access Management

  • 1.  SiteMinder: Authentication Scheme Question refresh info

    Posted May 12, 2020 04:26 PM
    Hi,

    In our federation authentication scheme, we have set it to use a relative target.

    When I did a network trace, I noticed that traffic always goes to http://<hostname>/<logintargeturl> first and then redirects to https://<hostname>/<logintargeturl>


    I'm just wondering whether it is possible to let traffic go directly to https://<hostname>/<logintargeturl> while using a relative target.
    We don't want to set up the web server name and port number and then click the "use SSL connection" function.

    Thanks

    Mark


  • 2.  RE: SiteMinder: Authentication Scheme Question refresh info

    Broadcom Employee
    Posted May 13, 2020 01:55 AM
    Hi Mark

    I am not sure what kind of federation authentication scheme you used. Let me share my test result based on HTML form login.

    1. I have set up HTML Form login with a relative target URL.

    2. I have protected the federation URL with HTML form login.

    3. I have accessed the IDP-initiated login URL.
        e.g.  https://siteminder.demo-broadcom.com/affwebservices/public/saml2sso?SPID=IAMShowcase
        My web trace log does not show any HTTP redirection.

    The product itself does not redirect to HTTP.  Hence, the issue might be related to the network, the application or another configuration issue.

    I think that it is better to open a case and provide the related log information. Then, Broadcom support team can help you.

    Kind regards

    B.K.



  • 3.  RE: SiteMinder: Authentication Scheme Question refresh info

    Posted May 13, 2020 10:31 AM
    B.K.,

    Thanks for your information.  I have exactly the same setting as yours.

    But I don't understand why my traffic goes to http first. We are using the SiteMinder reverse proxy server to handle the federation. Are you also using a reverse proxy server?
    I know it has an Apache web server, and maybe I need to make a change in that Apache web server to force traffic to go to https? I am not really sure.
    But right now I'm just wondering, from the SSO Authentication Scheme, is it possible to force the use of an SSL connection even when we use a relative target?

    Thanks

    Mark


  • 4.  RE: SiteMinder: Authentication Scheme Question refresh info
    Best Answer

    Broadcom Employee
    Posted May 14, 2020 12:12 AM
    Hi Mark

    I have tested with Access Gateway (Secure Proxy Server).

    Would you provide more detailed information about your reverse proxy?

    - Do you have an Apache web server in front, with the application server (Tomcat) behind it? Then, can you share the Apache version?

    - How does the reverse proxy server communicate with reverse proxy server?  In other words, do you use mod_jk or are you using mod_proxy_http?

    - Do you have a load balancer in front of the Apache web server? In that case, did you set up end-to-end SSL?

    There are various factors to check for why it is redirected from https to http.  Fiddler or another network packet capturing tool will be helpful for the troubleshooting.

    Kind regards

    B.K.
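
To pin down which hop changes scheme in a capture from Fiddler or a browser, the redirect chain can be read from a HAR export. This is an added example, not part of the thread or the product; the host `sso.example.test`, the helper names and the trace are constructed, with `/logintargeturl` standing in for the real login target.

```python
from urllib.parse import urljoin, urlsplit

def entry(url, status, location=None):
    """Build a minimal HAR entry (constructed sample data)."""
    headers = [{"name": "Location", "value": location}] if location else []
    return {"request": {"url": url},
            "response": {"status": status, "headers": headers}}

# Constructed trace shaped like the symptom in the thread; host is a placeholder.
SAMPLE_HAR = {"log": {"entries": [
    entry("https://sso.example.test/affwebservices/public/saml2sso?SPID=IAMShowcase",
          302, "http://sso.example.test/logintargeturl"),
    entry("http://sso.example.test/logintargeturl",
          301, "https://sso.example.test/logintargeturl"),
    entry("https://sso.example.test/logintargeturl", 200),
]}}

def redirect_hops(har):
    """Yield (status, from_url, to_url, verdict) for every 3xx response."""
    for e in har["log"]["entries"]:
        resp = e["response"]
        if not 300 <= resp["status"] < 400:
            continue
        loc = next((h["value"] for h in resp["headers"]
                    if h["name"].lower() == "location"), None)
        if loc is None:
            continue
        src = e["request"]["url"]
        # A relative Location inherits the scheme of the request URL, so an
        # absolute http:// value here was built by some component on the path.
        dst = urljoin(src, loc)
        a, b = urlsplit(src).scheme, urlsplit(dst).scheme
        verdict = ("downgrade" if (a, b) == ("https", "http")
                   else "upgrade" if (a, b) == ("http", "https")
                   else "same-scheme")
        yield resp["status"], src, dst, verdict

def downgrades(har):
    """Return only the hops that leave HTTPS for cleartext HTTP."""
    return [h for h in redirect_hops(har) if h[3] == "downgrade"]

if __name__ == "__main__":
    for status, src, dst, verdict in redirect_hops(SAMPLE_HAR):
        print(f"{verdict:11} {status} {src} -> {dst}")
```

A "downgrade" hop identifies the response whose `Location` header was written with `http://`; the server or proxy that produced that response is where to look next.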