Symantec Access Management


Openid Connect Authentication URL for different UserStores and Authenticationlevels

  • 1.  Openid Connect Authentication URL for different UserStores and Authenticationlevels

    Posted 11-06-2019 07:12 AM
    Hi!
    We are starting to use OIDC and are now facing a design issue.
    In SAML we have about 20 different authentication URLs, where we have copied redirect.jsp to different JSPs and set different realms, auth schemes, levels and policies with different user stores etc.

    When I look at OIDC I only see one URL: /affwebservices/secure/secureredirect

    Is it possible to add more auth URLs, and if so, what is the recommended/supported way to do that?

    /Per

    ------------------------------
    Per Ågren
    City of Stockholm

    ------------------------------


  • 2.  RE: Openid Connect Authentication URL for different UserStores and Authenticationlevels
    Best Answer

    Posted 11-13-2019 12:41 PM
    Hi Per,

    Yes, you can change it. Please refer to the text below: you need to modify the web.xml as indicated and add additional mappings.
    In Access Gateway, you can find the web.xml under CA/secure-proxy/Tomcat/webapps/affwebservices/WEB-INF

    Use Secure URL
    This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
    If you select the Use Secure URL check box, complete the following steps:
    1. Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
    2. Protect the secureredirect web service with a policy.
    If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner.
    To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. Locate the web.xml file in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.

    Thanks
    Joe
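
Worked example of the web.xml change the answer above describes (added here as an illustration; it is not code from the thread or from the Broadcom documentation). It keeps the single shipped secureredirect servlet and adds extra url-pattern mappings to it, so that each path can be placed in its own realm with its own authentication scheme, user directory and protection level. Assumptions: the servlet-name `secureredirect` is assumed to be the name the existing mapping in your web.xml declares (reuse whatever name is actually there and do not add a second `<servlet>` element); the added path names are illustrative.

```xml
<!-- Added example, not from the original thread or the product docs.
     File: CA/secure-proxy/Tomcat/webapps/affwebservices/WEB-INF/web.xml
     url-pattern values are relative to the affwebservices context, so
     /secure/secureredirect is reached as /affwebservices/secure/secureredirect. -->

<!-- Existing mapping shipped with affwebservices (servlet-name is an assumption). -->
<servlet-mapping>
    <servlet-name>secureredirect</servlet-name>
    <url-pattern>/secure/secureredirect</url-pattern>
</servlet-mapping>

<!-- Added mappings: one distinct path per user store / authentication level.
     Each one points at the same servlet; only the resource path differs,
     which is what lets the Policy Server put each path in a different realm. -->
<servlet-mapping>
    <servlet-name>secureredirect</servlet-name>
    <url-pattern>/secure-employees/secureredirect</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>secureredirect</servlet-name>
    <url-pattern>/secure-citizens-level2/secureredirect</url-pattern>
</servlet-mapping>
```

After restarting the Access Gateway's Tomcat, point each OIDC or federation configuration's Authentication URL at the matching path (for example http(s)://idp_server:port/affwebservices/secure-employees/secureredirect) and create a realm plus policy for each path on the Policy Server. Check each new path before exposing it: an unauthenticated request to it should be challenged by the agent, because a mapping that is not covered by a policy is an unprotected redirector rather than an authentication URL. Keep a record of the edit, since a product upgrade can replace the shipped web.xml.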


  • 3.  RE: Openid Connect Authentication URL for different UserStores and Authenticationlevels

    Posted 11-13-2019 12:42 PM
    Forgot to post the link to the guide:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/using/administrative-ui/legacy-federation-reference/saml-1-x-affiliate-dialog-reference/affiliate-general-settings.html