Symantec Access Management

  • 1.  Openid Connect Authentication URL for different UserStores and Authenticationlevels

    Posted Nov 06, 2019 07:12 AM
    Hi!
    We are starting to use OIDC and are now facing a design issue.
    In SAML we have about 20 different authentication URLs, where we have copied redirect.jsp to different jsps and set different realms, authschemes, levels and policies with different userstores etc.

    When I look at OIDC I only see one URL: /affwebservices/secure/secureredirect

    Is it possible to add more Auth URLs, and if so, what is the recommended/supported way to do that?

    /Per

    ------------------------------
    Per Ågren
    City of Stockholm

    ------------------------------


  • 2.  RE: Openid Connect Authentication URL for different UserStores and Authenticationlevels
    Best Answer

    Broadcom Employee
    Posted Nov 13, 2019 12:41 PM
    Hi Per,

    Yes, you can change it. Please refer to the text below: you need to modify the web.xml as indicated and add additional mappings.
    In Access Gateway, you can find the web.xml under CA/secure-proxy/Tomcat/webapps/affwebservices/WEB-INF

    Use Secure URL
    This setting instructs the single sign-on service to encrypt only the SMPORTALURL query parameter. An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.
    If you select the Use Secure URL check box, complete the following steps:
    1. Set the Authentication URL field to the following URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
    2. Protect the secureredirect web service with a policy.
    If the asserting party serves more than one relying partner, the asserting party probably authenticates different users for these different partners. As a result, for each Authentication URL that uses the secureredirect service, include this web service in a different realm for each partner.
    To associate the secureredirect service with different realms, modify the web.xml file and create different resource mappings. Do not copy the secureredirect web service to different locations on your server. Locate the web.xml file in the directory web_agent_home/affwebservices/WEB-INF, where web_agent_home is the installed location of the web agent.

    Thanks 
    Joe


  • 3.  RE: Openid Connect Authentication URL for different UserStores and Authenticationlevels

    Broadcom Employee
    Posted Nov 13, 2019 12:42 PM
    Forgot to post the link to the guide.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/using/administrative-ui/legacy-federation-reference/saml-1-x-affiliate-dialog-reference/affiliate-general-settings.html


  • 4.  RE: Openid Connect Authentication URL for different UserStores and Authenticationlevels

    Posted Dec 18, 2019 04:32 PM
    Thanks.
    A very clear and useful answer.
    Sorry for the late reply, but this is my first implementation due to the upgrade of policy servers, Access Gateways and much more.

    When I read the web.xml I saw that .../secure/secureredirect/* was mapped, so it was just to add my different companies and organisations to that like this:

    https://oidc.domain.se/affwebservices/secure/secureredirect/company1,
    https://oidc.domain.se/affwebservices/secure/secureredirect/company2,
    https://oidc.domain.se/affwebservices/secure/secureredirect/organization1

    and create realms with different authschemes, policies and so on.
    So I really did not need to edit the web.xml and the mapping.

    This made my day !!
    Thanks!
    /Per


    ------------------------------
    Senior System Architect
    Tieto
    ------------------------------
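As an added illustration of why the existing wildcard mapping covered Per's company-specific URLs (this is example code written for this page, not Broadcom's or the posters' code): a small resolver that applies the Servlet spec's url-pattern rules (exact match first, then longest "/prefix/*") to decide which servlet Tomcat hands a path to, and a simplified longest-prefix realm lookup standing in for the policy server's realm selection. The mappings, realm names and paths are constructed for the example; the realm-matching rule is an assumption.

```python
# Added example, not from the thread or from Broadcom's product code.
# Separates the two decisions involved in a secureredirect URL:
#   1) Tomcat: which <url-pattern> in web.xml serves the path (Servlet spec rules)
#   2) Policy server: which realm's resource filter protects the request URI
#      (modelled here as longest-prefix match; this is a simplifying assumption)
from typing import Dict, Optional, Tuple

# Constructed web.xml mappings: url-pattern -> servlet-name.
# The first is the stock wildcard Per found; the second mirrors post 5's addition.
SERVLET_MAPPINGS: Dict[str, str] = {
    "/secure/secureredirect/*": "secureredirect",
    "/secure/secureredirect/apigee/staff/*": "secureredirect",
}

# Constructed realm resource filters -> realm name (hypothetical realm names).
REALMS: Dict[str, str] = {
    "/affwebservices/secure/secureredirect/company1": "company1-realm",
    "/affwebservices/secure/secureredirect/company2": "company2-realm",
    "/affwebservices/secure/secureredirect/apigee/staff": "staff-realm",
}

CONTEXT = "/affwebservices"  # Tomcat context path of the web application


def match_servlet(path_in_context: str) -> Optional[str]:
    """Servlet-spec resolution: an exact pattern wins; otherwise the longest
    '/prefix/*' whose prefix is the whole path or is followed by '/'.
    None means no servlet is mapped and Tomcat answers 404."""
    if path_in_context in SERVLET_MAPPINGS:
        return SERVLET_MAPPINGS[path_in_context]
    best = None
    for pattern in SERVLET_MAPPINGS:
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path_in_context == prefix or path_in_context.startswith(prefix + "/"):
                if best is None or len(pattern) > len(best):
                    best = pattern
    return SERVLET_MAPPINGS[best] if best else None


def match_realm(full_path: str) -> Optional[str]:
    """Assumed realm selection: the most specific (longest) resource filter that
    prefixes the request URI, so /company1 and /company2 land in different realms."""
    hits = [f for f in REALMS if full_path == f or full_path.startswith(f + "/")]
    return REALMS[max(hits, key=len)] if hits else None


def resolve(full_path: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (servlet, realm) for a request URI; (None, None) outside the context."""
    if not full_path.startswith(CONTEXT + "/"):
        return None, None
    return match_servlet(full_path[len(CONTEXT):]), match_realm(full_path)
```

Running it over the thread's URLs shows the stock `/secure/secureredirect/*` pattern already reaches the servlet for every sub-path, so the per-company URLs only needed their own realms and policies on the policy server side.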



  • 5.  RE: Openid Connect Authentication URL for different UserStores and Authenticationlevels

    Posted Jun 24, 2020 11:02 PM
    Hello All, 

    I have added the below mapping and created the corresponding policies. Could you please help me understand why I am getting a 404 after successful authentication?

    Web.xml

    <servlet-mapping>
        <servlet-name>secureredirect</servlet-name>
        <url-pattern>/secure/secureredirect/apigee/staff/*</url-pattern>
    </servlet-mapping>

    Protected resource: /secure/secureredirect/apigee/staff/auth