Symantec Access Management

Expand all | Collapse all

CA SSO and CA Strong Auth 2FA journey with same URL

Jump to Best Answer
  • 1.  CA SSO and CA Strong Auth 2FA journey with same URL

    Posted 08-14-2019 09:53 AM
    Hi Team,

    We have a solution where we have integrated CA SSO and CA Strong auth for 2 factor authentication. When the user accesses the agent based protected application he is redirected to login server URL (acl) where the user enters the user ID and password. After that the user is redirected to 2FA Jboss adapter server URL(acreg) where the user enters the OTP.
    We want to enable this journey over the internet but we have public IP and external certificate only for acl and not for acreg.
    So we are trying the enable this journey only using the login server acl URL. The login server is on IIS and it has web agent installed.
    We have created a new website in IIS and configured it as a reverse proxy. The rule written is such that any request on this website will forward it to the Jboss Adapter server. In the policy server adaptershim.ini file instead of directly entering the adapter URL in the ArcotAFMLandingURL parameter we have mentioned the login server IIS URL and port where we have written the rewrite rule.
    When testing through IIS we are able to reach the jboss console landing page. However we are not able to reach the context /arcotafm/master.jsp via IIS rule configured.
    Due to this after making changes in adaptershim.ini file the request is failing.
    Please let us know if this approach is correct one or not and how to resolve the issue we are facing.
    Prompt response from the community will be highly appreciated.

    Nawaz Shaikh

  • 2.  RE: CA SSO and CA Strong Auth 2FA journey with same URL
    Best Answer

    Broadcom Employee
    Posted 08-19-2019 10:22 AM

    Yes, it is possible to use a reverse proxy in front of the Strong Auth Adapter AFM.  I haven't used IIS reverse proxy, but I have used SiteMinder's Access Gateway and I'm aware of other implementations using an apache reverse proxy.

    One thing to look out for is sometimes the backend host may perform a redirect to itself which may bypass the proxy.  You may need to enter the backend host name in configuration to prevent the redirect.  On the SiteMinder Access Gateway this is called "redirectrewritablehostnames"