Idea Details

CA SPS - Block access to Federated Web Apps on Virtual Host Basis

03-16-2016 12:32 PM

Hi all


I would like to open an enhancement request to disallow access to the federation web apps on a per Virtual Host basis inside the SPS server.conf.

Currently the server.conf supports the following options.


<federation>
    enablefederationgateway="yes"
    fedrootcontext="affwebservices"
    authurlcontext="siteminderagent/redirectjsp"
    allowlinking="yes"
    protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
</federation>


For example, in this use case three virtual hosts are defined: federationgateway, virtualhost2 and virtualhost3.

In my case I am currently able to hit /affwebservices/assertionretriever from all virtual hosts:

https://federationgateway.example.com/affwebservices/assertionretriever

https://virtualhost2.example.com:11443/affwebservices/assertionretriever

https://virtualhost3.example.com:12443/affwebservices/assertionretriever


I would like to see this made configurable so that only a single defined or user-defined virtual host, e.g. https://federationgateway.example.com/affwebservices/assertionretriever, is able to access the federated apps.


The SPS is being viewed as the access gateway into many customers' environments, and in environments where both federated and standard SSO use cases are present, this allows end users access to resources that should not be available in each case.


Thanks,


Adam Rusniak


Comments

12-13-2017 08:26 PM

As a workaround, if needed before this is implemented, some form of allow/block list testing the virtual host and URL could be used with mod_rewrite in httpd.conf to enforce the limit of /affwebservices to only a specific host name.


Although the rules differ, a block/allow list in the Apache httpd.conf is given as a workaround in this case too:

https://communities.ca.com/ideas/235737271-white-or-blacklisting-capability-in-access-gateway-within-product?commentID=2… 


Cheers - Mark
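One way to express the mod_rewrite workaround Mark describes, as an added example that is not part of the original post or of CA's product configuration. It assumes the three virtual hosts from the idea are defined as <VirtualHost> blocks in the SPS httpd.conf; the listen ports, ServerName values and the "existing proxy configuration" placeholders are assumptions for illustration.

```apache
# Added example (not from the CA Community post): refuse the federation web
# apps (fedrootcontext="affwebservices") on every virtual host except the one
# designated as the federation gateway.
#
# The deny rule is placed inside each non-gateway <VirtualHost> rather than
# keyed on the client-supplied Host header: Apache has already selected the
# vhost by the time the rule runs, so a forged Host value cannot re-enable
# the path, and rules in the main server context would not apply inside the
# vhost blocks anyway without RewriteOptions Inherit.

# --- Federation gateway: the only vhost allowed to serve /affwebservices ---
<VirtualHost *:443>
    ServerName federationgateway.example.com
    # (existing SPS proxy configuration for this vhost - assumed placeholder)
</VirtualHost>

# --- Standard SSO vhosts: block the federation root context outright -------
<VirtualHost *:11443>
    ServerName virtualhost2.example.com
    RewriteEngine On
    # Match /affwebservices and anything beneath it, case-insensitively,
    # and answer 403 Forbidden before the request is proxied to the
    # federation servlets. "-" means "do not rewrite, just apply flags".
    RewriteRule ^/affwebservices(/|$) - [F,L,NC]
    # (existing SPS proxy configuration for this vhost - assumed placeholder)
</VirtualHost>

<VirtualHost *:12443>
    ServerName virtualhost3.example.com
    RewriteEngine On
    RewriteRule ^/affwebservices(/|$) - [F,L,NC]
    # (existing SPS proxy configuration for this vhost - assumed placeholder)
</VirtualHost>
```

After restarting httpd, a request for https://virtualhost2.example.com:11443/affwebservices/assertionretriever should return 403 while the same path on the federation gateway host is still served; the 403 entries in the access log give a simple way to spot clients probing the blocked hosts.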

05-31-2016 05:42 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team is reviewing your enhancement suggestion. The Community will continue to be able to vote on this enhancement idea.

03-16-2016 12:44 PM

Customers need the flexibility of ensuring which VH allows access to which SPS-Hosted-WebApps that we (CA) ship. Hardening security and access refers to the ability of blocking access to resources where it needs to be blocked. I see the benefit of allowing SPS-Hosted-WebApps across all VHs. At the same time I would also like to see the ability to block OR limit SPS-Hosted-WebApps to a particular VH. This also refers to the ability of allowing to map (tie down) WebApps to a particular VH, e.g. allow Affwebservices only via VH1.ca.com and allow sessionassurance only via VH2.ca.com. The ultimate thing would be the (tie down) ability to manage which VH allows proxy functions, e.g. affwebservices only via vh1.ca.com and no proxy using this vh1.ca.com (but proxy would be via some other VH, e.g. vh3.ca.com on the same SPS).