Idea Details

Allow OAUTH federation to use proxy for connection for backchannel to Auth Provider

Last activity 05-31-2019 03:54 PM
04-06-2016 03:55 PM

Given that:

- The OAUTH requires a backchannel connection to the authorization provider;

- The Federation gateway (or any servers in the environment) has NO direct outgoing connection to the Internet.

- All outgoing connections have to go through a proxy server (Corporate Security Policy)

- The Siteminder OAUTH Authentication Schemes and OpenID Authentication Schemes DO support the proxy for the back channel

[Image: oauthFcc.JPG]

- The OAUTH Federation does not support proxy.

- Even if we could get an exemption for the outgoing connection, we have many other environments that will never be allowed to go out directly (DEV, Certification, QA, Integration, Training...)

 

I'm asking to have the ability to specify a proxy server for the backchannel in the OAUTH Federation (just like we can do it with the oauth.fcc).


Comments

04-14-2016 02:22 PM

Not being able to use an outbound HTTP proxy is a big deal to us.  We would need to do major re-architecture to be able to support OAUTH outside of our network without proxy support.  CA, please help us.

04-14-2016 09:54 AM

Yes, yes and yes. We are just running into this problem now trying to implement the OAuth partnership model...can't get the agent traffic to use the outbound proxy and so can't complete the login.

 

Maybe just some sort of environment variable perhaps that would let any agent (Web Agent / WAOP or Gateway) have an outbound proxy. Similar to how the Policy Server has the http_proxy variable for outbound proxy and works just fine....just use the same one for WA/Gateway.

04-12-2016 04:06 PM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team is reviewing your enhancement suggestion. The Community will continue to be able to vote on this enhancement idea.