Idea Details

Enhance SSO Federation to support HTTP-POST request for SP-Initiated flows without a Sessionstore

Ashok kumar Muthu

01-30-2018 06:39 PM

According to the KB article below, there is a prerequisite of enabling the Session Store to support HTTP-POST requests for SP-initiated flows.

SP-Initiated POST request results in 400 Error

This does not make any sense for customers: enabling a session store only to achieve this use case, when they don't have a real need for a Session Store. HTTP-POST is a widely used SAML request method for SP-initiated flows; this should be supported by the product without any additional setup/configuration.

This feature is supported OOTB by other vendor products without any additional setup, and CA SSO is lacking here.

I ran into this issue recently in one of my customer environments, where they are migrating to CA SSO from another vendor's SSO/Federation manager product; this has become a roadblock for a few SAML application migrations.

Hence I am submitting this idea on behalf of a customer to enhance SSO Federation to support HTTP-POST requests for SP-initiated flows without a Session Store.


Comments

04-05-2018 10:02 AM

Just echoing this from my side as well: "CA folks should not completely depend on ideas to enhance the CA SSO product. Look at your competitor products and the features they have in comparison to yours."

I really agree here. As a customer, by the time I know I need something, we can't wait months or years just to see if it's accepted and then wait longer on actually getting it in place; and often what we end up needing is already supported by another SSO product, so our choices are (1) use another product (we already have to include ADFS in our infrastructure), (2) do some janky solution/workaround (e.g., Kerberos AMA, since it is still not supported, and complex certificate OID validations), or (3) miss out on the new capabilities that are requested.

04-04-2018 01:46 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team is reviewing your enhancement suggestion following the process outlined here: https://communities.ca.com/docs/DOC-231170123

The Community will continue to be able to vote on this enhancement idea.

01-31-2018 06:58 PM

Here is a real business cost of using the ODBC session store, which limits the functionality:

1) Loss of business in integrating with vendors: 1M

2) ODBC annual license cost: 50K

3) Maintenance & support: 500K

Adding a new product like CA Directory to replace the existing one in the environment, including labor, testing etc.: 1M, along with the additional cost of maintenance.

In short: the enhancement is needed, period.

CA folks should not completely depend on ideas to enhance the CA SSO product. Look at your competitor products and the features they have in comparison to yours.

Warning: If you wait for customers to create an idea for every enhancement needed in the product, then be prepared to lose customers.

01-31-2018 10:50 AM

It does seem that the SAML spec supports the functionality, thus the request is very valid.

Adding the estimated business impact, i.e. this costs you X amount of $$$, may help prioritize the idea.

Quite often, the technical overhead is not necessarily perceived as a major hurdle compared to the costs associated with the product enhancement request.

Thus mentioning the cost of the overhead, and this being a competitive replacement, I think might help.

Note: we've probably taken the Session Store decision based on performance, and based on that, use of CA Directory as the Session Store would improve things, aside from the other limitation/comparison mentioned by @Hubert for ODBC.

When federation SSO is started at the SP by accessing a service at the SP server, disregarding any existing valid session the user may already have, it seems that the transaction will incur a performance impact on both servers due to XML traffic, and on user experience (multiple redirects before the protected resource is accessed).

This is something that the product team will more than likely look at and consider when making their decisions.

01-30-2018 08:01 PM

We are looking for HTTP-POST requests with SP-initiated requests to work without a CA Session Store; we don't see value in creating a session store just for HTTP-POST requests. It is a huge overhead for us to maintain the session store instances just for HTTP-POST requests. Please prioritize this enhancement request.

01-30-2018 06:47 PM

The added problem here is that with ODBC Session Stores there is a hard limit of 4K characters (varchar). Thus if the SAML Request is larger than 4K characters, the journey fails, as the injection of the SAML Request into the Session Store fails, and subsequently, after login, when the federation function tries to read from the Session Store, there is nothing in the Session Store.

Hence this works 100% only for customers who have CA Directory as the Session Store. For customers using ODBC as the Session Store it is pure luck: if the base64-encoded SAML Request is less than 4K then this solution of using the Session Store for HTTP POST with a SAML AuthnRequest works.

There is an alternative to enhance the ODBC Session Store to use BLOB instead of varchar, but we have not certified that.

Hence while this feature (Support HTTP POST on SAML AuthnRequest) exists, it only works with a 100% success criteria for customers with CA Directory as the Session Store.

Regards

Hubert
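A pre-flight check for the failure mode Hubert describes, written here as an added example (not code from the thread or from the CA SSO product): it builds a constructed SAML 2.0 AuthnRequest, encodes it the way the HTTP-POST binding does (plain base64, no DEFLATE), and reports whether the result would fit in the 4K varchar column. The 4000-character limit and the example.com URLs are assumptions; the real column name and width are not on the page.

```python
import base64
import datetime
import uuid
import xml.etree.ElementTree as ET

# Width of the varchar column the thread says the ODBC session store uses ("4K characters").
# The actual column name/type is not on the page; 4000 is an assumed limit for this check.
ODBC_VARCHAR_LIMIT = 4000
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(issuer, acs_url, destination, extra_bytes=0):
    """Minimal SAML 2.0 AuthnRequest (constructed sample, not a captured message).
    extra_bytes pads it with an Extensions element to model the larger real-world
    requests (signatures, scoping, extensions) that overrun the 4K column."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if extra_bytes:
        ET.SubElement(req, f"{{{SAMLP}}}Extensions").text = "x" * extra_bytes
    return ET.tostring(req, encoding="utf-8")

def post_binding_encode(xml_bytes):
    """HTTP-POST binding: the SAMLRequest form field is plain base64 of the XML (no DEFLATE),
    so it is roughly 4/3 the size of the raw request."""
    return base64.b64encode(xml_bytes).decode("ascii")

def post_binding_decode(encoded):
    return base64.b64decode(encoded)

def max_xml_bytes_for(limit=ODBC_VARCHAR_LIMIT):
    """Largest raw XML size whose base64 form still fits in a `limit`-character column."""
    return (limit // 4) * 3

def fits_session_store(encoded, limit=ODBC_VARCHAR_LIMIT):
    """True if the encoded SAMLRequest would survive insertion into the varchar column;
    False is the case the thread describes: the write fails and the post-login read finds nothing."""
    return len(encoded) <= limit
```

With a 4000-character column the raw XML can be at most 3000 bytes, which a signed or extended AuthnRequest easily exceeds.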