Idea Details

WAOP : AgentName support on WAOP ACO values

Last activity 06-13-2019 09:29 AM
03-03-2015 06:44 PM

Hello Friends

I was looking at an issue for a Customer in Federation.

  • Customer is a Service Provider.
  • WebAgent (IIS) and WAOP (ServletExec) are on the same machine; hence they use the same ACO (same WebAgent.conf).
  • Customer is using FQDNs to separate inbound traffic (more so to give a personalized feeling to the IdP, using the customer name in the FQDN / URL) to access Services; however, the landing pages are the same.
  • There are links on the landing page which get populated at run time to forward the end-user request ahead.
  • They have multiple FQDNs mapping to their WA/WAOP Server.
  • They intend to use an SSL certificate which is a global wildcard certificate issued for "*.sp.com".

E.g. FQDNs on the WA/WAOP Server:

http://xyz.sp.com/target/landing.html

http://abc.sp.com/target/landing.html

Therefore we adopted Agent Identities using the AgentName ACO parameter, as we do in the WebAgent world. We know we could use the AgentName parameter for Agent to FQDN mapping. Thus our configuration looks like the below.

Agent to Policy Domain Mapping

  1. wa_xyz,xyz.sp.com --> Policy Domain xyz --> Realm xyz --> SAML Auth Scheme xyz --> UD1.
  2. wa_abc,abc.sp.com --> Policy Domain abc --> Realm abc --> SAML Auth Scheme abc --> UD1.

Agent ACO Mapping

DefaultAgentName : wa_abc

AgentName : MultiValue

wa_abc,abc.sp.com

wa_xyz,xyz.sp.com

The issue that we are facing is that it looks like WAOP does not honor the AgentName parameter. WebAgent honors this logic correctly. Once the request is handed to WAOP, it simply tries to validate using DefaultAgentName and the entire solution falls apart.

After searching about, we found an article on Support.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec588967.aspx

Therefore the current solution on WAOP is restrictive in that traffic can be segregated only on the basis of URI. What would be good to have would be to also include segregation based on FQDN, thus allowing Virtual Hosting capabilities in WAOP (as is done via WebAgents).

The alternative may be to use CA Access Gateway (a.k.a. Secure Proxy Server). However, for the majority of the customers who are on WAOP deployments, this would be a beneficial one to have.

Regards

Hubert
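To make the resolution logic the post relies on concrete, here is an added Python model (not CA or SiteMinder code) of how a multi-valued AgentName ACO list selects the agent identity per request host and falls back to DefaultAgentName; the ACO values mirror the post, while the dictionary shape and the host normalisation (case folding, port stripping) are assumptions. The `unmapped_hosts` check flags FQDNs that would silently land on the default identity, and hence on the wrong policy domain and SAML auth scheme.

```python
# Added example (not CA/SiteMinder code): models how a multi-valued AgentName
# ACO parameter selects an agent identity from the request host, falling back
# to DefaultAgentName, which is the Web Agent behaviour the post relies on.
# Host normalisation (case folding, port stripping) is an assumption here.
from typing import Dict, List, Tuple

def parse_agent_name(values: List[str]) -> Dict[str, str]:
    """Parse 'agent_name,hostname' entries into a {hostname: agent} map."""
    mapping: Dict[str, str] = {}
    for raw in values:
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"malformed AgentName entry: {raw!r}")
        agent, host = parts
        mapping[host.lower()] = agent
    return mapping

def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and drop any :port suffix (assumption)."""
    host = host_header.strip().lower()
    if ":" in host and not host.startswith("["):
        host = host.split(":", 1)[0]
    return host

def resolve_agent(host_header: str, aco: dict) -> Tuple[str, str]:
    """Return (agent_name, source) for a request arriving for host_header."""
    mapping = parse_agent_name(aco.get("AgentName", []))
    host = normalize_host(host_header)
    if host in mapping:
        return mapping[host], "AgentName"
    # Any host not listed silently takes the default identity.
    return aco["DefaultAgentName"], "DefaultAgentName"

def unmapped_hosts(expected_hosts: List[str], aco: dict) -> List[str]:
    """Config check: FQDNs that would fall back to DefaultAgentName."""
    return [h for h in expected_hosts
            if resolve_agent(h, aco)[1] == "DefaultAgentName"]

# Constructed ACO mirroring the mapping described in the post.
ACO = {
    "DefaultAgentName": "wa_abc",
    "AgentName": ["wa_abc,abc.sp.com", "wa_xyz,xyz.sp.com"],
}

if __name__ == "__main__":
    for host in ("xyz.sp.com", "ABC.sp.com:443", "def.sp.com"):
        print(f"{host:16} -> {resolve_agent(host, ACO)}")
    print("unmapped:", unmapped_hosts(["xyz.sp.com", "def.sp.com"], ACO))
```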


Comments

09-30-2016 02:57 PM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your suggested enhancement. Based on current roadmap priorities and/or the limited amount of community support for this idea over the last year (please see this document describing how we are reviewing ideas: https://communities.ca.com/docs/DOC-231170123), we are not accepting this idea into the product backlog. Therefore, it is being moved to a “Not Planned” status.  

10-30-2015 02:25 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your enhancement suggestion and decided to maintain the idea for possible consideration in a future release. The Community will continue to be able to vote on this enhancement idea.

04-17-2015 06:57 PM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team is reviewing your enhancement suggestion. The Community will continue to be able to vote on this enhancement idea.