CA SPS - Block access to Federated Web Apps on Virtual Host Basis

Idea created by rusad02 Employee on Mar 16, 2016
    Status: Under review
    Score: 8

    Hi all

    I would like to open an enhancement request to disallow access to the federation web apps on a per Virtual Host basis inside the SPS server.conf.

    Currently the server.conf supports the following options.

    <federation>
        enablefederationgateway="yes"
        fedrootcontext="affwebservices"
        authurlcontext="siteminderagent/redirectjsp"
        allowlinking="yes"
        protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
    </federation>

    For example in this use case three virtual hosts are defined. federationgateway, virtualhost2, virtualhost3.

    In my case I am currently able to hit /affwebservices/assertionretriever from all virtual hosts:

    https://federationgateway.example.com/affwebservices/assertionretriever

    https://virtualhost2.example.com:11443/affwebservices/assertionretriever

    https://virtualhost3.example.com:12443/affwebservices/assertionretriever

    I would like to see this made configurable so that only a single, user-defined virtual host (e.g. https://federationgateway.example.com/affwebservices/assertionretriever) is able to access the federated apps.

    The SPS is being viewed as the access gateway into many customers' environments, and in environments where both federated and standard SSO use cases are present, this allows end users access to resources that should not be available in each case.

    Thanks,

    Adam Rusniak
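Added example, not code from the original post or from CA SPS: a small Python check that probes each virtual host for the back-channel services listed in protectedbackchannelservices and reports the hosts that serve them outside the intended federation gateway, plus a decide() function that models the per-virtual-host rule the request asks for. The base URLs are the three virtual hosts named in the post and FED_ROOT is the fedrootcontext value from the quoted server.conf; decide() is a hypothetical illustration of the requested behaviour, not an existing SPS setting, and the HTTP statuses in the stand-alone run come from a constructed fake that reproduces what the post describes.

```python
"""Probe which SPS virtual hosts serve the federation web apps, and model the
per-virtual-host rule requested in the post.

Added example; not code from the original post or from CA SPS. Assumptions:
VHOSTS are the virtual hosts named in the post, FED_ROOT is the fedrootcontext
value and BACKCHANNEL_SERVICES the protectedbackchannelservices list from the
quoted server.conf. decide() is a hypothetical illustration of the requested
behaviour, not an existing SPS setting.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

FED_ROOT = "affwebservices"
BACKCHANNEL_SERVICES = (
    "saml2artifactresolution",
    "saml2certartifactresolution",
    "saml2attributeservice",
    "saml2certattributeservice",
    "assertionretriever",
    "certassertionretriever",
)

# Virtual hosts from the post (constructed sample input for the stand-alone run).
VHOSTS = (
    "https://federationgateway.example.com",
    "https://virtualhost2.example.com:11443",
    "https://virtualhost3.example.com:12443",
)
ALLOWED = ("federationgateway.example.com",)


def _hostname(host):
    """Lower-case host with any :port removed (IPv6 literals not handled)."""
    return host.split(":")[0].lower()


def is_federation_path(path, fed_root=FED_ROOT):
    """True when the first path segment is the federation root context."""
    first = path.lstrip("/").split("/", 1)[0]
    return first.lower() == fed_root.lower()


def decide(host, path, allowed_hosts, fed_root=FED_ROOT):
    """Hypothetical per-virtual-host rule: federation paths are served only on
    the listed hosts; every other path is left to the normal SSO policy."""
    if not is_federation_path(path, fed_root):
        return True
    return _hostname(host) in {h.lower() for h in allowed_hosts}


def http_status(url, timeout=5):
    """Live probe: HTTP status of GET url, or None when no connection is made."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def exposed_hosts(base_urls, allowed_hosts, services=BACKCHANNEL_SERVICES,
                  fed_root=FED_ROOT, status=http_status):
    """Map each non-allowed virtual host to the back-channel services it serves.

    A service counts as served when the probe gets any status other than 404
    or a connection failure (a 400 from assertionretriever called without
    parameters still proves the servlet is reachable). 403 is treated as
    blocked, on the assumption that a front-end deny rule answers that way.
    `status` is injectable so the check can run offline against a fake.
    """
    allowed = {h.lower() for h in allowed_hosts}
    not_served = {None, 403, 404}
    findings = {}
    for base in base_urls:
        host = urlsplit(base).hostname
        if host in allowed:
            continue
        served = [s for s in services
                  if status(f"{base.rstrip('/')}/{fed_root}/{s}") not in not_served]
        if served:
            findings[host] = served
    return findings


def fake_status_as_described(url):
    """Constructed stand-in for the behaviour described in the post: every
    virtual host answers on the federation paths (400: servlet reached, no
    artifact or assertion parameters); anything else is 404."""
    return 400 if f"/{FED_ROOT}/" in url else 404


if __name__ == "__main__":
    for host, services in exposed_hosts(VHOSTS, ALLOWED,
                                        status=fake_status_as_described).items():
        print(f"{host}: federation services reachable: {', '.join(services)}")
    print(decide("virtualhost2.example.com:11443",
                 f"/{FED_ROOT}/assertionretriever", ALLOWED))  # False under the proposed rule
```

Run stand-alone, the fake reproduces the observation in the post: virtualhost2 and virtualhost3 serve all six back-channel services. To check real hosts, call exposed_hosts(VHOSTS, ALLOWED) with the default live probe from a network position that can reach all three ports; an empty result means only the federation gateway answers on /affwebservices.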