Symantec Access Management

  • 1.  STS host and port

    Posted Mar 23, 2016 12:59 PM

    I have STS enabled in server.conf on CA Access Gateway (CA SPS)


    <Context name="Office365"
             type="STS"
             docBase="Office365"
             path="Office365"
             enable="yes">
    </Context>


    There are multiple virtual hosts configured in the same server.conf. Where exactly is STS going to listen: on all VHs? How do I assign it to a specific VH?


    Thank you,



  • 2.  Re: STS host and port
    Best Answer

    Broadcom Employee
    Posted Mar 23, 2016 04:32 PM

    Vlad,


    I had a similar request recently with the federated apps on the SPS. Please review the solution in the following post.


    CA SPS Federation Gateway Question


    As you can see, we handled the blocking of the inappropriate virtual host access with an auth scheme redirect to a static access denied page. We used an agent group object to protect the realm associated with the federated app and applied the custom auth scheme to that realm. All VHs on SPS are using a unique WebAgent.conf, so we can use unique agent objects on the SSO side. The appropriate virtual host is not in the agent group and not protected with this custom auth scheme, and can access the app.


    Thanks Hubert Dennis for the suggested method, it works great.


    If you would like to see better delegation of these types of requests in the server.conf please upvote for my enhancement request here.

    CA SPS - Block access to Federated Web Apps on Virtual Host Basis


    thanks,

    Adam



  • 3.  Re: STS host and port

    Posted Mar 23, 2016 04:56 PM

    Thanks Adam. You answered my question; it seems STS will run on all VHs. I need to test it now.



  • 4.  Re: STS host and port

    Broadcom Employee
    Posted Mar 24, 2016 08:49 PM

    Great thanks Vlad. Can you mark my answer as correct if you are satisfied with it?


    Have a good one,

    Adam



  • 5.  Re: STS host and port

    Posted Mar 30, 2016 01:12 PM

    Hi Adam, I am still struggling to expose STS through any of the virtual hosts, that's why I didn't mark your answer as correct yet, kristen.malzone did :-).

    CA support tells me not to use proxy rules to forward traffic to STS, but there are already proxy rules that forward traffic depending on the host name and URI. Without a rule STS is not reachable because other rules take control. In your federation services setup, do you have a specific condition in proxyrules to forward to the Tomcat running the services?


    Thanks,

    Vlad



  • 6.  Re: STS host and port

    Broadcom Employee
    Posted Mar 30, 2016 01:43 PM

    Hey Vlad,


    For the federation gateway piece I do not have to define proxy rules to access the web apps. My initial struggle was that the federated apps were all exposed through each of my virtual hosts, which prompted me to open the ER and deploy the little workaround.


    At the enterprise producing assertions, federation requests are forwarded to the Tomcat server embedded in CA SiteMinder SPS. The Tomcat server hosts the FWS application. Proxy rules and filters have no relevance when the federation request gets processed.


    For the STS,


    • Review the STS logs to make sure STS is functional: secure-proxy_install_dir/proxy-engine/logs/partnership_name.log.
    • A message stating that STS initialization is complete indicates that STS is running.
    • Or open the following URL, https://{sps-domainName}/{CA-SiteMinder-PartnershipName}/ws-username, and the following message confirms STS is functional


    Can we get a better understanding of what is happening by seeing some traces in your log files?


    Thanks,

    Adam
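    The thread's concern is that an STS (or federated app) ends up reachable on every virtual host, not just the intended one. The script below is an added audit helper, not code from CA/Broadcom or from this thread: it probes the ws-username URL pattern quoted above on each virtual host and reports which hosts answer as the STS. It assumes the STS answers a plain (non-SOAP) GET with the message quoted later in the thread, that the partnership name is Office365 (taken from the Context name in the first post), and that the example.com host names are constructed.

```python
"""Added audit helper (not CA/Broadcom code): which SPS virtual hosts expose
the STS endpoint? Matches on the response body, not the status code, because
the STS may answer a non-SOAP GET with an error status and a short body."""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Set, Tuple

# Message the STS returns to a non-SOAP request (quoted in the thread).
STS_MARKER = "WS-Trust is available only via SOAP request"

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)

def sts_url(vhost: str, partnership: str) -> str:
    """Probe URL for one virtual host (pattern from the thread)."""
    return f"https://{vhost}/{partnership}/ws-username"

def classify(vhost: str, allowed: Set[str], exposed: bool) -> str:
    """Verdict for one host given whether the STS answered on it."""
    if exposed:
        return "ok" if vhost in allowed else "UNEXPECTED-EXPOSURE"
    return "MISSING" if vhost in allowed else "blocked"

def audit_sts_exposure(vhosts: Iterable[str], partnership: str,
                       allowed: Set[str], fetch: Fetcher) -> Dict[str, str]:
    """Probe every virtual host; 'allowed' are the hosts meant to serve STS."""
    report: Dict[str, str] = {}
    for vh in vhosts:
        try:
            _status, body = fetch(sts_url(vh, partnership))
        except OSError:  # DNS/TLS/connect failure: host does not serve STS
            body = ""
        report[vh] = classify(vh, allowed, STS_MARKER in body)
    return report

def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher; HTTP error statuses still return their body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

if __name__ == "__main__":  # usage: audit.py <partnership> <allowed-vhost> <vhost>...
    partnership, allowed_host, *hosts = sys.argv[1:]
    for host, verdict in audit_sts_exposure(hosts, partnership, {allowed_host}, http_fetch).items():
        print(f"{host:40s} {verdict}")
```

    Any host reported as UNEXPECTED-EXPOSURE is a candidate for the agent-group plus custom auth scheme workaround described earlier in the thread.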




  • 7.  Re: STS host and port

    Posted Mar 30, 2016 02:16 PM

    It was my wrong assumption. IE had friendly error messages enabled, showing "Page not found" instead of "WS-Trust is available only via SOAP request". I assumed SPS could not find STS, but all is good now with the friendly error messages disabled.


    Thanks,

    Vlad



  • 8.  Re: STS host and port

    Broadcom Employee
    Posted Mar 30, 2016 02:48 PM

    Thanks Vlad for the confirmation. Glad you were able to access the resource. Are you able to access the STS resource from any of your virtual hosts?



  • 9.  Re: STS host and port

    Posted Mar 30, 2016 03:21 PM

    Yes, it is accessible from any virtual host. Thanks for your help.



  • 10.  Re: STS host and port

    Broadcom Employee
    Posted Mar 30, 2016 03:23 PM

    Thanks Vlad for the feedback. I would recommend you try the approach I used above for the federation apps if you need to restrict it to a single virtual host at this time, until hopefully my enhancement request comes through.


    Glad you were able to get this working.


    Adam