SungHoon_Kim

Protecting SOI using CA SSO Enabled Apache Proxy Server

Blog Post created by SungHoon_Kim Employee on Jan 14, 2016

Reformatting this previous article for publishing as Knowledge Document.

 

Title:

    - How to protect SOI using Apache Proxy Server (with CA Single Sign-On enabled)

 

Description:

    - You already have CA Single Sign-On in your environment and want to extend its SSO to your new SOI (CA Service Operations Insight).

    - You have an Apache Proxy Server (CA SSO enabled) in front of SOI and would like seamless SSO to SOI.

    - You tried the Apache Proxy Server, but with CA SSO enabled you are being double challenged.

 

Introduction / Summary: 

    - This is based on CA Single Sign-On version R12.52SP1, but it should be generic and not limited to a specific version.

    - This is based on SOI 3.1, but newer versions should work the same.

    - This article only covers how to configure the ASF Apache proxy and the CA Single Sign-On realm setting, as this is where customers face the double challenge and fail to SSO.

 

Instructions:

    - Prerequisites:

     * CA SSO and CA SOI are both configured and integrated for SSO.

     * ASF Apache Proxy Server is CA SSO enabled.

     * SOI is accessible via http://soi.kim.net.my:7070/sam

     * Proxy server is accessible via http://soi.kim.net.my

      

    - The following is how the ASF Proxy Server needs to be configured.

Apache Proxy Setting for SOI

ProxyRequests off
ProxyPreserveHost on

<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>

<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>

<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>

 

To access SOI, visit http://soi.kim.net.my/sam/ui and you will reach the backend SOI.

The following are some additional proxy URLs for troubleshooting:

http://soi.kim.net.my/sam/admin

http://soi.kim.net.my/sam/debug

 

    - The following is the resource filter that needs to be protected by CA Single Sign-On.

CA Single Sign-On side realm resource filter
/sam/ui

You can choose your preferred Authentication Scheme to protect this URI.

You MUST NOT protect "/sam" with CA Single Sign-On.

You do not need to create a separate realm to unprotect this; creating a realm only for "/sam/ui" is sufficient.

With this configuration, you will not be double challenged.
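
An added example (not part of the original article or of any CA tooling): a small Python check that reads the proxy configuration above and reports which proxied paths a given realm resource filter would challenge. It assumes a realm filter covers every URI that begins with it; the function names are hypothetical.

```python
import re

# Constructed input: the proxy configuration shown in this article.
APACHE_CONF = """
ProxyRequests off
ProxyPreserveHost on
<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>
<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>
<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>
"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)
PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)", re.M | re.I)

def proxied_locations(conf):
    """Map each <Location> path that contains a ProxyPass to its backend URL."""
    found = {}
    for path, body in LOCATION_RE.findall(conf):
        match = PROXYPASS_RE.search(body)  # ProxyPassReverse does not match
        if match:
            found[path] = match.group(1)
    return found

def is_challenged(uri, realm_filters):
    """Assumption: a realm resource filter covers every URI that begins with it."""
    return any(uri.startswith(f) for f in realm_filters)

def sso_coverage(conf, realm_filters):
    """Split proxied paths into (challenged by SSO, not challenged by SSO)."""
    covered, uncovered = [], []
    for path in proxied_locations(conf):
        (covered if is_challenged(path, realm_filters) else uncovered).append(path)
    return sorted(covered), sorted(uncovered)

if __name__ == "__main__":
    # Recommended realm first, then the "/sam" realm the article says to avoid.
    for filters in (["/sam/ui"], ["/sam"]):
        covered, uncovered = sso_coverage(APACHE_CONF, filters)
        print(f"realm {filters}: challenged={covered} not challenged={uncovered}")
```

With the recommended "/sam/ui" realm, /sam/admin and /sam/debug are proxied without a CA SSO challenge, so confirm they are restricted by other means wherever the proxy is broadly reachable.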

 

Additional Information:

If you proxy /sam through Apache and also protect /sam with CA Single Sign-On, you are challenged as shown below when accessing "console".

 

1st challenge (in this sample, I used the Basic Authentication Scheme from CA Single Sign-On)

[Screenshot: 8a.png]

2nd challenge

[Screenshot: 9a.png]

3rd challenge

[Screenshot: 10.png]

Exception

[Screenshot: 11.png]

** This article is now published as a Knowledge Document linked below.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1872722.aspx

 

 

 
