Reformatting this previous article for publishing as Knowledge Document.
- How to protect SOI using Apache Proxy Server (with CA Single Sign-On enabled)
- You already have CA Single Sign-On in your environment and want to extend its SSO to your new SOI(CA Service Operations Insight).
- You have Apache Proxy Server (That is CA SSO enabled) in front of SOI and would like to seamlessly SSO to SOI.
- You tried Apache Proxy Server but with CA SSO enabled you are getting double challenged.
Introduction / Summary:
- This is based on CA Single Sign-On version R12.52SP1 but this should be generic and not limited to specific version.
- This is based on SOI 3.1 but newer versions should work the same.
- This article only covers the part on how to configure the ASF Apache proxy and CA Single Sign-On Realm setting as this is where customers are facing double challenge and fail to SSO.
* CA SSO and CA SOI are both configured and integrated for SSO.
* ASF Apache Proxy Server is CA SSO enabled.
* SOI is accessible via http://soi.kim.net.my:7070/sam
* Proxy server is accessible via http://soi.kim.net.my
- Following is how the ASF Proxy Server need to be configured.
|Apache Proxy Setting for SOI|
To get access to SOI, visit http://soi.kim.net.my/sam/ui and you get access to the backend SOI
Following are some additional proxy url for troubleshooting
- Following is the resource filter that need to be protected by CA Single Sign-On.
|CA Single Sign-On side realm resource filter|
You can choose your preferred Authentication Scheme to protect this URI.
You MUST NOT protect "/sam" from CA Single Sign-On.
You do not need to create a separate realm to unprotect this, just create a realm only for "/sam/ui" and that is sufficient.
With this configuration, you will not be double challenged.
In case if you were proxying /sam from apache and also protecting /sam from CA Single Sign-On, you get challenged as below when accessing "console".
1st challenge (in this sample, I used Basic Authentication Scheme from CA Single Sign-On)
** This article is now published as a Knowledge Document linked below.