Protecting SOI using CA SSO Enabled Apache Proxy Server

Blog Post created by SungHoon_Kim Employee on Jan 14, 2016

Reformatting this previous article for publishing as Knowledge Document.



    - How to protect SOI using Apache Proxy Server (with CA Single Sign-On enabled)



    - You already have CA Single Sign-On in your environment and want to extend its SSO to your new SOI(CA Service Operations Insight).

    - You have Apache Proxy Server (That is CA SSO enabled) in front of SOI and would like to seamlessly SSO to SOI.

    - You tried Apache Proxy Server but with CA SSO enabled you are getting double challenged.


Introduction / Summary: 

    - This is based on CA Single Sign-On version R12.52SP1 but this should be generic and not limited to specific version.

    - This is based on SOI 3.1 but newer versions should work the same.

    - This article only covers the part on how to configure the ASF Apache proxy and CA Single Sign-On Realm setting as this is where customers are facing double challenge and fail to SSO.



    - Prerequisites:

     * CA SSO and CA SOI are both configured and integrated for SSO.

     * ASF Apache Proxy Server is CA SSO enabled.

     * SOI is accessible via

     * Proxy server is accessible via


    - Following is how the ASF Proxy Server need to be configured.

Apache Proxy Setting for SOI

ProxyRequests off

ProxyPreserveHost on


<Location /sam>






<Location /sam/admin>





<Location /sam/debug>





To get access to SOI, visit and you get access to the backend SOI


Following are some additional proxy url for troubleshooting


    - Following is the resource filter that need to be protected by CA Single Sign-On.

CA Single Sign-On side realm resource filter

You can choose your preferred Authentication Scheme to protect this URI.

You MUST NOT protect "/sam" from CA Single Sign-On.

You do not need to create a separate realm to unprotect this, just create a realm only for "/sam/ui" and that is sufficient.

With this configuration, you will not be double challenged.


Additional Information:

In case if you were proxying /sam from apache and also protecting /sam from CA Single Sign-On, you get challenged as below when accessing "console".


1st challenge (in this  sample, I used Basic Authentication Scheme from CA Single Sign-On)


2nd challenge


3rd challenge




** This article is now published as a Knowledge Document linked below.