Symantec Access Management

Hello,

I have integrated a Web Site with CA Single Sign On. After integrating it, when we enter the url, it prompts for the credentials as it should in the web agent pop up window, but when I provide the correct credentials, it brings the actual page of the web site on which I have to again type the user credentials.

For elaboration lets say I have a website named abc.com and when a user logs in, he gets the page abc.com/out.php.

Since abc.com directly asks for credentials, so I have used "/" as the resource filter in my realm and effective resource is selected to be "*".

I was expecting that after interception, when the user provides the credentials, the url should become abc.com/out.php in which user is seen already logged in, but in actual it doesn't redirect. After providing the credentials it allows to access the abc.com and the user has to provide his credentials again.

I think I am missing out something over here.

Can you please help me in this regard.

Thanking You

Zia

Anybody able to assist Khwaja?

Khwaja Zia ul Hasan wrote:

 

Hello,

 

I have integrated a Web Site with CA Single Sign On. After integrating it, when we enter the url, it prompts for the credentials as it should in the web agent pop up window, but when I provide the correct credentials, it brings the actual page of the web site on which I have to again type the user credentials.

 

For elaboration lets say I have a website named abc.com and when a user logs in, he gets the page abc.com/out.php.

Since abc.com directly asks for credentials, so I have used "/" as the resource filter in my realm and effective resource is selected to be "*".

 

I was expecting that after interception, when the user provides the credentials, the url should become abc.com/out.php in which user is seen already logged in, but in actual it doesn't redirect. After providing the credentials it allows to access the abc.com and the user has to provide his credentials again.

 

I think I am missing out something over here.

 

Can you please help me in this regard.

 

Thanking You

Zia

Hi Zia,

I'm not quite sure what do you mean by "webpage also asks for credentials". Is the webpage serve by web server only or you have backend application server in your case?

If the environment involved web server only, there seems to be two issues here.

1. User not being redirect to abc.com/out.php

2. User being reprompt credentials when access abc.com/out.php

For first issue, there is web server configuration to set default document when client does not request a specific file. For example in IIS manager -> Default Document. For other web server, you might need to check on the documentation to find out how to set the default document. I will use IIS as example. In IIS setting, the default document comprise of index.html. When user access abc.com without specific resource, the web server will look for index.html by default and if it exist, it will display the contents once user authenticate and authorized. In your case, is out.php one of the default document?

For second issue, we need to check from smaccess log whether the user get authentication reject or authorization reject to help us narrow down the scope. If it is authentication reject, the user might not exist in user directory. If it is authorization reject, it could be the policy defined don't have the user specified.

Hope this helps.

Kar Meng

Hi Zia,

I'm not quite sure what do you mean by "webpage also asks for credentials". Is the webpage serve by web server only or you have backend application server in your case?

If the environment involved web server only, there seems to be two issues here.

1. User not being redirect to abc.com/out.php

2. User being reprompt credentials when access abc.com/out.php

For first issue, there is web server configuration to set default document when client does not request a specific file. For example in IIS manager -> Default Document. For other web server, you might need to check on the documentation to find out how to set the default document. I will use IIS as example. In IIS setting, the default document comprise of index.html. When user access abc.com without specific resource, the web server will look for index.html by default and if it exist, it will display the contents once user authenticate and authorized. In your case, is out.php one of the default document?

For second issue, we need to check from smaccess log whether the user get authentication reject or authorization reject to help us narrow down the scope. If it is authentication reject, the user might not exist in user directory. If it is authorization reject, it could be the policy defined don't have the user specified.

Hope this helps.

Kar Meng

Hello Karmeng,

By the term "webpage also asks for credentials" I meant that the SiteMinder Agent prompts when I try to access abc.com. When I provide the correct credentials it displays the abc.com page on which we used to provide the credentials. On this page I again have to type the credentials. After that it logs me in into abc.com/out.php.

Yes the Web Page is served only by the web server, there is no backend application.

As per the details you have provided I have the default page i.e. index.php. In the normal scenario when there was no agent, when we enter the URL abc.com it goes to abc.com/index.php. When we provide our credentials on that screen it goes to abc.com/out.php.

I was expecting the same to happen when we use the agent. But unfortunaltely it is not happening in my case. As I said earlier I had protected the "/" but I also tried the "/index.php" and "/out.php" but no success.

Can I forcefully redirect it to the abc.com/out.php after the user provides his credentials on the popup screen?

I hope now I am able to make you understand the problem I am facing.

Thanking You

Zia

Zia

I think we are missing a point here.

It is not about SiteMinder redirecting to abc.com/out.php. That is achievable by using a redirect response and attaching it to an appropriate rule.

The point that is being missed here is that, index.php has a login logic to accept credentials. When we integrate with SiteMinder, the login logic of index.php needs to be changed to first look at SiteMinder Header Variables. If index.php finds the necessary header variables it needs to process it own login logic, it should redirect to landing page. This is how SiteMinder Session and underlying Application Sessions are synced / trusted.

Hope this helps

Regards

Hubert

Hi Hubert,

Yes exactly. So this is what I believe is the functionality of Siteminder Agent, i.e. to make the website consider the login credentials to be passed from the agent.

Does this mean that I may have misconfigured the agent. I can't see anything useful in the trace logs.

There is one more thing to note that if I use the credentials of testuser1 on the pop-up window of siteminder and enter the credentials of another user on the Web page login screen, it gives me an error. I have to provide the same details for a success login.

Regards

Zia

Zia

SiteMinder Agent would provide the configured Responses in Policy Server in form of HTTP_HEADERS. SiteMinder Agent would not pass login credential to the underlying application. It is the job of the Application Code to read the HTTP_HEADERS that SiteMinder is sending inorder to log the user in.

I don't think the Agent is misconfigured. The Application (PHP Login Code on index.php) needs to be modified to read SiteMinder HTTP_HEADERS instead of expecting a UserName and Password.

I do not have a logical correlation for the last paragraph where it has been suggested that if different user credentials are used, then an error is presented. You'll need to enable some form of logging on PHP to decipher what is going on in this usecase.

http://www.codeproject.com/Articles/80314/How-to-Connect-to-a-SiteMinder-Protected-Resource

http://blogs.msdn.com/b/danielma/archive/2005/11/16/siteminder-and-asp-net.aspx

Please check these link, it gives a precise idea of how SiteMinder HTTP HEADERS should be used.

Regards

Hubert

Zia

Did these inputs help, if so, could we place a request to provide your resolution notes and close the thread.

Regards

Hubert

Hello Hubert,

Yes the information provided was really helpful.

Thanking You

Zia