
CA SPS Federation Gateway Question

Question asked by rusad02 Employee on Mar 15, 2016
Latest reply on Mar 18, 2016 by rusad02

Hi all,

I have a question regarding using the CA SPS as a Federation gateway.

In my use case I have one SPS instance with multiple virtual hosts defined. I have already used the nete:cond type="host" criteria for the entry point to proxy the host header field to the respective backend servers the virtual hosts are defined for. What is the recommended approach then for only allowing a single one of these virtual hosts to be used for access to the federation servlets?

In my case currently I am able to hit the /affwebservices/assertionretriever from all virtual hosts:

https://federationgateway.example.com/affwebservices/assertionretriever

https://virtualhost2.example.com:11443/affwebservices/assertionretriever

https://virtualhost3.example.com:12443/affwebservices/assertionretreiver

I would like to limit this to only the example virtual host https://federationgateway.example.com/affwebservices/assertionretriever

Previously, when I have used just Apache and the web agent option pack on the application server, this would be easy to define with the proxypass, proxypassreverse and !proxy rules.

I've seen previous discussions where some were setting up multiple instances of SPS to handle multiple nete:conditions, but this seems cumbersome for the task.

Each of my virtual hosts is using a separate WebAgent.conf, but I would like to handle the rules at the proxy level instead of at the SSO level. I'm guessing there is a simple way to do this and I am overlooking it.

Thank you for the help,

Adam
