Symantec Access Management

Hi Folks,

We had been using the Legacy FSS UI to create SAML Service Providers configurations.  Using the FSS UI we create a new SAML Service Provider and within this configuration UI there is a "Application URL" field where we specify the URL to the custom application that will retrieve additional user attributes and then pass it back to the custom Assertion Generator Plugin (AGP).

With our new SiteMinder r12.52 SP1 CR05, we are encouraged by CA to start using the Federation Partnership method of creating SAML configuration because the "Legacy Federation" method will eventually be discontinued.  What we noticed as we're giving the "Federation Partnership" method a try is that when creating a new "Partnership" the configuration wizard does not have the "Application URL" field/parameter for us to defined so that SiteMinder can redirect the federation request to this custom application to collect additional user information to be passed back to the Custom Assertion Generator Plug-in.

Is there a different way of accomplishing this with the r12.52 version or am I missing a step?

In case folks may still be unclear about my question regarding the "Application URL" field, here is the SiteMinder Administrative UI "Help" description of this configuration field:

Application URL

(Optional) Identifies the protected URL for a custom web application that is used to supply user attributes to the CA SiteMinder® Single Sign-on service. The application can be on any host in your network.

Attributes from the web application specified in this field are made available to the Assertion Generator and then placed in the SAML assertion by an Assertion Generator plug-in. You create the plug-in and integrate it with CA SiteMinder®.

The Federation Web Services application supplies sample web applications that you can use as a basis for your web application. They are:

http://idp_server:port/affwebservices/public/sample_application.jsp

http://idp_server:port/affwebservices/public/unsolicited_application.jsp

idp_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

Thanks in advance!

Duc Tran

Hello Duc,

The Application URL parameter is missing in Partnership Federation. This is a known issue and there is a ticket open with our Engineering team to fix this in the upcoming releases.

In the mean time, there is a workaround to add the Application URL in the Partnership. Here is a Tech Note which describes the steps: 

http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1018201.html

Thanks,

Akshata

Hi Akshata,

Thank you for this information.  Do you know if the release will be a hotfix patch for the policy server or will it be a full release requiring policy server upgrade/re-install?

Hi Duc,

The fix will be part of a full GA release of the Policy Server and will require an upgrade. If you would like to request a Dev Fix, I would encourage you to open a case with CA Support. That way Support can formally engage Engineering to see if a Dev Fix can be provided in your situation after the bug is fixed.

Thanks,

Akshata

Hello Akshata,

I would like to revisit this discussion because we are now in the process of upgrading to R12.8 from our current R12.52 and we learned that the latest release still does not addressed the missing "Application URL" parameter for the Partnership Federation model.  This is extremely disappointing as we will not be able to switch from the Legacy Federation model to the Partnership model because our custom AGP will not work without the "Application URL" parameter.

Any thoughts on this?

Hello Duc,

Just wanted to check if you opened a support case for this?

Thanks,

Manjari 

Hi Manjari,

My apologies for such a late response.  I first brought this issue up about a couple of years ago and I think I had probably opened a support case with CA on this back then.  I just can't believe that more than three years ago since the release of R12.5 which provided the "Partnership Federation" model that this bug still has not been addressed.  The "Application URL" is a very important part of the Assertion Generator Plugin (AGP).