Symantec Access Management

  • 1.  Form Based authentication for SPS

    Posted Jan 03, 2017 02:09 PM

    Hi, I want to use form-based authentication to authenticate to our IDP for a federation partnership. SPS is being used as the Federation Gateway. Is it possible to use the same SPS server to host the form-based login page, like other web agents?

    I noticed there is an examples/forms/login.fcc shipped with the product. I copied that folder to Tomcat/webapps and tried to access one of the .fcc pages, but I get a message saying:

     

    Server Error: Server was unable to process your request.

     

    Is there something I can do to tell Tomcat how to process this specific file type? Or should I move this login process to the front-end Apache level? Appreciate any insights.



  • 2.  Re: Form Based authentication for SPS

    Broadcom Employee
    Posted Jan 03, 2017 04:35 PM

    Hi Anil,

     

    I do not see a conflict in using SPS Federation Gateway as a regular agent, but per the documentation, there are limitations:

     

    "Limitations of the CA SiteMinder® SPS Federation Gateway

    Note the following limitations when using the CA SiteMinder® SPS federation gateway:
    --The prefilters and postfilters (both built-in and custom-configured) do not execute when federation resources are being requested. For non-federated requests that are fired for the default context, these filters execute as usual.
    --Proxy rules do not execute when federated resources are being requested. For non-federated requests that are fired for the default context, these rules execute as usual."

    This indicates SPS as Federation Gateway does handle non-federated requests.

    You may have to introduce a configuration change in proxyrules.xml to make that happen.

     

    By default, I think the login page is at ~/proxy-engine/examples/forms/login.fcc. If you want to change the look and feel, no problem. However, if you change the default location, there are other settings that need to be changed as well, such as document_root defined under server.conf.

     

    There is a section in SPS, "Modify the Default Location of the SiteMinder Forms". It is a bit old, but gives you an idea of what may be required when you do that. "Note: If you customize the location of the forms folder, ensure that you update the httpd.conf file with the location of the forms images."

     

    Depending on how much customization you get into, CA service can always be an option if you are stuck.

     

    Hope this helps.

     

    Hongxu



  • 3.  Re: Form Based authentication for SPS

    Posted Jan 03, 2017 07:21 PM

    As Hongxu pointed out, you can use SPS agent as any normal agent, and yes, it does support hosting its login.fcc (and other fcc) on its own. You don't need to copy/move any files.

     

    Just using the default configuration should be sufficient.



  • 4.  Re: Form Based authentication for SPS

    Posted Jan 04, 2017 12:38 PM

    Thank you both.

     

    I created an auth scheme with default settings. I get redirected to the login page in the URL bar as defined in the SM authentication scheme. However, the browser renders the following message:

     

    SM-SPS-02001

     

    It doesn't show anything else.

     

    Appreciate any input.



  • 5.  Re: Form Based authentication for SPS

    Broadcom Employee
    Posted Jan 04, 2017 04:45 PM

    The error SM-SPS-02001 is generic and means a configuration error.

    Probably due to virtual host configuration.

    Something else that you can do is to check the following:

    1. hostname : http://hostnameurl
    Do you have the corresponding Virtual host definition?

    2. Check that the WebAgent.conf has the correct plugins loaded

    HttpPlugin.dll
    SPSPlugin.dll

    3. Enable logging to debug

    authaz-log4j.xml

     

    You may check the following community thread for other similar issues:

    https://communities.ca.com/thread/241726246

     

    Hongxu



  • 6.  Re: Form Based authentication for SPS

    Posted Jan 04, 2017 05:51 PM

    Thanks HongXu. I was not aware that SM-SPS-02001 is a config error. Good to know that for the future. Thank you very much for such a timely response.



  • 7.  Re: Form Based authentication for SPS
    Best Answer

    Posted Jan 04, 2017 04:49 PM

    Anything in the webagent trace log, server.log?



  • 8.  Re: Form Based authentication for SPS

    Posted Jan 04, 2017 05:50 PM

    Webagent trace clearly shows that it failed to serve login.fcc. There is no login.fcc in the default folder for SPS; it should be chslogin.fcc. Updated the auth scheme with the correct name and all is well now.