Hi,
the SPS is build from 2 components:
1. Apache HTTPD
2. Tomcat
SPS flow:
1. request enters the Apache HTTPD server
2. request is routed (using mod_jk) to the Tomcat instance (using default port 8009)
3. agent on tomcat check access (from cache or from policy server)
4. if access is okay, the proxy rules kick in
proxy rules are mapping from external requested URL to your backend servers.
you can find very useful examples inside the proxy-engine/example folder
the siteminder guide is also very useful:
Proxy Rules Configuration - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
So,
after the user authenticate (SMSESSION returned in the response) the user should be redirected to a protected resources. once this request hits the SPS and access is validated, the request is routed using the proxy rules:
for example (from the guide):
<nete:cond type="uri" criteria="beginswith">
<nete:case value="/hr">
<nete:forward>http://hr.company.com$0</nete:forward> </nete:case>
<nete:case value="/employee">
<nete:forward>http://employees.company.com$1 </nete:forward>
</nete:case>
</nete:cond>
means that if a request that start with "/hr" hits the SPS and passes the access validation part, this request will be forwarded (nete:forward) to http://hr.company.com$0 where $0 includes the /hr and everything after.
Oren