Symantec Access Management

  • 1.  CA SSO federation authentication URL

    Posted Jul 20, 2017 11:37 AM

    A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, the single sign-on service at the IdP redirects the user to an application using an authentication URL.

    I have the following use case:

Federation A with authentication URL A (auth URL A belongs to a domain joined to USERSTOREA); all users in USERSTOREA are authorized for Federation A.

Federation B with authentication URL B (auth URL B belongs to another domain joined to USERSTOREB); all users in USERSTOREB are authorized for Federation B.

If the user triggers Federation A without a session, he is redirected to authentication URL A and, after providing the USERSTOREA credentials, the SAML assertion is generated.

At this point, if the user triggers Federation B, since he already has a session at the IdP, authentication URL B is not invoked, and so the user gets an AZ reject, since USERSTOREA users are not allowed to Federation B.

Is there a way to challenge the user for credentials when triggering Federation B even if he has already gained a session when calling Federation A?


  • 2.  Re: CA SSO federation authentication URL

    Broadcom Employee
    Posted Jul 21, 2017 09:03 PM

    I believe you can address this use case by protecting the saml2sso URL instead of relying on the Authentication URL.  This will allow the authorization failure that will occur when a user moves from A to B to occur outside of the FWS (Federated Web Services) and thus avoid the dead-end that occurs when a user fails authorization for assertion generation.  The default behavior of an authorization failure outside of FWS is to challenge the user for authentication, but of course this behavior is very configurable with rule/response pairs.

    Protecting the saml2sso URL is a supported use case.  It assures that only authenticated and authorized users access the URL and thus the Authentication URL is never needed since it is only invoked when an unauthenticated user accesses saml2sso.

Also note that if Federation A and B happen to be hosted either in different DNS domains or on different web servers, you have the opportunity to either put A and B into separate cookie domains, or in separate SSO Zones.  Both of these options would prevent the sessions from A and B from conflicting the way they do now, as the session cookies for A and B would have different names.  These options may require major changes, which is why they are presented as secondary options.
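The following is an added illustration of the three behaviours discussed in this thread; it is a toy model written for this page, not CA SSO / SiteMinder code or anything from Broadcom. It simulates a browser holding a session cookie at the IdP, two federation partnerships bound to different user stores, and the saml2sso endpoint in its original mode (rely on the Authentication URL) and in the suggested mode (saml2sso itself protected, so an authorization failure is answered with a fresh authentication challenge). It also models the secondary option of separate SSO Zones by deriving the cookie name from the zone name, following the CA SSO convention of prefixing the zone name to SESSION (SMSESSION for the default zone). The user stores, federation names, URLs and credentials are all constructed for the example.

```python
"""Toy model of an IdP session shared across two federation partnerships.

Added example for this thread; not CA SSO product code. All stores, users,
URLs and zone names below are constructed for the illustration.
"""
from dataclasses import dataclass, field

# Constructed user stores: which credentials each store accepts.
USER_STORES = {
    "USERSTOREA": {"alice": "pwA"},
    "USERSTOREB": {"bob": "pwB"},
}


@dataclass
class Federation:
    name: str
    user_store: str        # the only store whose users are authorized
    auth_url: str          # Authentication URL used by the saml2sso service
    sso_zone: str = "SM"   # default zone -> session cookie named SMSESSION


@dataclass
class Session:
    user: str
    user_store: str


@dataclass
class Browser:
    # Cookie jar keyed by cookie name (SMSESSION, ZBSESSION, ...).
    cookies: dict = field(default_factory=dict)
    # Credentials the simulated user presents when challenged, per store.
    credentials: dict = field(default_factory=dict)


def cookie_name(fed):
    """Zone-specific session cookie name (zone name + 'SESSION')."""
    return f"{fed.sso_zone}SESSION"


def authenticate(browser, fed):
    """Simulate the Authentication URL: challenge against the federation's
    user store and, on success, issue a session cookie for its zone."""
    user, pw = browser.credentials.get(fed.user_store, (None, None))
    if USER_STORES.get(fed.user_store, {}).get(user) != pw:
        return None
    sess = Session(user, fed.user_store)
    browser.cookies[cookie_name(fed)] = sess
    return sess


def saml2sso(browser, fed, protect_saml2sso=False):
    """One request to the IdP's saml2sso endpoint for federation `fed`.

    Returns 'ASSERTION', 'AZ_REJECT' (the dead end inside FWS described in
    the thread) or 'AUTH_FAILED' (challenged, wrong credentials).
    """
    sess = browser.cookies.get(cookie_name(fed))
    if sess is not None and sess.user_store != fed.user_store:
        if not protect_saml2sso:
            # A session exists, so the Authentication URL is skipped and
            # assertion generation fails authorization: nowhere to go.
            return "AZ_REJECT"
        # saml2sso is protected by its own realm/policy: the AZ failure
        # happens outside FWS and the default response is to re-challenge.
        sess = authenticate(browser, fed)
    elif sess is None:
        sess = authenticate(browser, fed)
    if sess is None:
        return "AUTH_FAILED"
    return "ASSERTION"


def scenario(protect_saml2sso=False, separate_zones=False):
    """Run the thread's use case: Federation A first, then Federation B."""
    fed_a = Federation("FederationA", "USERSTOREA", "https://idp.example/loginA")
    fed_b = Federation("FederationB", "USERSTOREB", "https://idp.example/loginB",
                       sso_zone="ZB" if separate_zones else "SM")
    browser = Browser(credentials={"USERSTOREA": ("alice", "pwA"),
                                   "USERSTOREB": ("bob", "pwB")})
    first = saml2sso(browser, fed_a, protect_saml2sso)
    second = saml2sso(browser, fed_b, protect_saml2sso)
    return first, second, sorted(browser.cookies)


if __name__ == "__main__":
    print("auth URL only     :", scenario())
    print("saml2sso protected:", scenario(protect_saml2sso=True))
    print("separate SSO zones:", scenario(separate_zones=True))
```

In the first run the second call returns AZ_REJECT because the shared SMSESSION cookie suppresses the Authentication URL for Federation B. With saml2sso protected, the same request is re-challenged against USERSTOREB and the SMSESSION cookie is replaced by the new session. With Federation B in its own SSO Zone, the two sessions live in differently named cookies and never collide, at the cost of the user authenticating once per zone.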