Patrick-Dussault

Tech Tip : CA Single Sign-On : CA AGW Partnership federation/ configuration assistance would be needed for redirect

Discussion created by Patrick-Dussault Employee on Jun 28, 2018

Issue:

 

I have installed CA Access Gateway (SPS) 12.7 and I'am testing for
first time a Parnership Federation with Policy Server 12.7, so that CA
Access Gateway (SPS) is acting as SAML2 IdP and myseconddomain
http://www.myseconddomain.com/ is acting as SAML2 SP.

Login pages are on the CA Access Gateway (SPS).

When I start login flow from sp.myseconddomain.com, the Authentication
URL redirects properly to login page where both authentication and
authrozation are processed successfully and a SMSESSION is created.

The problem occurs with redirect.jsp. When the browser goes to that
redirect.jsp page, the browser doesn't get redirected back to the
Federation Resource /affwebservices/public/saml2sso.

I have configured the Authentication URL to
https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp
in Parnership Federation Configuration.

In CA Access Gateway (SPS) Federation has been enabled and the
Authentication URL has been set to default siteminderagent/redirectjsp
there.

First login fails because of redirect. In second try when SMSESSION
exists already login flow is successful. SAML response is returned to
myseconddomain SP site.

 

Cause:

 

From the flow, we see the SMPORTALURL is encrypted :

https://AGW.myfirstdomain.com/affwebservices/redirectjsp/redirect.jsp?SAMLRequest=dasdSADDQdasDasDEASsDASda223qdasDSasewS%3&RelayState=cookie%3A1529414dsa4d45454&SMPORTALURL=KdleL33sa2slslaxxsldllewsa&SAMLTRANSACTIONID=e1e30973-c7df59c2-9dfds9ce-5rdd355e-7e9ww830-4f


Here we should see the SMPORTALURL value decrypted.

 

Resolution:

 

Disable the "Use Secure URL" option in the Partnership, this will only
URL Encode the SMPORTALURL value, to avoid the Federation Service to
redirect the browser to an encrypted target value.


KB : KB000102821

Outcomes