
CA SSO (SiteMinder) Apache web agent with AWS Application Load Balancer (ALB)

Question asked by dmt953 on Sep 24, 2018
Latest reply on Sep 27, 2018 by dmt953

We had deployed web applications on AWS before with Apache web server and the AWS classic load balancer, and this setup seemed to be working fine.  We then switched out the AWS classic ELB load balancer to use the ALB (Application Load Balancer) and are now encountering an issue with the web agent.  Here are the specifics of the issue:

 

With the SiteMinder web agent "Disabled" below is the normal expected behavior:

1) with the web agent "Disabled", we request: https://www.company.com

2) the web request goes to the AWS ALB load balancer

3) the load balancer sends the request to one of the several Apache web servers in the pool.

4) The web URL still remains at https://www.company.com and the web content is displayed from the Apache web servers.

 

With the SiteMinder web agent "Enabled", below is the behavior:

1) user requests https://www.company.com

2) the web request goes to the AWS ALB load balancer

3) web agent redirects browser to IWA auth scheme

5) IWA auth scheme completes user authentication and creates SMSESSION cookie

6) web browser is redirected to AWS server name: https://internal-chp-adif-sm-sso-dev-1108094247.us-west-2.elb.amazonaws.com as the web URL rather than https://www.company.com

 

We have tried many different ACO and Apache configuration settings, but cannot figure out why the web agent will change the web URL from the initially requested URL of the load balancer to the server's host name.  Below is a snippet of the agenttrace, but please see the attached agent.log and agenttrace.log files:

 


[09/24/2018][22:58:58][15818][2485028928][CSmHighLevelAgent.cpp:322][ProcessRequest][70ab350c7e9e0ea85ed5238f761eb4c8-3dca-5ba96c32-941e8840-ae2e73d2b076][][][][][][Start new request.]
[09/24/2018][22:58:58][15818][2485028928][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][70ab350c7e9e0ea85ed5238f761eb4c8-3dca-5ba96c32-941e8840-ae2e73d2b076][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:258][CSmHttpPlugin::ProcessResource][70ab350c7e9e0ea85ed5238f761eb4c8-3dca-5ba96c32-941e8840-ae2e73d2b076][][][][][][Setting FIPS MODE = 1]
[09/24/2018][22:58:58][15818][2485028928][SmApache24WebFilterCtxt.cpp:1744][CSmApache24WebFilterCtxt::SetP3PCompactPolicy][][][][][][][sP3PCompactPolicy: '']
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][70ab350c7e9e0ea85ed5238f761eb4c8-3dca-5ba96c32-941e8840-ae2e73d2b076][][][][][][Resolved HTTP_HOST: 'internal-chp-adif-sm-sso-dev-1108094247.us-west-2.elb.amazonaws.com'.]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:5340][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][internal-chp-adif-sm-sso-dev-1108094247.us-west-2.elb.amazonaws.com]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:5536][CSmHttpPlugin::ResolveFQServerName, DNSLookups disabled, checking to see if cookiedomain added!][][][][][][][internal-chp-adif-sm-sso-dev-1108094247.us-west-2.elb.amazonaws.com]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][70ab350c7e9e0ea85ed5238f761eb4c8-3dca-5ba96c32-941e8840-ae2e73d2b076][][][][][][Resolved hostname: 'internal-chp-adif-sm-sso-dev-1108094247.us-west-2.elb.amazonaws.com'.]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][70ab350c7e9e0ea85ed5238f761eb4c8-3dca-5ba96c32-941e8840-ae2e73d2b076][][][][][][Resolved agentname: 'aws_adifadmin-dev'.]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:5717][CSmHttpPlugin::ResolveClientIp][70ab350c7e9e0ea85ed5238f761eb4c8-3dca-5ba96c32-941e8840-ae2e73d2b076][][][aws_adifadmin-dev][][][Resolved Client IP address '10.51.156.147'.]
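
Added example, not part of the original post and not CA or AWS code: a small Python script that reads an agent trace in the layout shown above, re-joins records that were wrapped mid-word, and lists the requests where the host the agent resolved differs from the public name users request. It assumes the transaction ID is the seventh bracketed field and the message is the last one, as in the snippet; the function names, the sample trace, and its IDs and host names are constructed for illustration.

```python
import re

RECORD_START = re.compile(r"^\[\d{2}/\d{2}/\d{4}\]")
FIELD = re.compile(r"\[([^\]]*)\]")
RESOLVED = re.compile(r"Resolved ([A-Za-z_ ]+?):? '([^']*)'")

# Constructed sample in the trace layout from the post; IDs and host names are made up.
# The second record is deliberately wrapped mid-word, as in the pasted log.
SAMPLE_TRACE = """\
[09/24/2018][22:58:58][15818][2485028928][CSmHighLevelAgent.cpp:322][ProcessRequest][txn-0001][][][][][][Start new request.]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][txn-0001][][][][][][Resolved HTTP_HOST: 'internal-lb-123.us-w
est-2.elb.amazonaws.com'.]
[09/24/2018][22:58:58][15818][2485028928][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][txn-0001][][][][][][Resolved agentname: 'sample-agent'.]
[09/24/2018][22:58:59][15818][2485028928][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][txn-0002][][][][][][Resolved HTTP_HOST: 'www.company.com'.]
"""

def join_wrapped(text):
    """Re-attach continuation lines to the record they were split from."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def resolved_by_request(text):
    """Map transaction id -> {'HTTP_HOST': ..., 'agentname': ..., ...}."""
    out = {}
    for record in join_wrapped(text):
        fields = FIELD.findall(record)
        if len(fields) < 8:
            continue  # not a full trace record
        txn, message = fields[6], fields[-1]
        m = RESOLVED.search(message)
        if txn and m:
            out.setdefault(txn, {})[m.group(1)] = m.group(2)
    return out

def host_mismatches(text, expected_host):
    """Return {txn: resolved HTTP_HOST} where the agent saw a different host."""
    return {txn: vals["HTTP_HOST"]
            for txn, vals in resolved_by_request(text).items()
            if vals.get("HTTP_HOST", expected_host).lower() != expected_host.lower()}

if __name__ == "__main__":
    for txn, host in host_mismatches(SAMPLE_TRACE, "www.company.com").items():
        print(f"{txn}: agent resolved HTTP_HOST {host!r}")
```

Run against a full agenttrace.log, the output separates requests that reached the agent with the public host name from those that arrived carrying the load balancer's own name.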
