Symantec Access Management

Hi

Please suggest for a web-agent based solution on Apache. How can i forward my request to a specific web-page after successful login through the html login server

I have a dedicate logon server serving html page to various application. The thing i want to achieve is when the url clicks on application URL hosted on a webserver and protected by CA -SSO webagent 12.52 Sp1 cr06 on a linux VM, he should be taken to the SSO login page and after successful login is done, the user should be taken to another wrapper application which is hosted on cloud.

e.g Application URL :: https://abcd.mydomain.com >> User is taken to the SSO login page >> After successful login >> The request is forwarded to wrapper application >> http://defg.mydomain.com >> after that the wrapper forwards the control back to the application >>https://abcd.mydomain.com 

The POC that i want to achieve is how to forward the request with the help of SSO login page to the wrapper application.

Please note that the login page is common and i dont want to disrupt the functionality of other apps using the logon server.

Thanks,

Pallavi

So let me clarify this - your requirement is once user hits SSO protected Application URL :: https://abcd.mydomain.com after Successful login web agent should redirect to application page  >>https://abcd.mydomain.com and  request should not be forwarded through wrapper application >> http://defg.mydomain.com Correct ?

Hi ,

It is actually a complicated solution. I'm working on a different strategy now. I need to modify my Target attribute which comes in URL when the policy server makes a post request to the login server.

I need to know if there is any way this target can be modified on the very first time when it comes from the policy server.

Hardcoding target in login.fcc doesnt seem to solve my purpose. As the target is getting modified when the login.fcc page is submitted.

Or is there a possibility to modify the target when the user makes the first get request to the SSO webagent.

e.g

my URL looks like

https://mydomain.com/siteminder/loginpage?TYPE=33554433&REALMOID=06-0009c721-7f1b-176b-9c74-f0d10a9c904d&GUID=&SMAUTHREASON=… 

try to attach response in webagent accept rule, once user is authenticated webagent should redirect user to desired URL define in response.

No luck, it is not solving my purpose. No ive created OnAuthAcceptredirect Response and i want to redirect to the the particular URL which is again protected by SSO. It is presenting me the login page once again.

Hi Pallavi,

The login page appears again probably because of AzReject. You should be able to see this in trace log. Did you check that all realms have the Webagent GET, POST actions allow rule in policy? and the user group for the policy is set to the same?

regards,

Zen

Let me explain to you what im trying to achieve

step 1: User Makes a get request to the resource e.g

https://WebApplication.MyDomain.com

Step 2 It goes through several data protection servers and then finally from the last server makes the get request to the webserver e.g as

https://WebApplication-Secret.MyDomain1.com (We don't want the user to know this URL the user should be able to see this url as it is a internal URL)

3 Now on the HTML login pagin what we see is below URL (Which has the target of the Step2 and i dont want the user to be able to see that Target)

https://myloginServer/myloginpage.fcc?tTYPE=335544&REALMOID=06-00048-cc96-170f-a7b0-f01d&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-EZuEDqWcEfSF%2f6XwkG6&TARGET=-SM-HTTPS%3a%2f%2fmyWebApplication-Secret%2eMyDomain1%2ecom

4. Is there any way i can stop this value of target showing in the URL of the login page.

Ive tried to hardcode the $$Target$$ in myloginpage.cc but on submit of the login page it is redirecting to the same login page with the new Target value. I dont want to show login page twice to the user with different targets.

Hi Pallavi,

If you enable SecureURL, users will never get to see the TARGET variable in the URL. everything will be encrypted into a single variable SMQUERYDATA which only the agent will know how to decrypt.

The login page URL will look something like this

https://sso.mycompany.com/auth/login.jsp?SMQUERYDATA=-SM-ZVH%2fjGfVJEwX4sMCEhEG5wbdvD24Ps72QCj0cHrdAI%2bqOqVw%2b7HO1ITr8qk9xAm6KX46ON85dNosHh3V29dA0fSRsM2SQ0oK05FVlgXwcOuddWdkUpShUO1xF%2bb84bkWwtT6Jz%2bZTSnR8zt1SEERthl%2brSvUOCkD3TiXlKO76Tmd68AHFoshsZtt3yMMFUmOVCDr2ONl%2b8tNFkeGXmguVS9OnBvaF5oT5idDhaOxjORPKXv3wO3Cle%2b9hdgARtQey8ct2OO3oZ8vdBX3HJ11Vdg5J2mpjHm2WPhRu87YC3qGzBYJjJsrkVFVKw9Ewc2W116L9XoQoB0ZKh0Nzx3wmp0Ck3ugrPQxv%2fkpFdz4S2MnGYUMRzFJTKE29LsY9871HRttaL7dTOPALxUNHCnjVpLjp6TLVqZIRnvLvwz6NL4YgUENcte5xfphs%2bIh7LDId8OwuBvu%2ft0Oujq4%2f5vYvUkF5%2ff%2bSl7c8VIMDOwC1x7X6IH4tNbSZQNW4mRoyYG%2bQ%2bQrLGGwgMh7ndPO9g%2fhHEMON7xnt5zGBrYG3MX8kymRj8QqIt9Nx%2b0DwQ0hlyd%2bWfWtVVVb7IOwqndXnVIP4TO2ictFJ8NGYg2c8B5vH42%2blAeCO%2bi%2bMZXKB%2bLG4SkTAxU6%2fK6xBMfUX1GDKeZlh7It7dAb2Iiym%2fNC5UuBrz2BjW1mzqhKYGHvqjNdqe8YXdprsiPFv1NKLNMqcNy2bxLWYGQPZJxPsAHNeLOENwFYZ%2bD6Olf6iWBgtgyuDGUmmy5j2dLgylQh1a%2fmA9m%2bBArnK7hNahCMWQ34Df9ImHtT1sH85BwHaiO6RNzDMm94LefXFn9O%2bZ5IOsopA3cT7da7VqZPN9rJyFEUSUbCiCiUDZoLHzYI%2bsBwxymGutj%2fD4b%2fxAAlF6HVCMlIyPdNWuFCcWUzNsf2ZkOGNFrRagQT63IobcOa%2bzHi2zLtZFCBf1r2xTqeEFiS67ZdHwJ3ymUfwlbn%2f%2fLrmEhXvO5aEXUU%2fSx%2fdMd8UkvlbJwswXtrosUoalUTUzp1sFrc0xgrwF6g9hmcQ%2fcfwnTQ98Dyap8OHFPWLhBGvuCPCjqcdt021uBXeHmPHlUfVg0kHP6mjBWM1O4NqNFNqMILH79zQgWpa068gPmCbASRYIkabLJ%2bYusvZ9lWXzWDkVezot1u1RQJhHnEcrBZFUndN6t6s8pKXLzHPvpuuEShVR4UhytAoa8nXx5CVuYGCFOf5ZOpDAP8GfqH%2bsVRKMHvSGAYJzQUHy9yA9dXuZ4rZf3b8tWx6ZIjcGFqLnJ9N50qtyShIw764%2fXby%2bOuEcoEoHDILJzMC%2bmT9Ap%2be4l%2f72vlVnOV

read here for more info about SecureURL configurations.

https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/web-agent-configuration/forms-authentication/how-to-configure-an-agent-to-support-html-forms-authentication/configure-advanced-fcc-settings/encrypt-query-string-parameters-in-redirection-urls 

regards,

Zen

You just need to setup Apache Reverse Proxy configurations. Refer the below links.

How to use Apache as Reverse Proxy on CentOS & RHEL - LinuxTechLab 

https://www.slashroot.in/how-configure-basic-apache-reverse-proxy 

Hi Ashok,

Can you provide more concrete information on how to configure this through reverse proxy in apache ?

Thanks,

Pallavi

I might be missing something but this seems to be a straightforward job for the onAuthAccept event.

Create onAuthAccept rule in  https://abcd.mydomain.com realm

Then add that rule into policy and set response to onAcceptRedirect which sets the redirect URL to be http://defg.mydomain.com.

Not quite sure what's the challenge here.

regards,

Zen