CA Single Sign-On - 12.52 SP2
Documentation powered by DocOps

Protect the Authentication URL to Establish a Session

Last update April 17, 2019

A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, the single sign-on service at the IdP redirects the user to an application using an authentication URL. The Authentication URL must point to the redirect.jsp file, which is installed with the Web Agent Option Pack or Access Gateway product. Protect the authentication URL with a policy so that the user is presented with an authentication challenge. After the user logs in and is successfully authenticated, a session is established. The redirect.jsp application then redirects the user back to the single sign-on service for assertion generation.

Two steps are required to enable session creation:

  1. Create a policy to protect the redirect.jsp file.

  2. Specify the Authentication URL in a partnership.

Create the Policy for the Redirect.jsp

  1. Log in to the Administrative UI.

  2. Select Infrastructure, Agents, Create Agent.
    To bind to the realm defined for the asserting party web server, create a web agent. Assign unique agent names for the web server.

  3. Select Policies, Domain, Domains, Create Domain.
    Create a policy domain for the authentication URL. Add the user directory that contains the users who get challenged.

  4. Select the users that must have access to the resources that are part of the policy domain.
  5. Select the Realms tab and define a realm for the policy domain with the following values:
    • Agent
      Agent for the asserting party web server that you created in step 2.
    • Resource Filter
      Use one of the following paths to the redirectjsp folder as the resource filter. The CA Web Agent Option Pack and the CA Access Gateway use this resource filter.
      • Direct path:  /affwebservices/redirectjsp/
      • Virtual path: Path to the server where the redirectjsp folder exists. A common virtual path is /siteminderagent/redirectjsp, which is set up when you configure the Web Agent with the Web Agent Option Pack or the Access Gateway. The virtual path points to the following virtual directory:
        • Web Agent:
          web_agent_home/affwebservices/redirectjsp
        • CA Access Gateway:
          access_gateway_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp
    • Default Resource Protection
      Protected
    • Authentication Scheme
      To protect the authentication URL, select any authentication scheme or specify a custom authentication scheme. For example, you can use a custom authentication scheme whose login flow differs from the SSO-provided schemes; redirect.jsp still handles the redirect back to the federation process after the user is authenticated.
      Default: Basic
    • Persistent Session
      Select the Persistent check box in the Session section of the realm dialog to store session information. Session information is required for features such as single logout and for an attribute authority.

  6. In the Rules section of the realm dialog, click Create Rule. Complete the fields with the following values:

    • Resource
      /*
      The asterisk means that the rule applies to all resources in the realm.
    • Allow/Deny and Enable/Disable
      Allow Access
      Enabled check box is selected.
    • Action
      Web Agent actions
      Get, Post, Put

  7. Select the Policies tab and create a policy that includes the following components:

    • The set of users you selected from your user directory.

    • The realm that contains the redirectjsp application and the associated rule.

A policy now protects the authentication URL. An authentication challenge is triggered when the user is redirected to this URL, and after a successful login a session is created. Note that the challenge only fires if the URL that the partnership uses falls under the realm's resource filter; a URL outside that filter is served without a challenge.

Specify the Authentication URL in a Partnership

After you configure a policy to protect the Authentication URL, specify this URL in the asserting-to-relying party partnership, such as an IdP->SP partnership.

The Authentication URL is set as part of the single sign-on configuration. In the Authentication section of the dialog, select Local for the Authentication Mode field and enter the complete Authentication URL. Examples:

  • Direct URL: http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp
  • Virtual URL: http://webserver1.example.com/siteminderagent/redirectjsp/redirect.jsp
    In this URL, siteminderagent is an alias to a virtual path.

In these examples, webserver1 is the web server with the Web Agent Option Pack or the Access Gateway installed at the Identity Provider. Use an https URL in production: with the default Basic scheme, the user's credentials are sent in the Authorization header of the request to this URL, and a plain http URL exposes them on the wire.
