Authentication behaviors of WebAgents in different configurations

Document ID : KB000123531
Last Modified Date : 09/01/2019
Introduction:
CA Single Sign-On is used in the environment below.

[Environment]
There are two web servers, each with a Web Agent.
One is the main server and the other is a reserved server.

1. Normal operation
Contents are served from the main server alone.

2. During maintenance of the contents on the main server
The main server is used as a Reverse Proxy to the reserved server.
Contents are served from the reserved server.

3. Downtime of the main server
Contents are served from the reserved server.
Clients access the reserved server directly.
Question:
For the third case, is it possible to let the reserved server authenticate users?
In this case, the same domain policies are applicable to both servers, aren't they?
Answer:
The domain policies defined for an Agent Group are applied to all agents in the group in the same manner. If the agents on both the main server and the reserved server are in the same Agent Group, the realm and the corresponding Auth Scheme for the Agent Group are applied to both agents.

When the main server is configured as the Reverse Proxy (case 2), an SMSESSION cookie is created on that server after authentication and issued to the client. The client can then single sign-on to the reserved server by presenting the SMSESSION cookie. If the client accesses the reserved server directly (case 3), authentication is performed on the reserved server.

Setting "ProxyAgent=yes" in the Agent Configuration Object (ACO) for the main server and "ProxyTrust=yes" in the ACO for the reserved server makes the reserved server skip validation of the SMSESSION cookie when authentication has already been done on the Reverse Proxy server. This reduces the load on the reserved server and the Policy Server.