Changing the Authentication URL context in CA Access Gateway

Document ID : KB000015225
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

You were running federation on WAOP using NewAtlanta ServletExec.

Now you are migrating to CA Access Gateway.

The federation web services was deployed on /affwebservices but you were using different authentication url context.

 

For example, https://server.domain/federation/redirect.jsp instead of https://server.domain/affwebservices/redirectjsp/redirect.jsp or https://server.domain/siteminderagent/redirectjsp/redirect.jsp

 

In the NewAtlanta ServletExec, the startup script has alias settings that you can configure which makes it easy to add an alias URI for document root.

How can this be achieved when using CA Access Gateway?

Question:

How can I use https://server.domain/federation/redirect.jsp as AuthenticationURL when using CA Access Gateway?

 

Environment:
CA Access Gateway with Federation Web Services deployed.
Answer:

If you look at server.conf file, it has the federation section as below.

 <federation>
  enablefederationgateway="yes"
  fedrootcontext="affwebservices"
  authurlcontext="siteminderagent/redirectjsp"
  allowlinking="yes"
  protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
 </federation>

 

By changing the authurlcontext, you can achieve your goal of using different root context for authentication url.

The use case was to use https://server.domain/federation/redirect.jsp but if you look at the folder structure of affwebservices, the redirect.jsp file is contained under "redirectjsp" folder, thus the default authurlcontext is "siteminderagent/redirectjsp".

To workaround that, you can copy the redirect.jsp file to affwebservices folder and update the server.conf as below.

 <federation>
  enablefederationgateway="yes"
  fedrootcontext="affwebservices"
  authurlcontext="federation"
  allowlinking="yes"
  protectedbackchannelservices="saml2artifactresolution,saml2certartifactresolution,saml2attributeservice,saml2certattributeservice,assertionretriever,certassertionretriever"
 </federation>

 

Then you will need to restart the CA Access Gateway services.

 

You must also ensure that your federation configuration has AuthenticationURL matching whatever you specified above.