Before SOA Security Manager processes a request as an Identity Provider, it validates the message attributes using the local URL for the Federation Web Services application.
For example, an AuthnRequest message from an SP can contain the following attribute:
Destination="http://idp.domain.com:8080/affwebservices/public/saml2sso"
In this example, the Destination attribute in the AuthnRequest and the address of the Federation Web Services application are the same. SOA Security Manager verifies that the Destination attribute matches the local URL of the FWS application.
If SOA Security Manager sits behind a proxy server, the local and destination attribute URLs are not the same. The Destination attribute is the URL of the proxy server. For example, the AuthnRequest can include the following Destination attribute:
Destination="http://proxy.domain.com:9090/affwebservices/public/saml2sso"
The local URL for Federation Web Services, http://idp.domain.com:8080/affwebservices/public/saml2sso, does not match the Destination attribute, so SOA Security Manager denies the request.
You can specify a proxy configuration to alter how SOA Security Manager determines the local URL for verifying a message attribute. If you specify a proxy, SOA Security Manager replaces the <protocol>://<authority> portion of the local URL with the proxy server URL. The result is a match between the two URLs.
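The following added example (not CA's code) models the check described above: it reads the Destination attribute from a SAML 2.0 AuthnRequest, optionally rewrites the <protocol>://<authority> part of the local FWS URL with a proxy URL, and accepts the request only when the two match. The sample AuthnRequest is constructed here, and the case-insensitive comparison of scheme and host is an assumption based on URL syntax rules, not documented SOA Security Manager behaviour.

```python
from typing import Optional
from urllib.parse import urlparse, urlunparse
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
LOCAL_FWS_URL = "http://idp.domain.com:8080/affwebservices/public/saml2sso"


def build_authn_request(destination: str) -> str:
    """Construct a minimal sample AuthnRequest carrying the given Destination."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_constructed-sample" '
        f'Version="2.0" IssueInstant="2011-01-01T00:00:00Z" '
        f'Destination="{destination}"/>'
    )


def destination_of(authn_request_xml: str) -> Optional[str]:
    """Return the Destination attribute of a samlp:AuthnRequest, or None if absent."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest element")
    return root.get("Destination")


def effective_local_url(local_url: str, proxy_url: Optional[str] = None) -> str:
    """Replace <protocol>://<authority> of the local URL with the proxy's when configured."""
    if proxy_url is None:
        return local_url
    local, proxy = urlparse(local_url), urlparse(proxy_url)
    # Keep the local path, params, query and fragment; swap only scheme and authority.
    return urlunparse((proxy.scheme, proxy.netloc, local.path,
                       local.params, local.query, local.fragment))


def destination_matches(authn_request_xml: str, local_url: str,
                        proxy_url: Optional[str] = None) -> bool:
    """Return True only if Destination equals the (possibly proxied) local FWS URL."""
    dest = destination_of(authn_request_xml)
    if dest is None:
        return False  # a request without a Destination cannot be verified
    got, want = urlparse(dest), urlparse(effective_local_url(local_url, proxy_url))
    # Scheme and host are case-insensitive; path and query are compared exactly.
    return (got.scheme.lower(), got.netloc.lower(), got.path, got.query) == \
           (want.scheme.lower(), want.netloc.lower(), want.path, want.query)


if __name__ == "__main__":
    req = build_authn_request("http://proxy.domain.com:9090/affwebservices/public/saml2sso")
    print("no proxy configured:", destination_matches(req, LOCAL_FWS_URL))
    print("proxy configured:   ", destination_matches(req, LOCAL_FWS_URL, "http://proxy.domain.com:9090"))
```

Without a proxy configuration the proxied request is denied; once the proxy URL is supplied, the rewritten local URL equals the Destination and the request passes.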
Copyright © 2011 CA. All rights reserved.