

Request Processing with a Proxy Server at the SP

When CA SiteMinder® receives certain requests at the SP, it validates the message attributes. CA SiteMinder® verifies the attributes using the local URL for Federation Web Services application. After verification, CA SiteMinder® processes the request.

For example, a logout request message can contain the following attribute:

Destination="http://sp.domain.com:8080/affwebservices/public/saml2slo"

In this example, the destination attribute in the logout message and the address of the Federation Web Services application are the same. CA SiteMinder® verifies that the destination attribute matches the local URL of the FWS application.

If CA SiteMinder® sits behind a proxy server, the local URL and the destination attribute URL are not the same. The destination attribute is the URL of the proxy server. For example, the logout message can include the following destination attribute:

Destination="http://proxy.domain.com:9090/affwebservices/public/saml2slo"

The local URL for Federation Web Services, http://sp.domain.com:8080/affwebservices/public/saml2slo, does not match the Destination attribute, so the request is denied.

You can specify a proxy configuration to alter how CA SiteMinder® determines the local URL used for verifying the message attribute of a request. In a proxy configuration, CA SiteMinder® replaces the <protocol>://<authority> portion of the local URL with the proxy server URL. This replacement results in a match between the two URLs.
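The following is an added illustration of the check described above; it is not CA SiteMinder® code. It extracts the Destination attribute from a constructed SAML 2.0 LogoutRequest, rewrites the <protocol>://<authority> part of the local FWS URL with a configured proxy Server value, and compares the two. The function names (effective_local_url, destination_of, destination_matches) are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit
import xml.etree.ElementTree as ET

SAML2P_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Local Federation Web Services URL (value taken from the page).
LOCAL_SLO_URL = "http://sp.domain.com:8080/affwebservices/public/saml2slo"

# Constructed sample LogoutRequest whose Destination is the proxy-facing URL.
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAML2P_NS}"
  ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="http://proxy.domain.com:9090/affwebservices/public/saml2slo"/>"""


def effective_local_url(local_url: str, proxy_server: Optional[str]) -> str:
    """Return the URL used for verification.

    With a proxy configured, scheme and authority come from the proxy Server
    value (format <protocol>://<authority>); path and query stay local.
    """
    if not proxy_server:
        return local_url
    proxy = urlsplit(proxy_server)
    # The Server field is a partial URL: no path, no query, no fragment.
    if not proxy.scheme or not proxy.netloc or proxy.path not in ("", "/"):
        raise ValueError("proxy Server must be <protocol>://<authority> only")
    local = urlsplit(local_url)
    return urlunsplit((proxy.scheme, proxy.netloc, local.path, local.query, ""))


def destination_of(logout_request_xml: str) -> Optional[str]:
    """Extract the Destination attribute from a samlp:LogoutRequest."""
    root = ET.fromstring(logout_request_xml)
    if root.tag != f"{{{SAML2P_NS}}}LogoutRequest":
        raise ValueError("not a SAML 2.0 LogoutRequest")
    return root.get("Destination")


def destination_matches(logout_request_xml: str, local_url: str,
                        proxy_server: Optional[str] = None) -> bool:
    """Accept only if Destination equals the (possibly proxy-rewritten) local URL."""
    dest = destination_of(logout_request_xml)
    # A missing Destination is treated as a mismatch, never as a free pass.
    return dest is not None and dest == effective_local_url(local_url, proxy_server)
```

Without a proxy Server value the sample request is denied; with "http://proxy.domain.com:9090" configured, the rewritten local URL matches and the request is accepted.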

Configure Request Processing with a Proxy Server at the SP

Specify a proxy configuration to alter how CA SiteMinder® determines the local URL used for verifying the message attribute of a request.

To use a proxy server at the Service Provider

  1. Navigate to the SAML 2.0 authentication scheme you want to modify.
  2. Select SAML 2.0 Configuration, Advanced.
  3. In the Proxy section, enter a partial URL in the Server field. The format is <protocol>://<authority>.

     For example, the proxy server configuration would be:

     http://proxy.domain.com:9090

     If your network includes the SPS federation gateway, the Server field must specify the SPS federation gateway host and port, for example:

     http://sps_federation_gateway.domain.com:9090

  4. Click OK to save your changes.

The Server configuration affects the URLs for the following services at the SP:

The Server value becomes part of the URL that CA SiteMinder® uses to verify SAML attributes, such as the Destination attribute.

Note: If you are using a proxy server for one URL, use it for all these URLs.