Request Processing with a Proxy Server at the IdP

When SiteMinder receives certain requests at the IdP, it validates the message attributes against the local URL of the Federation Web Services application before processing the request.

For example, an AuthnRequest message from an SP may contain the following attribute:

Destination="http://idp.domain.com:8080/affwebservices/public/saml2sso"

In this example, the Destination attribute in the AuthnRequest and the address of the Federation Web Services application are the same. SiteMinder verifies that the Destination attribute matches the local URL of the Federation Web Services application.

When the SiteMinder federated environment sits behind a proxy server, the local URL and the URL in the Destination attribute are not the same, because the Destination attribute contains the URL of the proxy server. For example, the AuthnRequest may include the following Destination attribute:

Destination="http://proxy.domain.com:9090/affwebservices/public/saml2sso"

The local URL for Federation Web Services, http://idp.domain.com:8080/affwebservices/public/saml2sso, does not match the Destination attribute, so the request is denied.

You can specify a proxy configuration to alter how SiteMinder determines the local URL used for verifying the message attribute of a request. When a proxy configuration is set, SiteMinder replaces the <protocol>://<authority> portion of the local URL with the proxy server URL, which results in a match between the two URLs.
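
The check described above can be illustrated in Python. This is an added example, not SiteMinder code: it replaces the <protocol>://<authority> portion of the local URL with the proxy URL and compares the result with the Destination attribute of a constructed AuthnRequest. The function names, the URL normalization (case-insensitive scheme and host, explicit default ports), and the rejection of a missing Destination are assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer a hardened parser such as defusedxml
from urllib.parse import urlsplit, urlunsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DEFAULT_PORTS = {"http": 80, "https": 443}

def effective_local_url(local_url, proxy_base=None):
    """Swap <protocol>://<authority> of the local URL for the proxy's, keeping the path."""
    if not proxy_base:
        return local_url
    local, proxy = urlsplit(local_url), urlsplit(proxy_base)
    if not proxy.scheme or not proxy.netloc:
        raise ValueError("proxy base must be <protocol>://<authority>")
    return urlunsplit((proxy.scheme, proxy.netloc, local.path, local.query, ""))

def _canonical(url):
    """Assumed normalization: lower-case scheme and host, default ports made explicit."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme), u.path)

def destination_ok(authn_request_xml, local_url, proxy_base=None):
    """True only if the request's Destination matches the (possibly proxied) local URL."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return False
    destination = root.get("Destination")
    if not destination:
        return False  # assumption: a missing Destination is treated as a mismatch
    return _canonical(destination) == _canonical(effective_local_url(local_url, proxy_base))

# Constructed sample values, using the URLs from the text above.
LOCAL_URL = "http://idp.domain.com:8080/affwebservices/public/saml2sso"
PROXY_BASE = "http://proxy.domain.com:9090"
REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_constructed1" Version="2.0" '
    'IssueInstant="2010-01-01T00:00:00Z" '
    'Destination="http://proxy.domain.com:9090/affwebservices/public/saml2sso"/>'
)

if __name__ == "__main__":
    print("no proxy configuration:", destination_ok(REQUEST, LOCAL_URL))
    print("proxy configuration set:", destination_ok(REQUEST, LOCAL_URL, PROXY_BASE))
```

Only the scheme and authority are substituted, so a request whose Destination names any other host, port, or path is still rejected when the proxy configuration is set.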


Copyright © 2010 CA. All rights reserved.