Configure a reverse proxy point of contact server
Configuring a SAML 2.0 or OpenID Connect federation requires setting up a reverse proxy instance as the point of contact. We can use these instructions to configure a reverse proxy instance, or we can use the Web services REST APIs. The REST API topic is located in...
Web > Manage > Reverse Proxy > Federation Configuration
If we use the Web services REST APIs to configure a reverse proxy instance, ensure that the junction name is /isam. The reverse proxy instance is used to authenticate users at the identity provider and to protect services at the service provider. We must have a reverse proxy instance for both the service provider and the identity provider. See Reverse proxy instance management.
Steps
- Import the federation runtime SSL certificate into the reverse proxy trusted signer certificates keystore.
- Use the pdadmin command to create the /isam junction to the federation runtime.
- Update the reverse proxy configuration file using the local management interface:
- Click Web > Manage > Reverse Proxy.
- Select the reverse proxy instance to update, and click Manage > Configuration > Edit Configuration File.
- Edit the configuration file with the following stanzas and entries, depending on the federation protocol:
- SAML 2.0
    [ba]
    ba-auth = none

    [forms]
    forms-auth = https

    [authentication-levels]
    level = ext-auth-interface

    [eai]
    eai-auth = https
    retain-eai-session = yes
    eai-verify-user-identity = no
    eai-redir-url-priority = yes

    [eai-trigger-urls]
    trigger = /isam/sps/auth*
    trigger = /isam/sps/federation_name/saml20/soap*
    trigger = /isam/sps/federation_name/saml20/slo*
    trigger = /isam/sps/federation_name/saml20/login*

    [session]
    user-session-ids = yes
- Legacy OpenID Connect
    [ba]
    ba-auth = none

    [forms]
    forms-auth = https

    [junction:/isam]
    reset-cookies-list = *JSESSIONID*,*WAS*

    (RP ONLY)
    [authentication-levels]
    level = ext-auth-interface

    (RP ONLY)
    [eai]
    eai-auth = https
    eai-redir-url-priority = yes

    (RP ONLY)
    [eai-trigger-urls]
    trigger = /isam/sps/oidc/client/federation_providerID*
- OpenID Connect Relying Party
    [ba]
    ba-auth = none

    [forms]
    forms-auth = https

    [junction:/isam]
    reset-cookies-list = *JSESSIONID*,*WAS*

    [authentication-levels]
    level = ext-auth-interface

    [eai]
    eai-auth = https
    eai-redir-url-priority = yes

    [eai-trigger-urls]
    trigger = /isam/sps/oidc/rp/fedname/redirect/*
- Use the pdadmin command to define the nobody, anyauth, and unauth ACLs. Note that the WebSEAL user should be used for default-webseald/isam-op.
    acl create fedname-nobody
    acl modify fedname-nobody set user default-webseald/hostname TcmdbsvaBRl
    acl modify fedname-nobody set user sec_master TcmdbsvaBRrxl
    acl modify fedname-nobody set group iv-admin TcmdbsvaBRrxl
    acl modify fedname-nobody set group webseal-servers Tgmdbsrxl
    acl modify fedname-nobody set any-other T
    acl modify fedname-nobody set unauthenticated T

    acl create fedname-anyauth
    acl modify fedname-anyauth set user default-webseald/hostname TcmdbsvaBRl
    acl modify fedname-anyauth set user sec_master TcmdbsvaBRrxl
    acl modify fedname-anyauth set group iv-admin TcmdbsvaBRrxl
    acl modify fedname-anyauth set group webseal-servers Tgmdbsrxl
    acl modify fedname-anyauth set any-other Tr
    acl modify fedname-anyauth set unauthenticated T

    acl create fedname-unauth
    acl modify fedname-unauth set user default-webseald/hostname TcmdbsvaBRl
    acl modify fedname-unauth set user sec_master TcmdbsvaBRrxl
    acl modify fedname-unauth set group iv-admin TcmdbsvaBRrxl
    acl modify fedname-unauth set group webseal-servers Tgmdbsrxl
    acl modify fedname-unauth set any-other Tr
    acl modify fedname-unauth set unauthenticated Tr
- Use the pdadmin command to create the ACLs on the policy server and attach them to the relevant endpoints.
- SAML 2.0
    fedname-nobody:
        /WebSEAL/hostname-webseal/isam

    fedname-unauth:
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/login
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/sloinitial
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/mnids
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/logininitial
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/slo
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/soap

    fedname-anyauth:
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/mnidsinitial
        /WebSEAL/hostname-webseal/isam/sps/fedname/saml20/auth
        /WebSEAL/hostname-webseal/isam/sps/wssoi
        /WebSEAL/hostname-webseal/isam/sps/auth
- Legacy OpenID Connect
    fedname-nobody:
        /WebSEAL/hostname-instance/isam

    fedname-unauth:
        /WebSEAL/hostname-instance/isam/sps/static
        /WebSEAL/hostname-instance/isam/sps/fedname/oidc/auth
        /WebSEAL/hostname-instance/isam/oidc/scripts
        /WebSEAL/hostname-instance/isam/oidc/endpoint/amapp-runtime-fedname/token
        /WebSEAL/hostname-instance/isam/oidc/endpoint/amapp-runtime-fedname/introspect
        /WebSEAL/hostname-instance/isam/oidc/endpoint/amapp-runtime-fedname/authorize
        (RP Only) /WebSEAL/hostname-instance/isam/sps/oidc/client/fedname
        (RP Only) /WebSEAL/hostname-instance/isam/oidcclient/redirect

    fedname-anyauth:
        /WebSEAL/hostname-instance/isam/sps/auth
- OpenID Connect Relying Party
    fedname-unauth:
        /WebSEAL/hostname-instance/isam/sps/oidc/rp/fedname/kickoff
        /WebSEAL/hostname-instance/isam/sps/oidc/rp/fedname/redirect
- Use the pdadmin command to add the HTTP-Tag-Value attribute to the /isam junction object so that the user_session_id is propagated to the federation runtime:
- If force-tag-value-prefix = yes:
object modify /WebSEAL/hostname-default/isam set attribute HTTP-Tag-Value user_session_id=USER-SESSION-ID
- If force-tag-value-prefix = no:
object modify /WebSEAL/hostname-default/isam set attribute HTTP-Tag-Value tagvalue_user_session_id=USER-SESSION-ID
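The configuration-file step above is easy to get partly wrong because the [eai-trigger-urls] and [authentication-levels] stanzas hold repeated keys. The following added example (not IBM code, not from this page) parses a WebSEAL-style configuration file into stanza/key/value sets and reports every SAML 2.0 point-of-contact entry from the list above that is missing; the federation name "myfed" and the sample configuration are constructed for the demonstration.

```python
# Added example, not from the IBM documentation: check a WebSEAL reverse proxy
# configuration file for the SAML 2.0 point-of-contact entries listed on this page.
from collections import defaultdict

# Required (stanza, key, value) triples; "federation_name" is the page's placeholder.
REQUIRED = [
    ("ba", "ba-auth", "none"), ("forms", "forms-auth", "https"),
    ("authentication-levels", "level", "ext-auth-interface"),
    ("eai", "eai-auth", "https"), ("eai", "retain-eai-session", "yes"),
    ("eai", "eai-verify-user-identity", "no"), ("eai", "eai-redir-url-priority", "yes"),
    ("eai-trigger-urls", "trigger", "/isam/sps/auth*"),
    ("eai-trigger-urls", "trigger", "/isam/sps/federation_name/saml20/soap*"),
    ("eai-trigger-urls", "trigger", "/isam/sps/federation_name/saml20/slo*"),
    ("eai-trigger-urls", "trigger", "/isam/sps/federation_name/saml20/login*"),
    ("session", "user-session-ids", "yes"),
]

def parse_webseal_conf(text):
    """Parse [stanza] headers and key = value lines; a key may repeat (e.g. trigger)."""
    conf = defaultdict(lambda: defaultdict(set))
    stanza = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()      # a stanza may be reopened later; values merge
        elif stanza is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[stanza][key].add(value)
    return conf

def missing_entries(conf, fedname):
    """Return '[stanza] key = value' for each required entry absent from conf."""
    missing = []
    for stanza, key, value in REQUIRED:
        value = value.replace("federation_name", fedname)
        if value not in conf.get(stanza, {}).get(key, ()):
            missing.append(f"[{stanza}] {key} = {value}")
    return missing

# Constructed sample: ba-auth is wrong and the slo* trigger is missing on purpose.
SAMPLE_CONF = "\n".join([
    "[ba]", "ba-auth = basic", "[forms]", "forms-auth = https",
    "[authentication-levels]", "level = password", "level = ext-auth-interface",
    "[eai]", "eai-auth = https", "retain-eai-session = yes",
    "eai-verify-user-identity = no", "eai-redir-url-priority = yes",
    "[eai-trigger-urls]", "trigger = /isam/sps/auth*",
    "trigger = /isam/sps/myfed/saml20/soap*", "trigger = /isam/sps/myfed/saml20/login*",
    "[session]", "user-session-ids = yes",
])
```

Running `missing_entries(parse_webseal_conf(SAMPLE_CONF), "myfed")` on the sample reports the wrong ba-auth value and the absent slo* trigger; an empty list means every listed entry is present.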