Topic
  • 9 replies
  • Latest Post - ‏2013-08-14T00:05:57Z by AparnaByra
SystemAdmin
SystemAdmin
1193 Posts

Pinned topic Issue with RMC-generated websites, CA Siteminder and IE

‏2012-11-27T20:58:41Z |
We use CA's Siteminder for user authentication and are having an issue accessing links with Internet Explorer and RMC-generated websites because of the hashtags. The SiteMinder Web Agent is a web server plug-in which intercepts the http(s):\\URL\URI that is sent to the web server. The URI that is being based to the Siteminder agent does not contain anything past the hashtag.

Example: https://companyurl/#plug-in/folder1/folder2/somehtmlpage.html

The following is being passed as the URI in IE: https://companyurl/
It's not passing the rest of the path '#plug-in/folder1/folder2/somepage.html'.

Can anyone help with this issue?

Also, are RMC-generated sites certified under any other authentication tools?
Updated on 2012-12-11T21:46:15Z at 2012-12-11T21:46:15Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-11-27T21:40:09Z  
    We ran into the exact same issue when our enterprise moved to Active Directory Federation Services to provide Single Sign-On access. We are using Integrated Windows Authentication as an alternative on the sites that host our RMC-published content. For us, it was not an issue to go with IWA because most of our users are already authenticated to the appropriate domain as part of log-in and so generally get single sign-on benefits. When they are not, they are challenged for credentials with the standard IWA dialog.
    Prior to our enterprise going with ADFS, we used ClearTrust for single sign-on functionality and saw the same issue with its default forms-based option. ClearTrust had a formless option that allowed the # to survive the authentication trip so we used that for our sites.

    Hope this helps,

    Tom
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-11-29T19:45:23Z  
    We ran into the exact same issue when our enterprise moved to Active Directory Federation Services to provide Single Sign-On access. We are using Integrated Windows Authentication as an alternative on the sites that host our RMC-published content. For us, it was not an issue to go with IWA because most of our users are already authenticated to the appropriate domain as part of log-in and so generally get single sign-on benefits. When they are not, they are challenged for credentials with the standard IWA dialog.
    Prior to our enterprise going with ADFS, we used ClearTrust for single sign-on functionality and saw the same issue with its default forms-based option. ClearTrust had a formless option that allowed the # to survive the authentication trip so we used that for our sites.

    Hope this helps,

    Tom
    1. RMC generated web sites have not been tested under SiteMinder, and there are various web authentication systems being used by different organizations so we could not possibly to verify them one by one.
    2. This is more an issue with SiteMInder. Please check with that vendor to see if their product can be configured to allow the hashtag. As Tom pointed out, another product ClearTrust does have a way to allow that.
    3. At this time, there is no quick fix from RMC development to remove the hashtag in the URLs. That would involve rearchirecturing the entire RMC web sites, and is a long term endeavor.

    Thanks much.
    Bing.
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-11-29T21:55:34Z  
    1. RMC generated web sites have not been tested under SiteMinder, and there are various web authentication systems being used by different organizations so we could not possibly to verify them one by one.
    2. This is more an issue with SiteMInder. Please check with that vendor to see if their product can be configured to allow the hashtag. As Tom pointed out, another product ClearTrust does have a way to allow that.
    3. At this time, there is no quick fix from RMC development to remove the hashtag in the URLs. That would involve rearchirecturing the entire RMC web sites, and is a long term endeavor.

    Thanks much.
    Bing.
    Thank you for replying. I have spoken to CA, the SiteMinder vendor, and our internal architects and we've found that Internet Explorer is stripping out the hashtag and everything after it when it's redirected to the authentication server. SiteMinder isn't even getting the full URL from IE. In regards to the formless option that allowed this to work with Clearcase, we do not have that option for authentication. Any other ideas from the development team?
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-11-29T22:56:57Z  
    Thank you for replying. I have spoken to CA, the SiteMinder vendor, and our internal architects and we've found that Internet Explorer is stripping out the hashtag and everything after it when it's redirected to the authentication server. SiteMinder isn't even getting the full URL from IE. In regards to the formless option that allowed this to work with Clearcase, we do not have that option for authentication. Any other ideas from the development team?
    Hi

    1. Unfortunately we do not use neither SiteMinder nor ClearTrust (which is mentioned by Tom).

    2. We are not convinced at the statement that IE is striping the hasktag. It only happens when you integrate with SiteMInder, right? Without SiteMinder, it works correctly. So the SiteMinder vendor is still the right party to investigate it at this time. SiteMider inserts a plug-in on the web server, and that plug-in stays in the middle to parse the URLs for security checks and authtication data.

    Hope this helps.

    Thanks very much.
    Bing.
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-11-30T13:32:05Z  
    Hi

    1. Unfortunately we do not use neither SiteMinder nor ClearTrust (which is mentioned by Tom).

    2. We are not convinced at the statement that IE is striping the hasktag. It only happens when you integrate with SiteMInder, right? Without SiteMinder, it works correctly. So the SiteMinder vendor is still the right party to investigate it at this time. SiteMider inserts a plug-in on the web server, and that plug-in stays in the middle to parse the URLs for security checks and authtication data.

    Hope this helps.

    Thanks very much.
    Bing.
    1. Which authentication tools have been tested by IBM for RMC-sites?

    2. The sites work fine with IE alone but when there is a redirect to our authentication server, the issue occurs. Siteminder accepts what the broswer sends but the browser, IE in this case, is removing the # onwards on redirect. There is a detailed explanation on this page: http://blogs.msdn.com/b/ieinternals/archive/2011/05/17/url-fragments-and-redirects-anchor-hash-missing.aspx

    There is an update that this may be resolved with IE 10 which I am testing now.
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-11-30T18:11:26Z  
    1. Which authentication tools have been tested by IBM for RMC-sites?

    2. The sites work fine with IE alone but when there is a redirect to our authentication server, the issue occurs. Siteminder accepts what the broswer sends but the browser, IE in this case, is removing the # onwards on redirect. There is a detailed explanation on this page: http://blogs.msdn.com/b/ieinternals/archive/2011/05/17/url-fragments-and-redirects-anchor-hash-missing.aspx

    There is an update that this may be resolved with IE 10 which I am testing now.
    RMC generated web sites are simply static web sites with JavaScript. We don't require any specific authentication to access static web pages nor do we care, and we just test the basic HTTP authentication, any commercial 3rd party authentication system should be compatible with it.

    All commercial 3rd party single single-on authentication systems are add-ons to the existing web servers, and they should be transpant to whatever working web sites you have without them being installed, and they usually install components that do URL manipulation and redirects. You have to work with those vendors unless it can be proven that RMC web site URLs do not work under no authentication or under basic HTTP authentication.

    I'm not following why IE does not strip # onwards without SiteMInder, but with it, it does. Is there no redirect involved when no SiteMinder is intgerated in your system?

    Not sure what web server you use, and I suppose you use IIS. A good test is to set up an Apache server to see if it behaves differently from IIS.

    Thanks very much.
    Bing.
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-12-04T15:06:57Z  
    RMC generated web sites are simply static web sites with JavaScript. We don't require any specific authentication to access static web pages nor do we care, and we just test the basic HTTP authentication, any commercial 3rd party authentication system should be compatible with it.

    All commercial 3rd party single single-on authentication systems are add-ons to the existing web servers, and they should be transpant to whatever working web sites you have without them being installed, and they usually install components that do URL manipulation and redirects. You have to work with those vendors unless it can be proven that RMC web site URLs do not work under no authentication or under basic HTTP authentication.

    I'm not following why IE does not strip # onwards without SiteMInder, but with it, it does. Is there no redirect involved when no SiteMinder is intgerated in your system?

    Not sure what web server you use, and I suppose you use IIS. A good test is to set up an Apache server to see if it behaves differently from IIS.

    Thanks very much.
    Bing.
    Take authentication out of the picture completely, IE strips the URL fragment (# and anything afterwards) when any webpage is redirected. This is supposedly resolved with IE10 but the RMC sites do not work with IE 10. Is there a timeframe with IE 10 will be supported?
  • SystemAdmin
    SystemAdmin
    1193 Posts

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-12-11T21:46:15Z  
    Take authentication out of the picture completely, IE strips the URL fragment (# and anything afterwards) when any webpage is redirected. This is supposedly resolved with IE10 but the RMC sites do not work with IE 10. Is there a timeframe with IE 10 will be supported?
    Ok, so you are not accessing the RMC generated web sites directly, but using some sort of redirection, right? I'm not quite following your deployment architecture as we have a lot of custmoers who have been using IEs for so many years. Your situation is still new to us. Could you please provide some more details how exactly the web sites are deployed and accessed?

    As for IE 10 support, there is no plan yet for RMC. I'd speculate that we'll eventaully support it, but there is no timeline at this point.

    Thanks very much.
    Bing.
  • AparnaByra
    AparnaByra
    1 Post

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2013-08-14T00:05:57Z  
    Ok, so you are not accessing the RMC generated web sites directly, but using some sort of redirection, right? I'm not quite following your deployment architecture as we have a lot of custmoers who have been using IEs for so many years. Your situation is still new to us. Could you please provide some more details how exactly the web sites are deployed and accessed?

    As for IE 10 support, there is no plan yet for RMC. I'd speculate that we'll eventaully support it, but there is no timeline at this point.

    Thanks very much.
    Bing.

    Hello All,

    We have a URL which has '#' in the content which is SSO enabled. When we hit the complete URL the '#' gets stripped & the content after # is removed.

    In the above it is mentioned with IE10 this could be resolved, but with IE10/Chrome it is still the same. The same URL will work fine if it not SSO enabled.

    Please suggest what needs to be looked from Siteminder Web Agent policies (if any) or what Plugin needs to be installed.