9 replies Latest Post - ‏2013-08-14T00:05:57Z by AparnaByra
SystemAdmin

Pinned topic Issue with RMC-generated websites, CA Siteminder and IE

‏2012-11-27T20:58:41Z |
We use CA's SiteMinder for user authentication and are having an issue accessing links with Internet Explorer and RMC-generated websites because of the hashtags. The SiteMinder Web Agent is a web server plug-in which intercepts the http(s):\\URL\URI that is sent to the web server. The URI that is being passed to the SiteMinder agent does not contain anything past the hashtag.

Example: https://companyurl/#plug-in/folder1/folder2/somehtmlpage.html

The following is being passed as the URI in IE: https://companyurl/
It's not passing the rest of the path '#plug-in/folder1/folder2/somepage.html'.

Can anyone help with this issue?

Also, are RMC-generated sites certified under any other authentication tools?
Updated on 2012-12-11T21:46:15Z at 2012-12-11T21:46:15Z by SystemAdmin
  • SystemAdmin

    Re: Issue with RMC-generated websites, CA Siteminder and IE

    ‏2012-11-27T21:40:09Z  in response to SystemAdmin
    We ran into the exact same issue when our enterprise moved to Active Directory Federation Services to provide Single Sign-On access. We are using Integrated Windows Authentication as an alternative on the sites that host our RMC-published content. For us, it was not an issue to go with IWA because most of our users are already authenticated to the appropriate domain as part of log-in and so generally get single sign-on benefits. When they are not, they are challenged for credentials with the standard IWA dialog.
    Prior to our enterprise going with ADFS, we used ClearTrust for single sign-on functionality and saw the same issue with its default forms-based option. ClearTrust had a formless option that allowed the # to survive the authentication trip so we used that for our sites.

    Hope this helps,

    Tom
    • SystemAdmin

      Re: Issue with RMC-generated websites, CA Siteminder and IE

      ‏2012-11-29T19:45:23Z  in response to SystemAdmin
      1. RMC generated web sites have not been tested under SiteMinder, and there are various web authentication systems being used by different organizations, so we could not possibly verify them one by one.
      2. This is more an issue with SiteMinder. Please check with that vendor to see if their product can be configured to allow the hashtag. As Tom pointed out, another product, ClearTrust, does have a way to allow that.
      3. At this time, there is no quick fix from RMC development to remove the hashtag in the URLs. That would involve rearchitecting the entire RMC web sites, and is a long term endeavor.

      Thanks much.
      Bing.
      • SystemAdmin

        Re: Issue with RMC-generated websites, CA Siteminder and IE

        ‏2012-11-29T21:55:34Z  in response to SystemAdmin
        Thank you for replying. I have spoken to CA, the SiteMinder vendor, and our internal architects and we've found that Internet Explorer is stripping out the hashtag and everything after it when it's redirected to the authentication server. SiteMinder isn't even getting the full URL from IE. In regards to the formless option that allowed this to work with Clearcase, we do not have that option for authentication. Any other ideas from the development team?
        • SystemAdmin

          Re: Issue with RMC-generated websites, CA Siteminder and IE

          ‏2012-11-29T22:56:57Z  in response to SystemAdmin
          Hi

          1. Unfortunately we use neither SiteMinder nor ClearTrust (which is mentioned by Tom).

          2. We are not convinced by the statement that IE is stripping the hashtag. It only happens when you integrate with SiteMinder, right? Without SiteMinder, it works correctly. So the SiteMinder vendor is still the right party to investigate it at this time. SiteMinder inserts a plug-in on the web server, and that plug-in stays in the middle to parse the URLs for security checks and authentication data.

          Hope this helps.

          Thanks very much.
          Bing.
          • SystemAdmin

            Re: Issue with RMC-generated websites, CA Siteminder and IE

            ‏2012-11-30T13:32:05Z  in response to SystemAdmin
            1. Which authentication tools have been tested by IBM for RMC-sites?

            2. The sites work fine with IE alone but when there is a redirect to our authentication server, the issue occurs. SiteMinder accepts what the browser sends but the browser, IE in this case, is removing the # onwards on redirect. There is a detailed explanation on this page: http://blogs.msdn.com/b/ieinternals/archive/2011/05/17/url-fragments-and-redirects-anchor-hash-missing.aspx

            There is an update that this may be resolved with IE 10 which I am testing now.
            • SystemAdmin

              Re: Issue with RMC-generated websites, CA Siteminder and IE

              ‏2012-11-30T18:11:26Z  in response to SystemAdmin
              RMC generated web sites are simply static web sites with JavaScript. We don't require any specific authentication to access static web pages, nor do we care, and we just test the basic HTTP authentication. Any commercial 3rd party authentication system should be compatible with it.

              All commercial 3rd party single sign-on authentication systems are add-ons to the existing web servers, and they should be transparent to whatever working web sites you have without them being installed, and they usually install components that do URL manipulation and redirects. You have to work with those vendors unless it can be proven that RMC web site URLs do not work under no authentication or under basic HTTP authentication.

              I'm not following why IE does not strip # onwards without SiteMinder, but with it, it does. Is there no redirect involved when no SiteMinder is integrated in your system?

              Not sure what web server you use, and I suppose you use IIS. A good test is to set up an Apache server to see if it behaves differently from IIS.

              Thanks very much.
              Bing.
              • SystemAdmin

                Re: Issue with RMC-generated websites, CA Siteminder and IE

                ‏2012-12-04T15:06:57Z  in response to SystemAdmin
                Take authentication out of the picture completely: IE strips the URL fragment (# and anything afterwards) when any webpage is redirected. This is supposedly resolved with IE10 but the RMC sites do not work with IE 10. Is there a timeframe for when IE 10 will be supported?
                • SystemAdmin

                  Re: Issue with RMC-generated websites, CA Siteminder and IE

                  ‏2012-12-11T21:46:15Z  in response to SystemAdmin
                  Ok, so you are not accessing the RMC generated web sites directly, but using some sort of redirection, right? I'm not quite following your deployment architecture as we have a lot of customers who have been using IE for so many years. Your situation is still new to us. Could you please provide some more details on how exactly the web sites are deployed and accessed?

                  As for IE 10 support, there is no plan yet for RMC. I'd speculate that we'll eventually support it, but there is no timeline at this point.

                  Thanks very much.
                  Bing.
                  • AparnaByra

                    Re: Issue with RMC-generated websites, CA Siteminder and IE

                    ‏2013-08-14T00:05:57Z  in response to SystemAdmin

                    Hello All,

                    We have a URL which has '#' in the content and which is SSO enabled. When we hit the complete URL, the '#' gets stripped and the content after # is removed.

                    In the above it is mentioned that with IE10 this could be resolved, but with IE10/Chrome it is still the same. The same URL will work fine if it is not SSO enabled.

                    Please suggest what needs to be looked at in the SiteMinder Web Agent policies (if any) or what plug-in needs to be installed.
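
Added example, not part of any post in this thread: a small JavaScript model of the behaviour discussed above. The fragment is never sent to the server, so it reaches the final page only if the browser carries it across every hop of the sign-on trip. The host `companyurl.example`, the `/sso/...` paths and the two hop sequences are constructed assumptions, not SiteMinder's actual flow.

```javascript
// Constructed sample; companyurl.example stands in for the thread's host.
const START =
  "https://companyurl.example/#plug-in/folder1/folder2/somehtmlpage.html";

// What goes on the wire: the HTTP request target never includes the
// fragment, so a web-server plug-in can only ever see this part.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// One 3xx hop. RFC 7231 section 7.1.2: a Location value without a fragment
// inherits the fragment of the URL that was requested.
// inheritFragment=false models a browser that drops it instead.
function followRedirect(requestUrl, location, inheritFragment) {
  const next = new URL(location, requestUrl);
  if (inheritFragment && next.hash === "") {
    next.hash = new URL(requestUrl).hash;
  }
  return next.href;
}

// Walk a trip. Each hop is {redirect: location} or {formPost: action}.
// Submitting a form navigates to the form's action URL, which carries no
// fragment here, so nothing is inherited on that hop.
function walk(start, hops, inheritFragment) {
  let url = start;
  for (const hop of hops) {
    url = hop.redirect !== undefined
      ? followRedirect(url, hop.redirect, inheritFragment)
      : new URL(hop.formPost, url).href;
  }
  return url;
}

// Hypothetical hop sequences (paths are assumptions for illustration).
const redirectOnly = [{ redirect: "/sso/check?TARGET=%2F" }, { redirect: "/" }];
const viaLoginForm = [
  { redirect: "/sso/login?TARGET=%2F" },
  { formPost: "/sso/login" },
  { redirect: "/" },
];

console.log("server sees:       ", requestTarget(START));
console.log("redirects, inherit:", walk(START, redirectOnly, true));
console.log("redirects, dropped:", walk(START, redirectOnly, false));
console.log("via login form:    ", walk(START, viaLoginForm, true));
```

In this model the server-side `TARGET` value is `/` in every case, because the server never received the fragment; only a client-side step can carry it forward.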