WebAuth Redirect URL Duplication

Similar Messages

• ISE 1.2 CWA Redirect URL

  Hi,
  Just wondered was there anyway to manipulate what webauth URL is sent to a client in the redirect string. Currently my ISE sends clients the internal machine name, I was wondering if there was anyway I can change this.
  I know on local webauth on the WLC you can set external URL's, does this feature exist in the ISE?
  TIA
  -G
  Sent from Cisco Technical Support iPad App

  Users Are Not Appropriately Redirected to URL
  Symptoms or Issue
  Administrator   receives one or more "Bad URL" error messages from Cisco ISE.
  Conditions
  This   scenario applies to 802.1X authentication as well as guest access sessions.
  Click   the magnifying glass icon in Authentications to launch the Authentication   Details. The authentication report should have the redirect URL in the RADIUS   response section as well as the session event section (which displays the   switch syslog messages).
  Possible   Causes
  Redirection   URL is entered incorrectly with invalid syntax or a missing path component.
  Resolution
  Verify   that the redirection URL specified in Cisco ISE via Cisco-av pair "URL   Redirect" is correct per the following options:
  •CWA   Redirection URL:   https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cwa
  •802.1X   Redirection URL:   url-redirect=https://ip:8443/guestportal/gateway?sessionId=SessionIdValue&action=cpp

• CT5760 - virtual-host in parameter-map not used in webauth redirect

  Hi all.
  I'll try posting my issue here before I post a TAC on this:
  Cisco CT5760 wireless controller running IOS-XE version 3.6.0.
  This issue is related to web authentication on an SSID with external web portal. It seems that the statement "virtual-host" in "parameter-map type webauth global" is not used as intended. I'll try to explain:
  When a user connects to an SSID with external web authentication enabled and the user opens a web browser, the user will get redirected to the external web portal for authentication. In this redirect URL we see the parameter "switch_url=http://1.2.3.4/login.html". The IP address 1.2.3.4 is, in this example, our virtual IP. But we have also configured "virtual-host" to be webauth.example.com. And in my opinion the "switch_url" parameter should be "switch_url=http://webauth.example.com/login.html". This is how it works on our old Cisco WiSM1 implementation.
  The reason why this is a problem is that the clients web browser will not accept the certificate installed on "http://1.2.3.4" because it is not issued with that IP address, only the hostname webauth.example.com. I know that it is possible to get certificates issued with an IP address (as long as it's not an RFC1918 IP address), but rumors say that many Certificate Authorities will stop issuing these soon, even with "real IPs". Therefore it is important that the redirect URL gets corrected.
  Does anyone disagree with me that this is a bug?

  Hi and thank you for your response.
  I feel that I need to clarify a few things. Here is my parameter-map config (a bit edited):
  parameter-map type webauth global
  virtual-ip ipv4 1.1.1.1 virtual-host webauth.example.com
  intercept-https-enable
  parameter-map type webauth webauth_external
  type webauth
  redirect for-login https://webauth-external.example.com/v2/login.html
  redirect portal ipv4 x.x.x.x
  So the problem here is that a web browser of the client gets the following redirect URL:
  https://webauth-external.example.com/v2/login.html?switch_url=https://1.1.1.1/login.html&redirect=http://www.cnn.com
  Then after a successful login on the external portal, the user gets redirected back to https://1.1.1.1/login.html. Here is the core of my problem. I think that the parameter "switch_url" should be with the name webauth.example.com since I configured it as the "virtual-host". This is the behavior we see with our old Cisco WiSM1.
  When the redirect goes to https://1.1.1.1/login.html the client complains about the certificate, because it is not issued to that IP address but to the hostname.
  I can verify that the client does not complain about this if I manually edit the redirect URL on the client to the following:
  https://webauth-external.example.com/v2/login.html?switch_url=https://webauth.example.com/login.html&redirect=http://www.cnn.com
  Then the redirect after authentication goes to https://webauth.example.com/login.html and the client accepts the certificate and everything is peachy.
  Do you see my problem? And yes, the virtual IP resolves to the name in DNS.

• GRC 10 - SSO via Portal - how to redirect url in notification variables

  Dears,
  I am in the process of designing our GRC 10 machine to be accessed via SSO in the Enterprise Portal. Yet I cannot find any info on what will happen with the URLs that are placed by ARM MSMP workflow in the variables of notifications/approvals.
  I typically would (as in 5.3) expect a redirect URL to be made available as an option.
  As an example: the Firefighter Log notification standard holds a variable pointing the URL to :
  http://GRC10server:GRC10port/sap/bc/webdynpro/sap/grac_ui_spm_log_email?sap-client=001&sap-language=EN&WF_ID=53FB8FEAC9E260D6E10000000AF90C44&APP_TYPE=1
  Yet now with SSO via the portal we also want this URL to go via the portal instead of directly to the GRC machine. How can we achieve that?
  Is there a configuration way to have GRC10server:GRC10port adjusted to the portal address..
  (mind that the WF_ID segment in this url is dynamically generated, so directly sqeezing in a static portal url is not an option)
  Cheers,
  Jim

  Hi Neeraj,
  Thx for your reaction. This unfortunately will not do the job as pasting the URL in the notification template will make it static. The problem is that the URL inserted by default is a dynamically created one which holds a variable pointer to a workflow object id.
  Now i am researching if a custom build portal redirect application will do the job. But there must be others having the same problem if you want the GRC iview in the portal to be the 'one-stop-shop' for your GRC users...
  Cheers,
  Jim

• Web Auth Type: Customized(downloaded) Redirect URL after login not working.

           5508WLC as anchor controller with WLC1 and WLC2 with WCS. I have 2 public ssids set up to go directly to the internet.
  Everything is working as it should.  I downloaded the web auth bundle from Cisco and  will just use a disclaimer page and then if the user clicks on the accept button they will be redirected to our company web page, and then they can get out to the internet.
  I have edited the aup.html and login.html to say what I want it to.  I have 2 different login.html pages and bundle to a .tar file like the documentation says.  I download it via tftp to the controller and it is successful. The disclaimer page opens up when I connect and it looks as it should.  The problem is I cannot seem to get the accept button to work. It redirects to a web page but it is undefined. 
     I must be missing some setting somewhere, but I just can not seem to find it.  Is there any line I need to edit in the login.html files that will redirect the page.    The config on the Web Login Page  Redirect URL after login is http://www.mccg.org which is our home page.
  Any help will be appreciated.  I cannot seem to fine very good documentation, or I am just overlooking something.
  Thanks
  John   

  Your HTML code is wrong. Attach your code if your okay with it and I can check.
  Sent from Cisco Technical Support iPhone App

• When I add an opendocument login token, it wipes out my parameter/prompt response in the Redirect URL

  I am having this issue and I wonder if anyone has any pointers?
  When I send the URL with the single prompt response &lsSPrompt0=1234567 it works fine but I have to login to InfoView.
  So I created a login token .jsp and that took care of the login for InfoView, but it also killed my prompt value.
  The code that I got from another site that does the same thing I WANT to do seems to create a cookie to store the passed prompt value in, then it creates a login token, then it assembles it all in the redirect URL and sends it to the openDocument.jsp.
  The login token works like a champ, but the prompt value (initially passed in to the cookie as "Prompt0") ends up passing from the Redirect URL to the openDocument.jsp with a value of NULL (lsSPrompt0=NULL).
  In my lack of knowledge, I am thinking maybe it has something to do either with how the cookie is being created, how it is being passed, or how/if it is getting stored at the target.  The cookie/token.jsp and the openDocument.jsp are in different folders on the same domain.
  So, I pass this URL:
  http://server:8080/InfoViewApp/token.jsp?&lsSPrompt0=1234567
  The token.jsp that it hits looks like this:
  So, the redirect winds up hitting the target looking like this:
  http://server:8080/OpenDocument/opendoc/openDocument.jsp?token=logonToken&iDocID=45227708&sKind=FullClient&lsSPrompt0=NULL&NAII=N&buttonrefresh=hide&buttonexport=hide
  Obviously, my problem is this:  lsSPrompt0=NULL
  Any pointers or nuggets of wisdom are GREATLY appreciated?
  Also of note, I wasn't sure if I needed to publish this token.jsp as a Webapp to Tomcat.
  I just placed the .jsp file in the folderTomcat5.5/webapps/InfoViewApp (same location as the client who has it working).
  Do I need to publish it?  Is that part of the problem?
  I am a little out of my realm here but trying to learn!
  We are on BOXI R2, Tomcat 5.5, JAVA, and I am having the same behavior on my personal XI 3.0 server too
  Thanks in advance,
  Randy

  I believe it's storing the info in a cookie so that it can be used later.  You don't mention which version of BO you're using, but I've sometimes found that the logon tokens created in 4.x contain special characters and may need to be URL encoded.  Also, I've found that it helps to put the logon token at the end of the URL after any parameters instead of in the middle before the parameters.
  -Dell

• Getting Warning about Redirection url

  Hi,
  we have the the portal application running on the weblogic 11g and upon login, home page of our app is loaded, but I do see the following warning message on the portal server logs. Any idea how we can supress this warning?
  <Warning> <netuix> <BEA-423420> <Redirect is executed in begin or refresh action. Redirect url is https://<servername>.arccorp.com:443/PortalApp/ARCGateway.portal?_nfpb=true&amp;_st=&amp;_pageLabel=ARC_Home&amp;_nfls=false
  Thanks
  sravi

  Hi Sravi,
  I am not sure if this is your situation or not, but hopefully it could be helpful for you.
  It is not supported for a remote pageflow portlet (WSRP producer) to redirect from its pageflow begin or refresh action. Because of this limitation, WebLogic Portal logs a warning when any portlet's pageflow attempts to redirect from either of these two actions.
  It is legal to redirect from these actions if the portlet is not a WSRP producer. If this is the case, Oracle has added a utility method that can be called prior to the redirect which can suppress these warning messages:
  - Class: com.bea.netuix.servlets.controls.content.PageflowLoggingHelper
  - Method: public static void dontLogRedirectWarning(HttpServletRequest req)
  Calling this method from the pageflow's begin or refresh action prior to the redirect will suppress the Netuix redirect warnings.
  Thanks,
  Cris

• No destination URL is defined. Use the followind redirect URL in Transactio

  Hi,
  I am new BSP, I have to display logon screen in my BSP application, i was copied SYSTEM bsp application and tried to run it, but it is throwing error "No destination URL is defined. Use the followind redirect URL in Transaction SICF:  /sap(====)/public/bsp/sap/login/default.htm?sap-url= " . Please let us know what has to be done for the same
  Message was edited by:
          Rams BSP

  Hi Rams,
  see http://help.sap.com/saphelp_47x200/helpdata/en/33/8351f1f3351c41853ea3508cbef0cf/frameset.htm
  and
  http://help.sap.com/saphelp_47x200/helpdata/en/1d/13c73cee4fb55be10000000a114084/frameset.htm
  It sounds like you have not configured the redirect correctly in the ICF.
  Cheers
  Graham

• Multiple redirect URLs for mutliple guest VLANs

  We are trying to implement 2 guest WLANs tunnneled to our DMZ and want to redirect users to 2 different URLs (one for each WLAN) when they click the "Accept" button. We are running 6.0.182 on the DMZ controllers and have a customized web passthrough page currently working for the 1st WLAN.
  It appears that only 1 redirect URL can be configured via the command line (config custom-web redirectUrl), and we haven't had much luck modifying the web page for the 2nd WLAN to redirect correctly. Is this supported? Thanks

  Since you are on version 6, the config guide mentions the following in Chapter 10 (and talks about how to do a "global override" per WLAN):
  Assigning Login, Login Failure, and Logout Pages per WLAN
  You can display different web authentication login, login failure, and logout pages to users per WLAN.
  This feature enables user-specific web authentication pages to be displayed for a variety of network
  users, such as guest users or employees within different departments of an organization.
  Different login pages are available for all web authentication types (internal, external, and customized).
  However, different login failure and logout pages can be specified only when you choose customized as
  the web authentication type.

• Form Based Authentication Redirect URL

  I'm using form based authentication in standalone OC4J 10.1.3.1. I have set the system property oc4j.formauth.redirect to true to force OC4J to redirect using 302 any successful authentication to j_security_check.
  The problem is that the redirect URL loses any query parameters. Here's the raw HTTP being posted:
  POST http://localhost:8988/manage/j_security_check HTTP/1.1
  Host: mvakoc-pc.peoplesoft.com:8099
  User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
  Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://mvakoc-pc.peoplesoft.com:8099/manage/target?instanceName=denlcmlx1_entserver_1&targetType=entserver
  Cookie: JSESSIONID=0a8b7ff6231c049914997fdb4ebb93b4854b0956862b; SignOnDefault=18438; e1AppState=
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 62
  X-Forwarded-For: 10.139.127.246
  j_username=username&j_password=password&url=%2Fmanage%2Fhome
  However the response back drops off the query parameters:
  HTTP/1.1 302 Moved Temporarily
  Date: Fri, 05 Jan 2007 21:59:22 GMT
  Server: Oracle Containers for J2EE
  Content-Length: 231
  Connection: Keep-Alive
  Keep-Alive: timeout=15, max=100
  Location: http://mvakoc-pc.peoplesoft.com:8099/manage/target
  <HTML><HEAD><TITLE>Redirect to http://mvakoc-pc.peoplesoft.com:8099/manage/target</TITLE></HEAD><BODY>http://mvakoc-pc.peoplesoft.com:8099/manage/target</BODY></HTML>
  Any workaround?

  It does not appear to be quite the same issue. That bug indicates that everything works fine in a standalone OC4J environment. This would be true with the use case specified as the original URL (/em/console/ias) does not include any query parameters. In my case the original URL contains query parameters so the ultimate redirected URL should also contain those.

• Redirect URL rewriting in WLS8.1 and WLS9.2

  Hi,
  I am looking for help to solve the redirect URL issue for the following configuration:
  A hardware load balancer sits between the web clients and a weblogic cluster (one managed server at this moment, will add more later). The web clients use HTTPS to access the server; the load balancer converts the HTTPS to HTTP and then forwards the request to weblogic cluster.
  The problem I am trying to solve is, when a redirect is sent back to the web client, it should be in HTTPS and use virtual host name, not the actual host name which sends the redirect response.
  I've tried the "frontend host" parameters in the admin console; but could not see any effect. Any help will be greatly appreciated.
  Harry

  Problem solved by configuring the webapp to send relative (instead of absolute, which is the default) redirect URL back to the web client.
  Thanks.

• ISE CWA Redirect URL customization

  Hi,
  Just wanted to know if we can change the redirect url. By default it starts with the hostname of ISE. I will have four PSN nodes and want that url is actually the Load Balancer Url rather than ISE node. Since ISE isintegrated with AD  domain.local so public certificate would not be possible. We are planning to install publecrt cert with differnt domain name likke domain.com. If some one has done it before please let me know
  Thanks
  Aijaz

  Hello,
  I went through your query and have found a link which I think would surely help you to solve your query:-
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

• WLC Web Auth Redirect URL point to an ISE Policy NODE only?

  Hi all,
  I was wondering if the Web Auth Redirect URL configured in the WLC can only point to an ISE Policy Persona Node so the Web Portal feature (see below) in the ISE is only active when the ISE device has that Policy Persona activated.

  Thanks Peter for your clarification regarding the semantic I used and the question I made.
  Curiously, I tested it (configure the WLC Web Auth URL Redirect pointing to an ADM Node) and it did not work until I added the Policy Services persona into that ADM Node. I just wanted to verify that my test was correct because we want to make some changes in our deployment. Let me see if I can open a TAC Case in order to confirm this and add it to this post.

• Portal Logoff redirection URL

  Hi,
  I want to redirect the URL to another page from the default log on page when the user logs off. I know we can change it in ume.logoff.redirect.url and give the desired URL. But the problem is we have two different sites and each sites should return to different screens once the logoff is clicked. So the URL cannot be maintained in this property. We have two mastheads for both this sites.
  I tried to figure it out in the code. The URL to be mentioned is present in logOutComponent which is part of the jar file which comes with masthead. I cant change the desired URL in that component. Where can i change the URL to get the desired result?
  Regards,
  p188071

  Hi <name>,
  I decompiled the "logOutComponent" .class and it containts the following code:
  // Decompiled by DJ v3.6.6.79 Copyright 2004 Atanas Neshkov  Date: 19-1-2008 18:04:06
  // Home Page : http://members.fortunecity.com/neshkov/dj.html  - Check often for new version!
  // Decompiler options: packimports(3)
  // Source File Name:   LogOutComponent.java
  package com.sapportals.portal.navigation;
  import com.sap.security.api.UMFactory;
  import com.sap.security.api.util.IUMParameters;
  import com.sapportals.portal.prt.component.*;
  import com.sapportals.portal.prt.pom.IEvent;
  import com.sapportals.portal.prt.runtime.IPortalRuntimeResources;
  import com.sapportals.portal.prt.runtime.PortalRuntime;
  // Referenced classes of package com.sapportals.portal.navigation:
  //            INavigationGenerator
  public class LogOutComponent extends AbstractPortalComponent
      public LogOutComponent()
      public void doOnNodeReady(IPortalComponentRequest request, IEvent event)
          String externalUrl = UMFactory.getProperties().get("ume.logoff.redirect.url");
          boolean silent = UMFactory.getProperties().getBoolean("ume.logoff.redirect.silent", false);
          if(externalUrl != null && !externalUrl.equals("") && !silent)
              request.redirect(externalUrl);
          } else
              INavigationGenerator navigationService = (INavigationGenerator)PortalRuntime.getRuntimeResources().getService("com.sap.portal.navigation.service.navigation");
              String URL = navigationService.getPortalURL(request, null);
              request.redirect(URL);
      public void doContent(IPortalComponentRequest iportalcomponentrequest, IPortalComponentResponse iportalcomponentresponse)
  As you can see this module just gets the property "ume.logoff.redirect.url", does an adittional check and then gives back this url..
  Not that fancy..
  My suggestion to you would be to edit the portalapp.xml, look for the component "default" and extend it with an additional component property called "MyCustomLogOffURL" for example. To do this just copy the allready excisting "Help URL" property and rename.
  Example:
  <property name="MyCustomLogOffURL" value="http://yourloggofurlforthismasthead.com">
    <property name="plainDescription" value="My Custom Logoff URL" />
    <property name="category" value="Navigation" />
  </property>
  Adding this property here makes you set it seperately for both the masterheads you use, because you can just set it in the Property editor of the PCD
  In addition you now need to modify the "HeaderiView.jsp" a bit to use your custom parameter instead of the "logOutComponent".
  To do that add the following initialisation at the beging of the jsp file:
  final String MY_CUSTOM_LOG_OFF_URL = "MyCustomLogOffURL";
  ....and change the function GetLogoffURL so that it will look like this:
  private String GetLogoffURL(IPortalComponentRequest request)
       String value = (String)request.getNode().getValue(MY_CUSTOM_LOG_OFF_URL);
       return value;
  <h3>PLEASE TAKE NOTICE OF THE FOLLOWING</h3>
  <h5>Never change the SAP component always create a copy and rename it to your own namespace!!!</h5>
  Good Luck,
  Benjamin Houttuin

• Ignoring request not on consumer URL or redirect URL

  Hello,
  I have configured SAML for SSO for the destination site and it works fine for the page configured as Source Site Redirect URI. Attempt to access any other resource in the web application gives an error as : SAMLServletAuthenticationFilter: Ignoring request not on consumer URL or redirect URL.
  Relevant entries in web.xml and weblogic.xml are as below.
  Thanks for your time and help.
  Hiren
  web.xml*_
  <login-config>
            <auth-method>CLIENT-CERT</auth-method>
       </login-config>
  <!-- SAML SSO Start -->
  <security-constraint>
            <web-resource-collection>
                 <web-resource-name>Advisor</web-resource-name>
                 <description>These pages are only accessible by authorized users.</description>
  <url-pattern>*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint>
                 <description>These are the roles who have access.</description>
                 <role-name>ssorole</role-name>
            </auth-constraint>
       </security-constraint>
       <security-role>
            <description>These are the roles who have access.</description>
            <role-name>ssorole</role-name>
       </security-role>
  weblogic.xml+_
  <?xml version='1.0' encoding='UTF-8'?>
  <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <security-role-assignment>
            <role-name>ssorole</role-name>     
            <externally-defined/>
       </security-role-assignment>
       <context-root>Advisor</context-root>
  </weblogic-web-app>

  Hi David,
  I am currently not passing any group information in the SAML Assertion. I haven't tried SAML 2. I found this in one of the FAQs for UCM SSO 'only SAML v1.1 based SSO solution is certified to work with UCM 11.1.1.4'. Using SAML v1.1 if you want to use the groups information you have to configure the 'Enable Virtual users' option in the SAML Destination Site. Also, you need to configure the SAML Authentication Provider along with the SAML Identity Assertion Provider.
  Section 5.7 in the below link will give you some information about it.
  http://docs.oracle.com/cd/E14571_01/web.1111/e13707.pdf
  HTH,
  Shyam