Content Management and Capture

  • 1.  IBM Content Navigator and ping page under SSO configuration

    Posted Tue June 29, 2021 09:43 AM
    Hello all,

    We are currently installing a new FileNet Content Manager platform and we are using IBM Content Navigator with Single Sign-On. Single Sign-On is customized via a Trust Association Interceptor designed for using Central Authentication Services.

    We have a farm of ICN nodes behind a virtual IP address managed by Netscaler load balancer.
    We configured the load balancer to check /navigator/ping.jsp, verify that the HTTP response code is 200, and check for the term "pingPage" in the HTTP response.

    But we currently have a problem with this configuration, as our load balancer sees the ICN nodes as down.
    It seems that the /navigator/ping.jsp response is a redirection to the authentication form provided by the Central Authentication Service.

    Our question is therefore the following: How can we configure the IBM Content Navigator application in order to bypass SSO when using the resource /navigator/ping.jsp?
    Our goal is to allow the load balancer to access a ping page without authenticating, in order to be sure that the ICN node is available for service.

    Or is there an alternative to the ping page without SSO protection? I asked IBM support, which sent me to the URL navigator/jaxrs/getDesktop, which is not secured, but this page weighs 270,90 ko (and can grow), which is a lot for a keep-alive page called every 5 seconds.

    Thanks for your help.

    Regards,
    Florian Kiebel

    ------------------------------
    Florian KIEBEL
    Practice Leader
    Amexio
    ------------------------------
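
A probe that tells "node down" apart from "node up, but the ping page was handed to the SSO login", the case the monitor described in the post above reports as down. This is an added example, not code from the thread or from IBM: the path and the "pingPage" marker come from the post, while the verdict names and the host and port arguments are assumptions.

```python
import http.client

PING_PATH = "/navigator/ping.jsp"   # path named in the post
MARKER = b"pingPage"                # term the monitor expects in the body

def classify(status, location, body):
    """Map one HTTP response to a monitor verdict (verdict names are made up here)."""
    if status == 200 and MARKER in body:
        return "UP"
    if status in (301, 302, 303, 307, 308):
        # The node answered, but the request was sent to the SSO layer.
        return "SSO_REDIRECT -> " + (location or "<no Location header>")
    if status in (401, 403):
        return "AUTH_REQUIRED"
    if status == 200:
        # 200 without the marker, e.g. a login form rendered in place.
        return "UNEXPECTED_BODY"
    return "DOWN (HTTP %d)" % status

def probe(host, port, path=PING_PATH, use_tls=False, timeout=3.0):
    """Send one unauthenticated GET, do not follow redirects, classify the answer."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        body = resp.read(65536)          # cap the read; a ping page is small
        return classify(resp.status, resp.getheader("Location"), body)
    except (OSError, http.client.HTTPException) as exc:
        return "DOWN (%s)" % exc.__class__.__name__
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port> [path]
    print(probe(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4]))
```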


  • 2.  RE: IBM Content Navigator and ping page under SSO configuration

    Posted Fri July 02, 2021 09:31 AM
    Edited by DAVID Jenness Sun July 04, 2021 08:52 AM
    Hello Florian,

    There is another endpoint, navigator/jaxrs/pluginsInfo, that doesn’t require authentication, which you might be able to use, but please note that all endpoints under navigator/jaxrs/ are private and, therefore, subject to change.

    That said, we’re planning to add a lightweight public endpoint you can use to simply check if the system is up and running without any other info which you might be able to use when it’s available.

    Thank you,

    ------------------------------
    ANDY Choi
    ------------------------------



  • 3.  RE: IBM Content Navigator and ping page under SSO configuration

    Posted Mon July 05, 2021 04:33 AM
    Thank you Andy,

    I agree the URL you provided is much lighter than the other one.
    We will use it.

    I agree with your last statement, a very lightweight public endpoint saying "ICN is up" is clearly sufficient for load balancer material.

    Thank you again for your help

    Regards,

    ------------------------------
    Florian KIEBEL
    Practice Leader
    Amexio
    ------------------------------



  • 4.  RE: IBM Content Navigator and ping page under SSO configuration

    Posted Tue July 13, 2021 12:03 PM
    Hello all,

    Well, finally, it seems that both endpoints (jaxrs/getDesktop and jaxrs/pluginsInfo) are covered by our SSO. I was wrong in my last statement.
    When I tested both statements, I saw that a CAS token is generated.

    Perhaps it is caused by the version we currently run:
    Version : 3.0.7
    Génération : icn307.003.175

    Does anyone have another idea on this topic?

    Regards,
    Florian Kiebel


    ------------------------------
    Florian KIEBEL
    Practice Leader
    Amexio
    ------------------------------



  • 5.  RE: IBM Content Navigator and ping page under SSO configuration

    Posted Wed July 21, 2021 03:24 PM

    Hi Florian

    In your SSO configuration do you have the ability to exempt certain endpoints from SSO?

    In a SAML trust interceptor configuration you can do something like this:

    sso_1.sp.filter = request-url^=navigator;request-url!=error.jsp;remote-address!=111.22.333.444

    The "!=" stops it from going the SSO route



    ------------------------------
    Chuck Hauble
    Senior IT Engineer
    Hennepin County
    Minneapolis MN
    ------------------------------



  • 6.  RE: IBM Content Navigator and ping page under SSO configuration

    Posted Fri March 04, 2022 09:14 AM
    Hi Chuck,

    What is !=111.22.333.444?
    Are we trying to stop the ping server call from redirecting to the SSO NAM provider?
    Is there a way to disable the ping server call with ICN version 3.0.7 without upgrading the product?
    We are facing the issue of frequent timeouts with ICM Case Manager in an SSO environment and are trying to find a solution to disable the ping server service call without actually disabling SSO.

    Not sure whether the ping server service call is causing this timeout or not, but it sounds like the ping service call is the root cause according to the IBM PMR.
    Appreciate your time!!!

    ------------------------------
    Narsimha Naidu
    ------------------------------



  • 7.  RE: IBM Content Navigator and ping page under SSO configuration

    Posted Fri March 04, 2022 09:36 AM
    It's just a made-up address. I was trying to help Florian work around his problem.

    ------------------------------
    Chuck Hauble
    Minneapolis MN
    ------------------------------



  • 8.  RE: IBM Content Navigator and ping page under SSO configuration

    Posted Fri March 04, 2022 05:31 PM
    Hi Chuck,

    To disable the ping server call going to the SSO provider, can I use the line below?

    sso_1.sp.filter = request-url^=navigator;request-url!= https://xxxxxx/navigator/jaxrs/pingServer

    appreciate your help

    ------------------------------
    Narsimha Naidu
    ------------------------------