Thanks, i've managed to do what I wanted wiht following configuration changes:
[session]
shared-domain-cookie = yes
[session-cookie-domains]
domain = <root-domain>
[acnt-mgt]
http-rsp-header = x-frame-options:TEXT{DENY}
http-rsp-header = content-security-policy:TEXT{default-src 'self'; frame-ancestors 'self'; form-action 'self';}
http-rsp-header = x-content-type-options:TEXT{nosniff}
http-rsp-header = x-xss-protection:TEXT{1}
[acnt-mgt:{virtual-junction-host-label}]
enable-local-response-redirect = yes
[local-response-redirect:{virtual-junction-host-label}]
local-response-redirect-uri = [login] https://<webseal>/sps/<FED-NAME>/saml20/logininitial?RequestBinding=HTTPPost&PartnerId=<ENTRA-STS-URL>/&NameIdFormat=Unspecified&AllowCreate=false&Target=<virtual-junction-url>
Different story was, that my federation didnt work at all due to some problems with connection to runtime (ssl handshake failure).
I hope what i did makes sense in general.
------------------------------
Marek Kembrowski
------------------------------
Original Message:
Sent: Tue December 16, 2025 02:50 AM
From: Tom Bosmans
Subject: SAML authentication on virtual junction
Hi Marek,
you need to tell your webseal reverse proxy what to do when protected resources are requested. So 1 option is to use the local-response-redirect mechanism.
You can configure it specifically for your virtual host junction, or for the complete reverse proxy instance (like below).
[acnt-mgt]enable-local-response-redirect = yes[local-response-redirect]local-response-redirect-uri = <your logininitial url>
------------------------------
Tom Bosmans
------------------------------