Planning to Add an Application Using HTTP Federation Proxy

Before you configure a connection to a web application using HTTP Federation (HFED) Proxy, you must collect required information and make some planning decisions. After you start the Add Custom Connection wizard, you must enter all required settings to save the configuration. You can modify the settings later in My Applications.

Required Information

To track this information and to confirm that you have collected everything required, see HTTP Federation Proxy Planning Worksheet.
  • Obtain valid user credentials for the application so you can sign in to the application home page. Examples: username, password, employee ID, date of birth.
  • Gather the following application URLs:
    • Logon page – The URL of the web page that contains the sign-in form.

      Go to the main page of the application, click Log in or Sign in, and copy the URL from the browser. For example,, where is the application hostname.

    • Home page – The URL of the landing page after signing in. For example:

      Record any other hostnames that are part of the application such as or

  • Record what happens when sign-in fails. The identity router uses this information to detect whether an attempt to sign in to an application has succeeded or failed.

    Go to the application sign-in page, intentionally enter the wrong credentials, and note one of the following failure indicators.

    Indicator    | Example
    VISIBLE_TEXT | An error message that begins with Invalid credentials
    HTTP_STATUS  | An HTTP status code that matches 404
    URL          | A URL that contains Auth Failed
  • Record the hostname of the proxy web server for the application. The proxy hostname must be a valid alias in the Domain Name System (DNS) database that points to the portal hostname in the identity router, and it must be unique across all applications. For example:, where is the real host name.
  • Record the port number the application uses, if different from the default port. The default HTTP port is 80, and the default HTTPS port is 443.
  • Record the portal URL, which is the URL for the home page or destination page of the application when accessing the application through the identity router. This URL consists of the following:
    • Protected domain name (PDN) for the identity router.
    • Protected hostname for each real hostname that the application uses. The protected hostname for the application must be within the PDN.
  • Decide if users will be allowed to set and change their own credentials in the application portal.
    • If yes, users need to remember only a single password for the application portal. Letting users manage their own credentials can also save time for administrators.
    • If no, then you must populate user keychains for each HFED application, and users cannot set or change their own credentials. This option gives you greater control over user credentials, for example, when there is a security concern about preventing unauthorized access to the application.
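
The following added example (not part of the product or its documentation) checks a candidate failure indicator before you record it on the worksheet: the indicator must match the failed sign-in response and must not match a successful one. The matching rules (begins with, exact status match, substring of the URL) are assumptions drawn from the examples in the table above, and the hostname, URLs, and page text are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Response:
    """What you observed in the browser after one sign-in attempt."""
    status: int        # HTTP status code of the resulting page
    url: str           # URL shown after the attempt
    visible_text: str  # text rendered on the page

def indicator_matches(kind: str, value: str, resp: Response) -> bool:
    # Assumed semantics, inferred from the table's example wording.
    if kind == "VISIBLE_TEXT":   # some visible line begins with the value
        return any(line.strip().startswith(value)
                   for line in resp.visible_text.splitlines())
    if kind == "HTTP_STATUS":    # status code equals the value
        return str(resp.status) == value.strip()
    if kind == "URL":            # URL contains the value
        return value in resp.url
    raise ValueError(f"unknown indicator type: {kind}")

def check_indicator(kind: str, value: str,
                    failed: Response, succeeded: Response) -> str:
    """Classify a candidate indicator against both observed outcomes."""
    on_fail = indicator_matches(kind, value, failed)
    on_success = indicator_matches(kind, value, succeeded)
    if on_fail and on_success:
        return "ambiguous"  # also matches a good sign-in, so it cannot tell them apart
    if on_fail:
        return "usable"     # matches only the failed attempt
    return "missed"         # does not match the failure you observed

# Constructed observations for a hypothetical application that answers a bad
# password with HTTP 200 and an error banner, which many web applications do.
FAILED = Response(200, "https://app.example.com/login?error=1",
                  "Sign in\nInvalid credentials. Please try again.")
SUCCEEDED = Response(200, "https://app.example.com/home", "Welcome back, jdoe")

if __name__ == "__main__":
    candidates = [("VISIBLE_TEXT", "Invalid credentials"),
                  ("HTTP_STATUS", "200"),
                  ("HTTP_STATUS", "404"),
                  ("URL", "error=1")]
    for kind, value in candidates:
        print(f"{kind:<12} {value!r:<24} "
              f"{check_indicator(kind, value, FAILED, SUCCEEDED)}")
```

An indicator classified as ambiguous or missed leaves sign-in success and failure indistinguishable for that application, so pick a different indicator type or value before recording it.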

Portal URL Examples

Assume that the hostname for the identity router, where users go to access the single sign-on (SSO) portal, is, where is the PDN. If the real hostname is, examples of protected hostnames are as follows:
  • <NameWithNoDot>
For users to access applications using SSO, protected hostnames must be configured as DNS canonical names (CNAMEs), that is, aliases that point to the identity router. Examples of CNAMEs (DNS aliases) are as follows:
  • is a CNAME to
  • is a CNAME to

Using a wildcard CNAME, you can quickly add HFED application-protected hostnames without creating individual DNS entries. For example, * is a CNAME to