Hi Everyone,
I have configured RSA Access Manager to protect two URLs. The first one works the second one does not. I have tried to configure both in exactly the same way.
My authentication flows through a custom login dialog. When I go to the first URL I am prompted for a user name and password by my custom login dialog. If I provide correct credentials I can see the content. That is, the Apache access_log shows http code 200 for all the artifacts needed to display the page.
When I go to the second URL it begins well. I'm prompted for user id and password in my custom login dialog. When I provide the correct credentials, alas, I see a basic login from Firefox:
Authentication Required - Mozilla Firefox
http://mywebsite.com is requesting your user name and password. The site says: "CT"
The access_log shows a 401 code. The headers sent to Firefox show WWW-Authenticate: Basic realm="CT"
The URL that works is a simple website (actually the content of the RSA developer's guide). The URL that does not work is hosted in WebLogic. Apache is running the WebLogic proxy that makes these resources appear to be local to Apache.
How can I configure Access Manager to suppress this basic dialog (i.e. stop sending WWW-Authenticate: Basic header)? Please note: If I answer the basic dialog I get another one with a realm reference of "weblogic". If I answer that, Firefox displays: Error 401--Unauthorized
Kind regards. Please stay safe.
-Randy
The header "CT_REMOTE_USER" (or the deprecated version "CT-REMOTE-USER", see Note 1) is a custom user header that is not used directly by RSA Access Manager in any way. It is used by legacy applications for SSO.
This fits with your description of the problem. It sounds like your custom application was looking for a specific header to pass the SSO user. Without this header your custom application was not identifying this as an authenticated user, and the application (WebLogic) was prompting for additional authentication. RSA Access Manager was not directly configured to cause the authentication challenge.
This is not a problem with the RSA Access Manager agent, but a configuration requirement specific to your custom application.
Note 1: The naming of this header is completely arbitrary, but historically (for no real good reason) the name used by legacy third-party integrations was originally CT_REMOTE_USER. There are problems with this name for some web servers, as the underscore character is converted or not preserved in some use cases. You can use any name, and we recommend avoiding underscores.
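As an added illustration (not part of this thread, and not RSA's or WebLogic's code): a small Python WSGI sketch of what the proxied application sees. The header name CT-REMOTE-USER, the user value and the realm string are assumptions; it shows the fallback challenge an application issues when the SSO header is missing, and why a header name with an underscore is fragile once a server maps headers into CGI-style environment variables.

```python
# Constructed example: how a proxied application looks for the SSO user
# header, and what happens when the agent did not supply it.
from typing import Optional
from wsgiref.util import setup_testing_defaults

# Assumed header name (avoid underscores, as the answer above recommends).
SSO_USER_HEADER = "CT-REMOTE-USER"


def environ_key(header_name: str) -> str:
    """CGI/WSGI mapping rule: HTTP_ prefix, upper-case, '-' becomes '_'.

    Both "CT-REMOTE-USER" and "CT_REMOTE_USER" collapse to the same key,
    which is why some servers refuse or rewrite underscore header names.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def sso_user(environ: dict) -> Optional[str]:
    """Return the user the front-end agent placed in the SSO header, if any."""
    return environ.get(environ_key(SSO_USER_HEADER))


def app(environ, start_response):
    """Minimal application: serve content only to an SSO-identified user."""
    user = sso_user(environ)
    if user is None:
        # No SSO identity arrived: the application falls back to its own
        # challenge, which is the second login dialog seen in the question.
        start_response("401 Unauthorized",
                       [("WWW-Authenticate", 'Basic realm="app"')])
        return [b"no SSO user header"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return ["hello {}".format(user).encode()]


def simulate(headers: dict):
    """Build a WSGI environ from constructed request headers and call app()."""
    environ = {}
    setup_testing_defaults(environ)
    for name, value in headers.items():
        environ[environ_key(name)] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(simulate({"CT-REMOTE-USER": "randy"}))  # agent injected the header
    print(simulate({}))                            # header missing: 401 fallback
```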