Policy Agent, HTTPS->HTTP load balancer and notification URL
I have the following setup.
1. Policy Agent 2.2 for Sun WebServer 6.1 sitting behind an HTTP load balancer. Configured for HTTP protocol.
2. The above HTTP load balancer is sitting behind an HTTPS load balancer, performing the HTTPS -> HTTP protocol shift.
3. Access Manager 7.0sp5 configured for HTTP protocol. Also SAMLv2 plugin enabled.
4. DAUI installed on Policy Agent Server, and notenforced configured to allow access.
User comes to URL https://selfservice.nirving.com/protectedResource/
and gets redirected to https://selfservice.nirving.com/distAuth/UI/Login?goto=http://selfservice.nirving.com/protectedResource/
Notice that the request now contains http://selfservice.nirving.com/protectedResource/
instead of https://selfservice.nirving.com/protectedResource/.
This was fixed by changing the following lines in AMAgent.properties
com.sun.am.policy.agents.config.agenturi.prefix = https://selfservice.staging.telecom.co.nz/amagent
com.sun.am.policy.agents.config.override_protocol = true
so now we get https://selfservice.nirving.com/distAuth/UI/Login?goto=https://selfservice.nirving.com/protectedResource/
However, when I log out via the SAMLv2 plugin IdP SSO logout, it kills the session in Access Manager and redirects back to the Policy Agent Server, but the session is still alive there. The reason is that the Notification Request from Access Manager is being rewritten before it is confirmed to be the Notification URL:
com.sun.am.notification.url = http://policyagent.nirving.com:8000/amagent/UpdateAgentCacheServlet?shortcircuit=false
What it checks against is https://policyagent.nirving.com/amagent/UpdateAgentCacheServlet?shortcircuit=false
The only way I can get this to work is by adding an entry to the notenforced list so that the rewritten Notification Request is accessible. Any ideas on what I am doing wrong?
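The following is an added model of the URL handling the post describes; it is not the Policy Agent's code and not something the poster supplied. It assumes that override_protocol rebuilds the incoming request URL with the scheme of the agent URI prefix and drops the explicit port (which reproduces the rewritten URL quoted above), that the not-enforced list is matched with '*' globbing, and the function names (rewrite_request_url, classify, and so on) are hypothetical. It shows why the notification request stops matching once override_protocol is on, and how both the poster's not-enforced workaround and a compare-before-rewrite approach change the outcome.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Values taken from the post.
AGENT_URI_PREFIX = "https://selfservice.staging.telecom.co.nz/amagent"
NOTIFICATION_URL = ("http://policyagent.nirving.com:8000"
                    "/amagent/UpdateAgentCacheServlet?shortcircuit=false")


def rewrite_request_url(url, override_protocol, agent_uri_prefix=AGENT_URI_PREFIX):
    """Assumed model of override_protocol: rebuild the request URL with the
    scheme of the agent URI prefix and drop the explicit port so the new
    scheme's default port applies. With the post's values this turns the
    http://...:8000/... notification URL into https://.../... (no port)."""
    if not override_protocol:
        return url
    req = urlsplit(url)
    prefix = urlsplit(agent_uri_prefix)
    return urlunsplit((prefix.scheme, req.hostname, req.path, req.query, req.fragment))


def is_notification_request(url, override_protocol, check_before_rewrite=False):
    """True if the agent would recognise this request as the AM notification.
    The behaviour the post observes is the default here: the comparison is
    made on the rewritten URL, so the rewritten request no longer matches
    com.sun.am.notification.url. check_before_rewrite models the alternative
    of comparing the raw request URL first."""
    candidate = url if check_before_rewrite else rewrite_request_url(url, override_protocol)
    return candidate == NOTIFICATION_URL


def is_not_enforced(url, override_protocol, not_enforced_list):
    """Glob match of the rewritten URL against the not-enforced list
    (assumed to use '*' wildcards); this is the poster's workaround."""
    candidate = rewrite_request_url(url, override_protocol)
    return any(fnmatch(candidate, pattern) for pattern in not_enforced_list)


def classify(url, override_protocol, not_enforced_list=(), check_before_rewrite=False):
    """Decide what happens to an inbound request:
    'notification'  -> handed to UpdateAgentCacheServlet, session cache updated
    'not-enforced'  -> passed through without SSO (reaches the servlet by luck)
    'enforced'      -> treated as a protected resource, SSO check applies"""
    if is_notification_request(url, override_protocol, check_before_rewrite):
        return "notification"
    if is_not_enforced(url, override_protocol, not_enforced_list):
        return "not-enforced"
    return "enforced"


if __name__ == "__main__":
    workaround = ("https://policyagent.nirving.com/amagent/UpdateAgentCacheServlet*",)
    print("override off:           ", classify(NOTIFICATION_URL, False))
    print("override on:            ", classify(NOTIFICATION_URL, True))
    print("override on + notenf:   ", classify(NOTIFICATION_URL, True, workaround))
    print("override on, raw compare", classify(NOTIFICATION_URL, True, check_before_rewrite=True))
```

Running the block shows the sequence from the post: with override_protocol off the notification is recognised; turning it on rewrites the URL so the same request is now "enforced" and the session cache never gets the logout; adding the rewritten URL to the not-enforced list lets it through again. The check_before_rewrite case shows what recognising the notification on the raw request URL (before the protocol override is applied) would give, which is the behaviour the poster is asking for.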

