We have a requirement to integrate YubiKey-based authentication in CA SSO or CA AA. I am aware that CA SSO or CA AA doesn't provide OOTB integration for the same, therefore I am looking for possible alternatives for integrating YubiKey with CA SSO or CA AA.
Any pointers are appreciated.
YubiKey is a PIV card, right?
You are using it with x509 cert auth, right?
Terry, yes. YubiKey is a PIV card.
I am not sure how to enable the integration via x509 cert, but from what I have explored on integration of YubiKey with CA is that we have to write a custom authentication module to achieve it.
I need to know if CA SSO or CA AA OOTB supports it. If not, how can I achieve it? I would be grateful if you can provide any pointers.
If it is not listed in the CA support matrix, then it's safe to say CA has not tested it, and therefore it is not certified. Support would be best efforts.
It is possible our partners have tested it and for that you can check the numerous runbooks listed:
Shivam, have you looked at this? Would this help?
Information Card Authentication Schemes - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation
- Regards. Vijay
If it truly is a PIV certificate, and if it appears as a smartcard to the host OS (even though it is in a Yubikey4 form factor), you could potentially use the X.509 Advanced Auth Scheme from Global Development. This is what we use for standard PIV auth against CA SSO. This auth scheme lets you pull custom attributes out of the SAN of the PIV card. For example, we parse the FASC-N to map to an identity.
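The FASC-N parsing mentioned in the post above, as an added example that is not part of the original thread and not code from the X.509 Advanced Auth Scheme: it decodes the 25-byte FASC-N that a PIV certificate carries in its SAN (otherName, OID 2.16.840.1.101.3.6.6), checking parity, sentinels and the LRC before any field is trusted. It assumes the 25 bytes have already been extracted from the certificate; the sample bytes, the function names and the choice of lookup key are constructed for illustration.

```python
# Constructed 25-byte FASC-N for the demo (not taken from a real card).
SAMPLE_FASCN = bytes.fromhex(
    "D0 43 94 58 21 0C 2C 19 A0 84 6D 83 68 5A 10 82 10 8C E7 39 84 11 92 43 E8")

SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel
# Field order inside the 40-character FASC-N: (name, number of BCD digits).
LAYOUT = [("agency", 4), FS, ("system", 4), FS, ("credential", 6), FS,
          ("cs", 1), FS, ("ici", 1), FS, ("pi", 10),
          ("oc", 1), ("oi", 4), ("poa", 1)]

def decode_fascn(raw: bytes) -> dict:
    """Decode 200 bits = 40 characters of 4 BCD bits (LSB first) + odd parity."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be exactly 25 bytes")
    bits = "".join(f"{b:08b}" for b in raw)
    chars = []
    for i in range(0, 200, 5):
        chunk = bits[i:i + 5]
        if chunk.count("1") % 2 != 1:
            raise ValueError(f"parity error in character {i // 5}")
        chars.append(int(chunk[3::-1], 2))  # reverse the 4 data bits
    lrc = 0
    for c in chars:  # XOR over all 40 characters, LRC included, must be zero
        lrc ^= c
    if lrc != 0:
        raise ValueError("LRC mismatch")
    if chars[0] != SS or chars[38] != ES:
        raise ValueError("missing start or end sentinel")
    fields, pos = {}, 1
    for item in LAYOUT:
        if item == FS:
            if chars[pos] != FS:
                raise ValueError(f"expected field separator at character {pos}")
            pos += 1
            continue
        name, length = item
        digits = chars[pos:pos + length]
        if any(d > 9 for d in digits):
            raise ValueError(f"non-digit in field {name}")
        fields[name] = "".join(str(d) for d in digits)
        pos += length
    return fields

def lookup_key(fields: dict) -> str:
    """Assumed directory key: agency + system + credential number (14 digits)."""
    return fields["agency"] + fields["system"] + fields["credential"]

if __name__ == "__main__":
    print(lookup_key(decode_fascn(SAMPLE_FASCN)))
```

Rejecting the value on any parity, sentinel or LRC failure keeps a malformed SAN entry from being mapped to a user record.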
If you upgrade to SiteMinder 12.8 SP8, you can configure the WebAuthn authentication scheme; this will allow you to use a FIDO 2.0-compliant key such as a YubiKey.