Symantec Access Management

  • 1.  Yubikey integration with CA SSO or CA AA

    Posted Jul 05, 2018 08:46 AM

    Team,

     

    We have a requirement to integrate Yubikey-based authentication in CA SSO or CA AA. I am aware that CA SSO or CA AA doesn't provide OOTB integration for the same; therefore, I am looking for possible alternatives for integrating Yubikey with CA SSO or CA AA.

     

    Any pointers are appreciated.

     

    Thanks,

    Shivam



  • 2.  Re: Yubikey integration with CA SSO or CA AA

    Broadcom Employee
    Posted Jul 05, 2018 04:01 PM

    Hi Shivam

    YubiKey is a PIV card, right?

    You are using it with x509 cert auth, right?

    Best Regards



  • 3.  Re: Yubikey integration with CA SSO or CA AA

    Posted Jul 05, 2018 06:51 PM

    Terry, yes. Yubikey is a PIV card.

    I am not sure how to enable the integration via x509 cert, but from what I have explored on integration of Yubikey with CA, we have to write a custom authentication module to achieve it.

     

    I need to know if CA SSO or CA AA OOTB supports it. If not, how can I achieve it? I would be grateful if you can provide any pointers.

     

    Thanks,

    Shivam



  • 4.  Re: Yubikey integration with CA SSO or CA AA

    Broadcom Employee
    Posted Jul 06, 2018 10:18 AM

    If it is not listed in the CA support matrix, then it's safe to say CA has not tested it, and therefore it is not certified. Support would be best efforts.

    https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-siteminder-informational-documentation-index.html#PSM

     

    It is possible our partners have tested it and for that you can check the numerous runbooks listed:

     

    https://support.ca.com/us/product-content/recommended-reading/product-related-technical-information/ca-single-sign-on-ca-secure-cloud-security-saas-validation-program-runbook-library.html



  • 5.  Re: Yubikey integration with CA SSO or CA AA

    Broadcom Employee
    Posted Jul 06, 2018 01:30 PM

    Shivam, Have you looked at this?  Would this help?

    Information Card Authentication Schemes - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    - Regards. Vijay



  • 6.  Re: Yubikey integration with CA SSO or CA AA

    Posted Jul 06, 2018 03:05 PM

    If it truly is a PIV certificate, and if it appears as a smartcard to the host OS (even though it is in a Yubikey4 form factor), you could potentially use the X.509 Advanced Auth Scheme from Global Development. This is what we use for standard PIV auth against CA SSO. This auth scheme lets you pull custom attributes out of the SAN of the PIV card. For example, we parse the FASC-N to map to an identity.
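
Added example (not part of the original post, and not the X.509 Advanced Auth Scheme's own code): a decoder for the 25-byte FASC-N value that post 6 describes mapping to an identity. It goes one step further than the post by checking per-character parity, the sentinels and the LRC before any field is trusted. It assumes the raw 25 bytes have already been extracted from the certificate's SAN otherName entry; the function names, field names and sample values are constructed for illustration.

```python
from functools import reduce
SS, FS, ES = 0xB, 0xD, 0xF  # start sentinel, field separator, end sentinel
# FASC-N characters in order after the start sentinel: (field name, length).
LAYOUT = [("agency", 4), ("FS", 1), ("system", 4), ("FS", 1), ("credential", 6),
          ("FS", 1), ("cs", 1), ("FS", 1), ("ici", 1), ("FS", 1), ("pi", 10),
          ("oc", 1), ("oi", 4), ("poa", 1)]

def _symbols(raw):
    """Split 25 bytes into 40 five-bit characters, checking odd parity on each."""
    if len(raw) != 25:
        raise ValueError("FASC-N must be exactly 25 bytes")
    bits = "".join(f"{b:08b}" for b in raw)
    out = []
    for i in range(0, 200, 5):
        chunk = bits[i:i + 5]
        if chunk.count("1") % 2 != 1:
            raise ValueError(f"parity error in character {i // 5}")
        out.append(int(chunk[3::-1], 2))  # four data bits, LSB first
    return out

def decode_fascn(raw):
    """Return the FASC-N digit fields, rejecting any framing or LRC error."""
    sym = _symbols(raw)
    if sym[0] != SS or sym[38] != ES or sym[39] != reduce(int.__xor__, sym[:39]):
        raise ValueError("bad sentinel or LRC")
    fields, pos = {}, 1
    for name, n in LAYOUT:
        part, pos = sym[pos:pos + n], pos + n
        ok = part == [FS] if name == "FS" else max(part) <= 9
        if not ok:
            raise ValueError(f"malformed field at {name}")
        if name != "FS":
            fields[name] = "".join(map(str, part))
    return fields

def encode_fascn(f):
    """Inverse of decode_fascn; used here only to build the constructed sample."""
    sym = [SS]
    for name, n in LAYOUT:
        sym += [FS] * n if name == "FS" else [int(c) for c in f[name]]
    sym.append(ES)
    sym.append(reduce(int.__xor__, sym))  # LRC: XOR of all preceding data nibbles
    bits = "".join(f"{s:04b}"[::-1] + str(1 - bin(s).count("1") % 2) for s in sym)
    return int(bits, 2).to_bytes(25, "big")

# Constructed sample values, not taken from any real credential.
SAMPLE = encode_fascn({"agency": "0032", "system": "0001", "credential": "092446",
                       "cs": "1", "ici": "1", "pi": "1112223333", "oc": "1",
                       "oi": "1223", "poa": "2"})
```

Rejecting a value that fails any of these checks, rather than mapping whatever digits happen to parse, keeps a truncated or corrupted SAN entry from resolving to some other user's identity.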



  • 7.  RE: Yubikey integration with CA SSO or CA AA

    Broadcom Employee
    Posted Feb 08, 2024 07:13 AM

    Hi Shivam,

    If you upgrade to Siteminder 12.8 sp8, you can configure the WebAuthn authentication scheme; this will allow you to use a FIDO 2.0 compliant key such as a Yubikey.


    rgds