Layer7 Access Management


How to implement Two Factor auth using siteminder with one factor as persistent token.

  • 1.  How to implement Two Factor auth using siteminder with one factor as persistent token.

    Posted 09-06-2016 11:30 PM

    We are exploring a two-factor authentication solution with Siteminder functionality. Here is the complete user experience we are trying to set up through a Siteminder authentication scheme (x.509 Certificate with Basic Form).

    1F = 1st Factor = x.509 Certificate (Have Factor)

    2F = 2nd Factor = SSO Credentials (Known Factor: User ID and Password through LDAP or AD)

    User Experience:

    1) Siteminder should challenge both factors the first time a user tries to access the above two-factor protected resources. As a first step, the user should be authenticated using 1F (x.509 based) and then the user will authenticate using 2F (form-based credentials).

    2) Once the user is authenticated successfully, Siteminder should issue the following two tokens:

    1Token = SM1 = Valid for 15 mins (Session Token)

    2Token = SM2 = Valid for 10 days (Persistent Token)

    3) So for any subsequent requests, the user should only be challenged for the 1st factor, or authenticated seamlessly, until 2Token expires (SM2 is valid for 10 days).

    We would appreciate it if someone could highlight or share a solution on how to achieve this functionality through Siteminder.



  • 2.  Re: How to implement Two Factor auth using siteminder with one factor as persistent token.
    Best Answer

    Posted 09-08-2016 06:42 AM

    Hi mkorat1717

    • Siteminder does have two-factor authentication as per the cert + UN/PW.

    • Not quite sure what you intend about known factor, but that can be a directory attribute and custom auth scheme.

    • Siteminder then issues the SMSESSION cookie as a session cookie.

    • It does not (natively) have the ability to issue another (persistent) token.

    • Or to use that 2nd token as a shortcut to the login process, only requiring the correct cert until the 2nd token expires.

    But in SM you can craft your own custom auth scheme and auth pages. What you are after is "probably" possible. In a previous life I've helped craft a whole bunch of different schemes, some quite custom, and I suspect you may be able to do what you want - but it would need a bit of work.

    At this point you would want to spend a few days trying to set it up and see what road blocks you hit, and to be sure it was possible. From a support perspective, we'd recommend speaking to CA Services, if you did not have the custom SDK expertise within your organisation for that sort of work.


    Cheers - Mark
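
The flow requested in the first post, modelled as an added example that is not part of the thread and is not SiteMinder SDK code: a Python sketch of the decision a custom auth scheme would have to make. All function names, the token layout and the key are assumptions; only the 15-minute and 10-day lifetimes come from the post.

```python
import hashlib
import hmac

SESSION_TTL = 15 * 60             # SM1 lifetime from the post: 15 minutes
PERSISTENT_TTL = 10 * 24 * 3600   # SM2 lifetime from the post: 10 days
KEY = b"constructed-demo-key"     # assumption: server-side secret, never sent to clients

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def _mac(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_persistent_token(user: str, cert_der: bytes, now: float) -> str:
    """Build SM2, bound to the user and to the certificate that was presented."""
    payload = f"{user}|{cert_fingerprint(cert_der)}|{int(now) + PERSISTENT_TTL}"
    return f"{payload}|{_mac(payload)}"

def persistent_token_valid(token: str, cert_der: bytes, now: float) -> bool:
    try:
        user, fp, expires, mac = token.split("|")
        expires_at = int(expires)
    except ValueError:
        return False  # malformed token: fail closed
    expected = _mac(f"{user}|{fp}|{expires}")
    return (hmac.compare_digest(mac.encode(), expected.encode())
            and hmac.compare_digest(fp.encode(), cert_fingerprint(cert_der).encode())
            and now < expires_at)

def required_challenge(cert_der, persistent_token, now: float) -> str:
    """Decide which factors still have to be challenged for this request."""
    if cert_der is None:
        return "deny"  # 1F (certificate) is required on every login
    if persistent_token and persistent_token_valid(persistent_token, cert_der, now):
        return "cert_only"  # SM2 stands in for the password until it expires
    return "cert_and_password"

def complete_login(user: str, cert_der: bytes, now: float) -> dict:
    """Call only after certificate AND password both succeeded."""
    return {"session_expires": int(now) + SESSION_TTL,
            "persistent_token": issue_persistent_token(user, cert_der, now)}
```

Binding the persistent token to the certificate fingerprint means a copied token is useless without the matching certificate, and any tampered, expired or malformed token falls back to the full two-factor challenge.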



  • 3.  Re: How to implement Two Factor auth using siteminder with one factor as persistent token.

    Posted 09-12-2016 12:50 PM

    Thanks, and we appreciate your response to my query; we will look into the details and, if required, will engage with the support team.