We are in the process of implementing a system where post authentication user is verified with OTP for each new session. We want to restrict user access to application (except for OTP verification page) till SiteMinder gets confirmation of OTP verification from application. Please note OTP generation and validation are handled by application.
We know SiteMinder does not intercept any POST data from the application except the one directly posted to .fcc files (login.fcc/smpwservices.fcc etc.), from Ujwol on the discussion "Pass form variable from jsp to Siteminder".
We want to explore possible OOTB SiteMinder solution that can be implemented where application can provide some trigger based on which SiteMinder provides access to resources. This access should be valid for single session and should be revoked once the session ends.
If I understand this correctly, what you are looking for is actually 2FA (two-factor authentication) with the 1st factor being FORM (or any other OOTB authentication provided by CA SSO) and the 2nd factor being the OTP provided by the 3rd party app.
However, as your OTP authentication is actually done by a third party product, you will have to utilise a custom authentication scheme for this.
A few references:
Multi authentication schemes on a realm (or within a scheme)
How to implement Two Factor auth using SiteMinder with one factor as persistent token.
One Time Password in Siteminder
Ujwol's Single Sign-On Blog
Thank you for the reply. We are trying to explore the option where, post OTP verification, the application sets a custom session variable by calling the setSessionVariables() API. This can then be retrieved in the domain by setting a Variable in Domain->Variable. We can use this variable in Domain->Policy->Expression to set authorization rules.
This would help us easily manage the session for the user, and we don't have to worry about cleanup, as all session variables are deleted when the session ends.
Please let me know if this approach would work in our case.
https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP2-ENU/Bookshelf_Files/PDF/siteminder_java_dev_enu.pdf Page 46: How Information Is Bound to a Session
SessionVariableContext (CA SiteMinder SDK r12.52sp1)
As discussed the other day, the setSessionVariables() API can only be called from within the custom authentication scheme, it can't be called from your application, so this approach may not work for you.