Layer7 Access Management

Expand all | Collapse all

SSO Machine Authentication

Jump to Best Answer
  • 1.  SSO Machine Authentication

    Posted 12-07-2017 04:34 AM

    We have a customer use case asking for the ability to identify corporate devices vs. non-corporate devices at the point of authentication to dictate as to whether users can be authorised or not. Corporate devices have a x.509 certificate installed to identify the device.

    Could anyone explain our capabilities regarding certificate authentication (machine authentication)?

    Would we be able to meet such a use case?

     

    Thanks

    Grant



  • 2.  Re: SSO Machine Authentication

    Posted 12-07-2017 09:11 AM

    CA SSO has the ability to authenticate CERT + FORMS. there is an OOB Authentication Scheme. Also there is a GD Module which provides added features which is unavailable in the OOB Authentication Scheme.

     

    The Value from CERT  has to match the username being entered on FORM. If both values + password match user will be authenticate. If both values don't match or password is incorrect user will be not authenticated.

     

    Had a similar requirement and we POC this approach.

     

    The only caveat is that the device cannot be a shared device i.e. it cannot have different CLIENT CERT. If there are multiple CLIENT CERT, when user accesses the protected content on browser, user would be asked to select the intended CLIENT CERT. Thus the user needs to be educated to select the correct CLIENT CERT.

     

     

     

    Regards

     

    Hubert

    CA Services



  • 3.  Re: SSO Machine Authentication

    Posted 12-07-2017 10:00 AM

    Thank You Hubert,

     

    If we use the cert + form, would SSO be able to take a generic attribute from the cert that simply identifies the device as 'company owned' independent of the user logging in...?

    For example, a check is done on the cert first to identify it as a corporate device, not tied to a user (=allow), then present a form that would prompt for valid user + password (a shared device)

     

    The objective is to expose the portal (Identity Portal, SSO protected) from anywhere, but only for corporate devices and from valid identities (although the cert will be a device cert, not a user cert)

     

    Thanks



  • 4.  Re: SSO Machine Authentication

    Posted 12-07-2017 10:24 AM

    Looks like we'll need the GB Module "Advanced Certificate Authentication for CA Single Sign-On". OOB CERT + FORMs won't suffice.

     

    QUESTION-1 : would SSO be able to take a generic attribute from the cert that simply identifies the device as 'company owned' independent of the user logging in...?

     

     

     

    QUESTION-2 : would SSO be able to take a generic attribute from the cert that simply identifies the device as 'company owned' independent of the user logging in...?

     

     

     

    I have provided inputs on a very high level. We'll need to POC this further into finer details. Especially the second requirement. I am probably going to call out @RichardSiek on this second requirement.

     

    Documentation for the GD Module : https://support.ca.com/phpdocs/7/5262/SmX509CertAuthuthInstallConfigV2_10.pdf

     

    Download for GD Module : https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html 



  • 5.  Re: SSO Machine Authentication

    Posted 12-07-2017 10:27 AM


  • 6.  Re: SSO Machine Authentication

    Posted 12-07-2017 10:53 AM


  • 7.  Re: SSO Machine Authentication
    Best Answer

    Posted 12-07-2017 10:52 AM

    To answer the question I would need to know exactly which attribute the customer wants to use to identify a certificate coming from an approved corporate device. It would also be very helpful if a sample public cert could be provided as well information on the attribute to be used to identify the cert.

    One other consideration is that the value of the attribute would have to exist within the user store entry for every user.



  • 8.  Re: SSO Machine Authentication

    Posted 12-11-2017 04:20 AM

    Thank You Richard,

     

    We don't know which attribute would be used as this is in early planning (so the customer doesn't know either).

     

    I could try to get a sample public cert as you mention...

     

    Thanks for helping..