Arun ArunGoswami007
Irrespective of the CA SSO version (R12.52 / R12.7 / R12.8), the bottom line is:
- If SSO to Azure Cloud is needed, then we do federation (as per the link provided from CA SSO Documentation by Vijay).
- If MFA to Azure MFA is needed, then one option is RADIUS authentication.
There is no direct integration with Azure MFA (MultiFactor Authentication) from any CA SSO version e.g. using a 302 redirect from CA SSO Authentication Scheme to Azure MFA (MultiFactor Authentication).
The simpler supported way that I know of is going the RADIUS route. Here is how I envision the flow to be.
- CA SSO will challenge the user for Credentials. CA SSO Web Agent will collect the user name / password / token.
- CA SSO Policy Server will validate the username / password with on-premises AD.
- CA SSO Policy Server will make a call to NPS using the RADIUS protocol to validate the token.
- NPS will speak with Azure MFA in the cloud to validate the token and pass a response back to CA SSO Policy Server.
- Based on the response back from NPS / Azure MFA, CA SSO Policy Server will take the final call on whether the user is authenticated or not.
- If all is successful, then CA SSO Policy Server would send IsAuthenticated() success to CA SSO Web Agent.
Here in this link, there is a high level explanation.
Use existing NPS servers to provide Azure MFA capabilities | Microsoft Docs
Have we reached out to the Azure MFA user forums and asked the same question, just for surety / reassurance, on how Microsoft recommends using Azure MFA in conjunction with 3rd-party access management products? I'd do that as well to see Microsoft's perspective.
Regards
Hubert
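
The RADIUS leg of the flow described in the post above, as an added example (not from the post, and not CA SSO or Microsoft code): the policy-server side builds an RFC 2865 Access-Request, a stand-in for NPS answers, and the caller accepts only a reply whose Response Authenticator verifies. Assumptions: the token is carried in User-Password, and the function names, shared secret and sample values are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(secret: bytes, req_auth: bytes, value: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: MD5 keystream chained per 16-byte block."""
    value += b"\x00" * (-len(value) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(value), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(value[i:i + 16], pad))
        out += prev
    return out

def attr(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v

def build_access_request(ident, user, token, secret, req_auth=None) -> bytes:
    """Policy-server side. Assumption: the token travels as User-Password."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(1, user.encode()) + attr(2, hide_password(secret, req_auth, token.encode()))
    attrs += attr(80, b"\x00" * 16)  # Message-Authenticator placeholder (RFC 2869)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    # HMAC-MD5 over the whole packet with the placeholder zeroed, then fill it in
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_response(code: int, request: bytes, secret: bytes) -> bytes:
    """Stand-in for NPS: attribute-less reply with a valid Response Authenticator."""
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def check_response(resp: bytes, request: bytes, secret: bytes) -> int:
    """Return the reply code only if length, ID and Response Authenticator verify."""
    if (len(resp) < 20 or resp[1] != request[1]
            or struct.unpack("!H", resp[2:4])[0] != len(resp)):
        raise ValueError("malformed or mismatched RADIUS response")
    expect = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    if not hmac.compare_digest(expect, resp[4:20]):
        raise ValueError("bad Response Authenticator (wrong secret or forged reply)")
    return resp[0]

def final_decision(ad_password_ok: bool, resp: bytes, request: bytes, secret: bytes) -> bool:
    """Both factors must pass; a RADIUS error or any non-Accept code fails closed."""
    try:
        return ad_password_ok and check_response(resp, request, secret) == ACCESS_ACCEPT
    except ValueError:
        return False
```

The hiding scheme protects the token only as well as the shared secret does, so the secret between the policy server and NPS should be long, random and unique to that client entry.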