We are using R12.7 SSO Policy Server with R12.7 Access Gateway in the client's environment, and the requirement now is to do O365 integration using federation services with CA Access Gateway. Some queries below, if someone can help:
1) Can we do a POC with a Microsoft test tenant which has a one-month free subscription? Also, for doing a POC with a test tenant, do we need to register a domain for the test tenant with an ISP?
2) Can we do a POC without user sync, i.e. a manual approach of adding test users in Azure AD with the same attributes?
For Actual Implementation:
1) Do we really need the "DMZ Proxy" and STS services on the Internet if the organization wants O365 access to be restricted to within the network only? I understand this is not a good option, but somehow the business wants it this way.
2) Do we really need to do a separate setup for IWA (Integrated Windows Authentication) that uses NTLM? The reason I am asking is that I can see in the documentation that STS needs to be enabled with IWA using the KDC with the steps below:
Configure the CA Access Gateway Administrative UI.
a. Open the CA Access Gateway Administrative UI, navigate to Web Services, and Security Token Service.
b. Configure the following fields in the STS IWA Configuration section:
KDC Address: Defines the fully qualified domain name and port of the KDC.
Kerberos Realm: Defines the domain name of the KDC machine.
Keytab: Defines the path to the Keytab file that you generated.
Principal: Defines the Service Principal Name (SPN) value that a client uses to uniquely identify a service instance. Example: HTTP/casso-sps.caofficedemos.com
HTTP: Indicates the service name.
casso-sps.caofficedemos.com: Indicates the CA Access Gateway fully qualified host name.
3) How does the solution work for mobile users?
Any further guidance on O365 integration will be of great help.
For POC: 1) Can we do a POC with a Microsoft test tenant which has a one-month free subscription? Also, for doing a POC with a test tenant, do we need to register a domain for the test tenant with an ISP?
If you are doing the PASSIVE profile, then you do not need Internet accessibility, nor would you need STS on CA AG, unless you want it accessible from a mobile device which is not connected to an office network.
If you are doing the ACTIVE profile, then you'll need to access the STS on CA AG from the Internet. Your STS on CA AG should preferably be on the organization's DMZ network.
No, it is not mandatory. We support Basic, Forms, and Windows Authentication.
Microsoft Office 365 - CA Single Sign-On - 12.8 - CA Technologies Documentation
In the Passive profile, it depends on the Authentication Scheme which protects the Authentication URL in the Partnership. This supports both Forms- and IWA-based Auth Schemes.
In the Active profile, STS can request clients to authenticate using WSUSERNAME (the user will be prompted to enter credentials), or STS can request clients to authenticate with Windows login information (Kerberos / NTLM). Support for STS being able to ask for the Windows login was introduced in R12.52 SP1 CR04 (both PS and CA AG must be at minimum R12.52 SP1 CR04 for the Active profile to support IWA / Kerberos). Versions below R12.52 SP1 CR04 only support the challenge for credentials and do not support IWA in the Active profile.
I think the real question is whether mobile users are accessing from the intranet and/or from the Internet. I think when we speak of mobile users, it is always the latter (i.e. Internet, which includes the intranet as well).
Irrespective, as long as your solution is Internet-facing, it should work from a browser (PASSIVE profile) and/or a rich client (ACTIVE profile).
Single Sign-on to Office 365 - CA Single Sign-On - 12.8 - CA Technologies Documentation
Passive Profile : SAP Portal Services
Thanks for the detailed reply; it helped a lot. I would appreciate it if you could provide your view on the follow-up queries below:
Also, the solution scope is to have the "Active Profile" with desktop SSO for business users:
1) As we have to do this integration with the Active profile with the Windows authentication scheme, can we use a native NTLM IWA setup, or do we really need Kerberos authentication here as mentioned in the step below? Also, if we go with Kerberos, do we need to do a separate setup for IWA on Windows / IIS servers?
2) For mobile users, we have the two use cases below:
a) Mobile user access from the Internet --> In this case, how will IWA work?
b) Mobile user access with MaaS360 (mobile VPN for the organization) --> again, how will IWA / authentication work in this case?
Once again, lastly, I am still confused whether we need to do a complete IWA setup separately on Windows IIS servers for the O365 integration that uses the native NTLM approach, and do we need any separate license for the IWA setup?
There are various things in play here, but let me keep it simple for now. You only need CA AG to make IWA or Kerberos work. CA AG supports IWA if CA AG is installed on Windows, and CA AG supports Kerberos if CA AG is installed on non-Windows, e.g. Linux. You do not need IIS nor a Web Agent to make IWA or Kerberos work. If you already have a working IWA or Kerberos setup using a Web Agent based solution, then it's fine to reuse that. But if you are building something from scratch, then all you need is CA AG and Policy Server (for your entire solution, i.e. IWA or Kerberos and Active Profile SSO to O365).
SPS for IWA Authentication
IWA with SPS 12.6 in Linux
Access Gateway 12.7 on Linux can support Windows Authentication scheme?
IWA to Forms fallback: I think from what I'm hearing from you, it is best if you install CA AG on Windows. That way you can avail of IWA to Forms fallback, which is supported from R12.7. This way, when a user accesses from the Internet, IWA will fail and redirect to the Forms Authentication Scheme.
Authentication Chaining - CA Single Sign-On - 12.8 - CA Technologies Documentation
Configure IWA Fallback to Forms Using Authentication Chain - CA Single Sign-On - 12.8 - CA Technologies Documentation
But this is basically about getting the design right. So here is another perspective I'd like you to consider: Federation POC setup on the basis of origin of request
Kerberos failover to Forms is still not GA (not available in R12.8); albeit, we (CA) have provided a patch to one customer to make this work. I anticipate this will be available in the near future, possibly in the next releases.
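The reply above says a CA AG on Linux does Kerberos and only needs the KDC address, realm, keytab and SPN from the STS IWA Configuration section. The mistake a practitioner most often makes at that step is a keytab whose principal or realm does not match what was typed into the Principal and Kerberos Realm fields (case differs, realm lowercase, wrong host, or only an RC4 key). The following is an added example, not code from the thread or from CA: a small parser for the MIT keytab v2 file format (0x0502, big-endian fields) plus a check that the configured SPN@REALM is really present. The sample keytab is constructed inline with dummy key bytes so the script runs offline; the SPN and realm are the ones quoted in the question.

```python
"""Verify that a Kerberos keytab contains the SPN configured in the CA AG
STS IWA "Principal" field. Added example; assumes MIT keytab v2 layout."""
import struct

# Values taken from the thread's example; the key material below is dummy.
SPN = "HTTP/casso-sps.caofficedemos.com"
REALM = "CAOFFICEDEMOS.COM"
KRB5_NT_PRINCIPAL = 1
WEAK_ENCTYPES = {1, 3, 23}   # des-cbc-crc, des-cbc-md5, arcfour-hmac (RC4)


def _octets(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """Construct a v2 keytab from (principal, realm, kvno, enctype, key).
    Only used here to produce sample input for check_keytab()."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)           # optional 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Parse a v2 keytab into dicts with principal, realm, kvno, enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _read_octets(data, pos)
        kvno = vno8
        if end - pos >= 4:            # 32-bit vno present: it overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm.decode(),
                        "kvno": kvno, "enctype": enctype})
    return entries


def check_keytab(data: bytes, spn: str, realm: str):
    """Return a list of problems; empty means the keytab matches the
    Principal and Kerberos Realm entered in the STS IWA Configuration."""
    entries = parse_keytab(data)
    exact = [e for e in entries if e["principal"] == spn and e["realm"] == realm]
    if not exact:
        loose = [e for e in entries
                 if e["principal"].lower() == spn.lower()
                 and e["realm"].lower() == realm.lower()]
        if loose:
            return [f"entry differs only in case: {loose[0]['principal']}@"
                    f"{loose[0]['realm']} (Kerberos names are case-sensitive; "
                    "the realm is conventionally uppercase)"]
        return [f"no entry for {spn}@{realm}; keytab has: "
                + ", ".join(f"{e['principal']}@{e['realm']}" for e in entries)]
    if all(e["enctype"] in WEAK_ENCTYPES for e in exact):
        return ["only weak enctypes (RC4/DES) for this SPN; regenerate with AES"]
    return []


if __name__ == "__main__":
    sample = build_keytab([(SPN, REALM, 3, 18, b"\x11" * 32)])  # 18 = aes256
    print(parse_keytab(sample))
    print(check_keytab(sample, SPN, REALM) or "keytab OK")
```

On a real box, read the file the Keytab field points at (`open(path, "rb").read()`) and pass it to `check_keytab` with the exact strings from the Principal and Kerberos Realm fields; `klist -kt <file>` shows the same entries if MIT tools are installed.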
Thanks for making it very simple for me; it's really helpful. So in total we already have i) SSO Policy Server 12.7 on Linux and ii) CA Access Gateway 12.7 on Linux, and our requirement is to have O365 integration with desktop SSO. From the comments, what I can conclude is:
1) We need to have STS exposed to the Internet, and this can be done either by putting CA AG in the DMZ or by having an Apache proxy in the DMZ which forwards requests to the CA AG STS services.
2) Since CA AG is installed on Linux, it needs Kerberos. No need for a separate IWA setup.
So now, for mobile users from the Internet, since CA AG is on Linux and it doesn't support fallback to Forms, how will the solution work? Is there any alternative other than installing CA AG on Windows? Actually, we already have CA AG on Linux, so the customer wouldn't want to go to Windows.
Also please note, we have other integrations working with the same Access Gateway, like S.Now, SuccessFactors & many others, so enabling CA AG with Kerberos will not make any impact on existing applications? Is that correct, or do we really need a separate Access Gateway for the O365 integration?
This would be my last query, and I will be thankful if you can spend a few minutes answering it.
You could use the current install of CA AG for internal traffic and build new instances of CA AG on the same server (or a new server) for Internet traffic. Refer to this blog: https://communities.ca.com/thread/241813265-federation-poc-setup-on-the-basis-of-origin-of-request
If the client IP is internal, route traffic to the internal CA AG STS. If the client IP is Internet, route traffic to the external CA AG STS. The most important gap for me is that if you do not have an internal CA SSO PS and an external CA SSO PS, then both CA AGs would speak to a single O365 Partnership, which then makes it very challenging.
You'll need to PoC this out with a single O365 partnership on CA SSO PS. I don't know a lot about your infrastructure, hence I'm skeptical about talking too much about an assured design over a community blog without reviewing the customer's infra.
I'd say it's best we engage CA Services beyond this, as it would be beneficial to design this right.
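The reply above proposes two CA AG instances and routing by origin: internal client IPs to the internal STS (Kerberos), everything else to the DMZ STS. The part that bites in practice is deciding what "client IP" means once a DMZ reverse proxy sits in front: the TCP peer is then the proxy, and X-Forwarded-For is attacker-writable unless you only trust the hop your own proxy appended. Added example, not from the thread or from CA, showing that decision as a function; the corporate ranges, the trusted-proxy subnet and the two STS labels are assumptions for illustration. It does not address the single-partnership concern raised above, which the routing layer cannot solve.

```python
"""Pick the STS instance for a request based on where the client really is.
Added example; corporate ranges and proxy subnet are assumed values."""
import ipaddress

# Assumed: internal (Kerberos-capable) client ranges of the organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed: the only hosts allowed to speak for the client via X-Forwarded-For
# (the DMZ reverse proxies in front of the external CA AG).
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24")]
INTERNAL_STS = "internal-cag-sts"   # label only; real hostname is site-specific
EXTERNAL_STS = "external-cag-sts"


def _is_in(ip, nets) -> bool:
    return any(ip in n for n in nets)


def client_ip(remote_addr: str, xff_header: str = None):
    """Resolve the originating client address.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy.
    The header is then walked from the right (most recently appended hop);
    trusted proxies are skipped and the first untrusted hop is the client.
    Anything further left was supplied by the client and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not _is_in(peer, TRUSTED_PROXIES):
        return peer
    for hop in reversed([h.strip() for h in xff_header.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:          # garbage in the header: stop trusting it
            break
        if not _is_in(addr, TRUSTED_PROXIES):
            return addr
    return peer


def route_sts(remote_addr: str, xff_header: str = None):
    """Return (origin, sts_label) for a request."""
    ip = client_ip(remote_addr, xff_header)
    if _is_in(ip, INTERNAL_NETS):
        return "internal", INTERNAL_STS
    return "internet", EXTERNAL_STS


if __name__ == "__main__":
    # Constructed requests: direct intranet client, direct Internet client,
    # Internet client via DMZ proxy, and a spoof attempt from the Internet.
    for args in (("10.20.30.40",), ("203.0.113.5",),
                 ("10.1.1.5", "203.0.113.7"),
                 ("203.0.113.5", "10.20.30.40")):
        print(args, "->", route_sts(*args))
```

The last constructed request shows the point of the trust check: an Internet peer sending `X-Forwarded-For: 10.20.30.40` still lands on the external STS, because its header is never consulted. If a WAF or load balancer is chained in front of the DMZ proxy, add its subnet to the trusted list rather than loosening the walk.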
Thanks for the detailed clarification; we have recommended that the customer have the solution reviewed by CA Services.
In the meantime, there is an ask whether we can enable MFA (OTP based) for the O365 integration, especially for the browser-based scenarios.
MFA (OTP based) for the Passive profile is fine. However, when we do so, we also need to think ahead (e.g. enabling the Active profile in the future).
As for the question, it is a matter of enabling a relevant Authentication Scheme (e.g. Radius or XAuthRadius) and associating that with the Authentication URL in the Partnership.
So it really depends on what kind of MFA (X509, Radius, 3rd-party product integration) and for which segment of users (intranet or Internet or both).