Symantec Access Management


  • 1.  Siteminder and External Provider Authentication scheme

    Posted May 22, 2025 08:19 AM

    Hello,

     I have a few questions about the newly introduced External Authentication Service authentication scheme.

     The documentation mentions OpenID Connect as the method of communication with the external provider, but doesn't include any specifics on what authorization flows should be configured at the external provider, as far as the OIDC protocol is concerned. Is it the authorization_code flow that needs to be configured, or is it another? If we're to use another Siteminder instance as the OIDC Provider in this authentication scheme, what would be the configuration parameters for an OIDC Client that would be needed on the Siteminder side?

      The office hours session in Feb 2025 mentioned this authentication scheme as being (primarily) created for integrating 3rd party MFA solutions as a 2nd MFA verification step in an MFA authentication scheme. Is there a list of MFA/OTP providers that have been tested/certified with this authentication scheme?



  • 2.  RE: Siteminder and External Provider Authentication scheme

    Posted Mar 10, 2026 01:59 PM

    Hi Cristi,

    We recently upgraded to R12.9 and took advantage of the new feature "External Authentication Service" auth scheme, but we needed to integrate with Microsoft Entra ID as the delegated authentication service provider, which unfortunately is not yet supported until the release of R12.9 SP1. We reached out to Broadcom and they provided us with some "patch" files which allow R12.9 to support Entra ID as the OIDC provider for the delegated authentication service provider.

    We used the below instructions from Broadcom to complete the setup of our External Authentication Service auth scheme using Entra ID as the OIDC authentication service provider, but I felt that the instructions were not quite specific enough, especially regarding the importing of the "trusted server SSL certificate".

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-9/implementing/integrations/integration-with-an-external-authentication-provider.html

    What this new External Authentication Service auth scheme does for us is it allowed us to stop using the Windows authentication scheme (NTLM) and instead use Microsoft Entra ID as a delegated authentication service to send our "employee" user identity to SiteMinder. When our employees attempt to access any web applications that are protected by SiteMinder and using the Windows Authentication scheme, SiteMinder would then rely on Entra ID to capture the user's identity and then use OIDC to send that user identity to SiteMinder. This scenario only works if your employees log in to their devices through either Entra joined only or hybrid joined.

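The OIDC authorization_code flow asked about in the question and relied on in the reply above, shown from the relying party's side as an added illustration (not SiteMinder's, Entra ID's or Broadcom's code): the RP sends state and nonce with the authorization request, checks state on the callback, and checks the ID token's claims before trusting the user identity. Endpoints, client id and token claims are constructed placeholders; signature verification against the provider's JWKS is assumed to have happened before the claim check.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values, not taken from the thread.
ISSUER = "https://idp.example.com"
AUTHZ_ENDPOINT = ISSUER + "/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://sso.example.com/oidc/callback"


def build_authorization_request():
    """Step 1: redirect the browser to the provider with fresh state and nonce.
    The RP must remember both and compare them when the response comes back."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",  # authorization_code flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state, nonce


def state_matches(callback_url, expected_state):
    """Step 2: on the callback, state must equal what was sent and a code must be present."""
    qs = parse_qs(urlparse(callback_url).query)
    return qs.get("state") == [expected_state] and "code" in qs


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Step 3: after exchanging the code at the token endpoint, check the ID
    token's claims before trusting 'sub'. Assumes the JWT signature was already
    verified against the provider's JWKS; returns the names of failed checks."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")  # token minted by a different issuer
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("aud")  # token issued for another client
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce")  # replayed or mismatched token
    if claims.get("exp", 0) <= now:
        problems.append("exp")  # expired token
    return problems
```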