Symantec IGA

  • 1.  Bulk load Active Directory user passwords

    Posted Feb 27, 2017 08:38 PM

    Background:

    Bulk user on-boarding from Active Directory into CA Directory is already completed, but now we are challenged to ensure that the end-user's first login into CA Identity Manager is simple and synchronized.

    Question Detail:

    Searching for a best practice to implement CA Technologies Identity Manager authentication, without Siteminder, using the customer's existing Microsoft Active Directory passwords and policies.

    More specifically, what would be the best practice to set up first login for thousands of users into CA IdM within an infrastructure devoid of Siteminder (SSO)?

    More Technical Details:

    The client predominantly uses Active Directory (as their authentication directory) within their enterprise, but CA IdM uses the CA Directory user store for authentication. How best to unify these credentials?

    Limitations:

    Meaning, Siteminder for whatever reason can't be utilized to authenticate users into IdM against Microsoft Active Directory, which would likely be the best approach; nonetheless, thousands of users need to log in to CA IdM (for the first time) and have no password set up in the CA IdM user store.

    Bottom Line:

    How best can we unify these disparate authentication directories (CA Directory, Microsoft Active Directory) so that the CA Identity Manager UI can make the best possible first impression on its user base when they log in for the first time?

    Possible Solutions:

    Have considered the following possible solutions:

    (1 and 2 would require setting a new password, 3 and 4 wouldn't)

    1- Should the forgotten password reset task be used? But does the user need to log in to set security questions, or can this be bypassed in the roles and tasks settings?

    2- Can password sync / credential provider be used to catch AD password changes and synchronize them back up to CA IdM, or would it just go to the provisioning server / store and not make it to the corporate store? If password sync were feasible, couldn't all AD accounts require the user to reset their password at next login, which would then update the same password to allow them to log in to CA IdM?

    3- Customize the CA IdM login authentication JSP to authenticate against AD instead of the CA Directory user store?

    4- Make a secure LDAP bind from IDMGR to AD when AD is the user store and Siteminder is not in use. But this is an old approach; is there anything more updated? Also, wouldn't this require creating a new directory and environment within the management console?

    5- ..

    *Please note, any hyperlinks above were just compiled while I was researching this on the communities and aren't directly related to this question. The above communities hyperlinks aren't directly related to the problem I'm trying to solve or the solution being sought after; they simply further explain sections of these proposed solutions, which may many times be trivial, but sometimes help describe details in a different way, which I hope will help those reading it to better understand the bigger picture of the problem we're trying to solve.

    Thanks, appreciate the help.

    Chris.



  • 2.  Re: Bulk load Active Directory user passwords

    Broadcom Employee
    Posted Feb 28, 2017 09:26 AM

    One commonly used technique (a variation on your #2) for implementations that take a few months is to set up the production environment with a bare-bones set of roles / tasks (so you can load up the roles/tasks from dev/test later). Bulk-load just the core attributes of the accounts into the corporate user store. Set up the AD password sync agent on the domain endpoints, and begin capturing those password changes and propagating them to the provisioning server. This will update the corporate store password too. I've missed a few steps, but the general approach is to load up the user accounts, capture the password changes for the 60-90 day period where users change their passwords, and you'll have valid passwords for 90% of the users when you open for business.



  • 3.  Re: Bulk load Active Directory user passwords

    Posted Feb 28, 2017 11:54 AM

    Hey Kevin,

    I agree #2 would be ideal, but its major downfall is the time it takes to implement. How best to provide access to IdM without any further delays? Has there been any testing with the credential provider for resetting AD user passwords in bulk? Meaning perhaps expiring all the AD user passwords simultaneously to generate thousands of password changes and get user passwords in sync with IdM, or is there a chance you could overload the password reverse sync operations?

    Is there any commonly used self-service task approach, or combination of the above approaches, which would alternatively allow users to log in without just having to wait for the magic to happen? Like perhaps implementing the credential provider in combination with a self-service approach, so if the user doesn't set the password themselves, the credential provider may just magically do it for them the next time they set their AD password.

    Thanks,

    Chris.



  • 4.  Re: Bulk load Active Directory user passwords
    Best Answer

    Posted Mar 01, 2017 08:57 AM

    I think the first thing you need to determine is what should/will be the authentication store moving forwards. It sounds like AD is the authentication store in place today. Will that continue to be the case, and if so, does your design want IM to leverage that authentication store as well or not?

    I believe CA Global Delivery offers an authentication module (at a cost) that will authenticate against Active Directory so that you can achieve that type of functionality without integration with Siteminder. You can check with your CA Account Representative concerning that route, which I believe is along the lines of option #3 you listed. I know other customers have done that.

    Option #4 is not really an option, as your IME will use the IM UserDir associated with the IME.

    Option #2 won't work unless you force all end-users to reset their password on the AD endpoint natively, as you would need the passwords to be changed for the PSYNC Agent to catch it, and this assumes that the AD accounts have been explored/correlated to a provisioning user and that a corresponding IM user already exists.

    Option #1 requires the questions/answers to be set (either by the end user, or you would need to go through and pre-populate with questions/answers, but that could be a challenge to know what values to use if you were doing it yourself).



  • 5.  Re: Bulk load Active Directory user passwords

    Posted Mar 02, 2017 06:00 PM

    Hi Ken,

    I agree we shouldn't be trying to reinvent the wheel and should simply authenticate against Active Directory, but I am confused why Siteminder supports AD authentication out of the box, yet Identity Manager without Siteminder doesn't support Active Directory authentication, especially when it seems that a solution already exists from GD and is documented somewhere. I'm confused why CA wouldn't post this as a technical document or draft a communities post to help transform this into an out-of-the-box feature and thereby improve deployments devoid of Siteminder, which may represent quite a few customer deployments. Or is the lack of published information an incentive for those customers to purchase Siteminder and enable this configuration without the use of GD?

    Thanks,

    Chris.



  • 6.  Re: Bulk load Active Directory user passwords

    Posted Mar 05, 2017 12:14 AM

    Hi Chris,

    Your proposal seems quite practical and avoids the impact of all users resetting passwords at the same time.

    But it leads me to 2 questions:

    1) Where could I find information about the solution that "exists somewhere"?

    2) Assuming it is possible, would it be a good approach to have it in place for 60-90 days (password expiry time) and afterwards change the authentication to IdM?

    Thank you,

    Paulo



  • 7.  Re: Bulk load Active Directory user passwords

    Posted Mar 07, 2017 07:30 PM

    After contemplating the feedback from this post, I think the best approach is to utilize a combination approach: 1) put the psync agents in place to capture all new password changes and 2) utilize the untested approach of bulk updating password hashes from MS AD to CA Directory.



  • 8.  Re: Bulk load Active Directory user passwords

    Broadcom Employee
    Posted Mar 03, 2017 08:38 AM

    I haven't tried this trick, but some other folks have and say it works.

    You can run a PowerShell script to extract the password hash from Active Directory:

    https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/

    Then, load those into the user entries in CA Directory. Put {NTLM} in front of the hashed password when you import the hashed password into CA Directory. When a user changes the password from Identity Manager, its hash format will be changed based on the CA Directory password hash option.

    EX) userPassword: {NTLM}Afxaa+e8aSmq07Q1tRQE7g==



  • 9.  Re: Bulk load Active Directory user passwords

    Posted Oct 01, 2017 04:18 AM

    I have tried this approach and it works; there are a couple of things to note.

    1. CA Directory supports 2 schemes, {NT} and {NTLM}.

    {NT} represents NTLM.

    {NTLM} represents the LM hash.

    2. The gathered hash, whether it is the NTLM or the LM hash, has to be base64 encoded.

    Now, after encoding, you can use the result when setting the userPassword value.

    Example for the Windows NTLM hash: userPassword: {NT}Afxaa+e8aSmq07Q1tRQE7g==

    In all, I used the DSInternals PowerShell script to obtain the hashes. I then used Pentaho to do a base64 encode on the hashes and perform the LDAP add operation.

    There are other challenges that loom on user migration from AD, but this one is a huge victory.

    -Jose R
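Posts 8 and 9 describe loading a base64-encoded hash with a {NT} or {NTLM} prefix into userPassword. The following is an added example, not code from the thread or from CA/Pentaho, that turns a hex-encoded 16-byte hash into that LDIF form and reports malformed rows instead of dropping them; the DNs, sample hash values and prefix mapping are assumptions (the two posts differ on which prefix denotes which hash family, so check the CA Directory documentation before a real import).

```python
import base64
import binascii

# Assumed prefix mapping: the thread's posts disagree on which label denotes
# which hash family, so confirm this against your CA Directory documentation.
SCHEME_PREFIX = {"nt": "{NT}", "lm": "{NTLM}"}


def encode_hash_value(hash_hex: str, scheme: str = "nt") -> str:
    """32 hex chars (a 16-byte NT or LM hash) -> prefixed base64 userPassword value."""
    if scheme not in SCHEME_PREFIX:
        raise ValueError(f"unknown scheme {scheme!r}")
    try:
        raw = binascii.unhexlify(hash_hex.strip())
    except (binascii.Error, ValueError) as exc:
        raise ValueError("hash is not valid hex") from exc
    if len(raw) != 16:  # both NT and LM hashes are exactly 16 bytes
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    return SCHEME_PREFIX[scheme] + base64.b64encode(raw).decode("ascii")


def ldif_modify_record(dn: str, hash_hex: str, scheme: str = "nt") -> str:
    """One LDIF 'changetype: modify' record replacing userPassword on an entry."""
    value = encode_hash_value(hash_hex, scheme)
    return f"dn: {dn}\nchangetype: modify\nreplace: userPassword\nuserPassword: {value}\n-\n"


def build_ldif(rows, scheme: str = "nt"):
    """Build the LDIF for (dn, hash_hex) rows; returns (ldif_text, rejected).

    Malformed rows are reported instead of silently skipped, so a bad line in
    the export cannot disappear into a partial import."""
    records, rejected = [], []
    for dn, hash_hex in rows:
        try:
            records.append(ldif_modify_record(dn, hash_hex, scheme))
        except ValueError as exc:
            rejected.append((dn, str(exc)))
    return "\n".join(records), rejected


if __name__ == "__main__":
    # Constructed sample rows, not real account data. The output is
    # password-equivalent material: keep it off disk and load it over LDAPS.
    sample = [
        ("cn=alice,ou=people,o=example", "0123456789abcdef0123456789abcdef"),
        ("cn=bob,ou=people,o=example", "not-a-hash"),
    ]
    text, bad = build_ldif(sample)
    print(text)
    print("rejected:", bad)
```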