Symantec IGA

  • 1.  CA-Advanced Authentication QnA in CA-Identity Portal

    Posted Oct 07, 2019 05:46 AM
    Hi Team,

    We have configured the CA-AA connector within CA-Identity Portal. We configured the QnA authenticator, authenticator rules, task permission and execution plans. The user is able to log in to CA-Identity Portal and request the QnA successfully.

    But when activating the QnA from CA-Identity Portal, the user is required to set the Question and Answer. The problem is that the Questions are not propagated from the defined questions in CA-AA. The user is not able to select the predefined CA-AA Questions.

    How can we get the predefined CA-AA questions and display on the CA-Identity Portal QnA setup screen?


  • 2.  RE: CA-Advanced Authentication QnA in CA-Identity Portal

    Broadcom Employee
    Posted Oct 08, 2019 10:21 AM
    Does anyone in the greater user community have any suggestions for Hock?

    ------------------------------
    Best regards,

    Scott Owens
    Sr Support Engineer
    Enterprise Software Division
    Broadcom Inc.
    ------------------------------



  • 3.  RE: CA-Advanced Authentication QnA in CA-Identity Portal
    Best Answer

    Posted Oct 09, 2019 09:24 AM
    Typically AA QnA would read the same QnA IDM has defined / utilized.  However currently this is only achievable by custom code to consume IDM TEWS. 

    I also reviewed the Strong Auth connector docs - http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-management-and-governance-connectors/1-0/connectors/ca-connectors/ca-strong-authentication.html

    This seems to be expected behavior of the connector but I agree with your approach and the connector should synchronize the QnA between both products.  I would raise an enhancement request or maybe support can better explain. 

    "Note: QnA credentials are not synchronized. Both are fully supported and should be thought of as separate credentials. Use one of the approaches in this table, but not both."


  • 4.  RE: CA-Advanced Authentication QnA in CA-Identity Portal

    Posted Oct 09, 2019 11:59 PM
    Hi Jack,

    Thanks for your update. Yes, an enhancement request to sync both AA and IDM QnA will be the best solution.

    Currently, in our setup, we are using the Identity Portal Admin UI to configure:

    • CA Advanced Authentication Connector
    • Authenticator
    • Authenticator Rules
    • Target Permissions
    • etc
    We did not define an IDM Connector for CA Advanced Authentication. Also, the IDM QnA is not used.

    The configured connector somehow is pre-configured with authenticator types QnA, OTP, User Password and ArcotID PKI. When we complete the configurations, the user is able to request the QnA. And to define the Questions and Answers, the user just needs to go to User->Settings.

    When defining the QnA, the questions are not displayed on the screen.  However, when we perform "inspect" on the page, we can see the Questions are passed on to the Identity Portal.  It just now display as drop-down for users to select. 



    We are not sure if there are additional configurations required. We are not able to find further documentation on this. Any advice on how to get the questions onto the user screen?