We have a standard SiteMinder Policy Server/WebAgent setup, SPS for federation for Session DNA and API Gateway solution in house. Now we have a requirement for an application protected by SM (no SPS in this case) to identify a user's device and prompt them for credentials accordingly. Is this possible with the standard PS/WA combo? If not, do I need to add SPS to the mix? Is there any tech note that has been published around this use case? I am sure lots of people have a similar use case. Appreciate any insights as usual. Thanks in advance.
Authentication schemes are tied to a realm only. So as long as the realm (agent and resource combination) is the same you are going to trigger the same authentication scheme.
Now, thinking of it, what I think you should be able to do is write a custom authentication scheme and pass this user's device info as a parameter to the authenticate() method.
You can refer to the following post on how to collect additional information and pass it to the custom authentication:
Tech Tip : CA Single Sign-On :Policy Server:How to collect additional attribute using custom authentication
Then, depending upon the user device info collected, you can fork the authentication scheme as you like (e.g. send a different challenge form, etc.).
This leaves you with the main task of collecting user device info. This is something that you will have to take care of in your custom login page with your own logic and is something SiteMinder can't help with.
Hope this helps (albeit very little).
Ujwol's Single Sign-On Blog
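The device-based fork described in the answer above, as an added example that is not part of the original thread and does not use any SiteMinder API: the raw User-Agent header is reduced to one allow-listed device class, and that class, not the raw header, decides the challenge form. The class names, form identifiers and length cap are assumptions; because the header is supplied by the client, anything unrecognised falls through to the strictest form.

```javascript
// Added example; class names and form identifiers are hypothetical.
const MAX_UA_LENGTH = 512; // assumed cap; longer headers are treated as unknown

// First match wins: tablets are tested before phones, phones before desktops,
// because Android user agents also contain "Linux".
const DEVICE_RULES = [
  { cls: "tablet", re: /iPad|Android(?!.*Mobile)/i },
  { cls: "mobile", re: /iPhone|iPod|Android.*Mobile|Windows Phone/i },
  { cls: "desktop", re: /Windows NT|Macintosh|X11|Linux/i },
];

// Hypothetical challenge forms the custom scheme could fork to.
const CHALLENGE_FORMS = {
  desktop: "desktop-form",
  tablet: "mobile-form",
  mobile: "mobile-form",
  unknown: "strict-form", // unrecognised clients get the strictest challenge
};

// Reduce a raw User-Agent header to one allow-listed device class.
function classifyDevice(userAgent) {
  if (typeof userAgent !== "string") return "unknown";
  const ua = userAgent.trim();
  // Reject empty, oversized or non-printable input instead of guessing.
  if (ua === "" || ua.length > MAX_UA_LENGTH || /[^\x20-\x7e]/.test(ua)) {
    return "unknown";
  }
  const rule = DEVICE_RULES.find((r) => r.re.test(ua));
  return rule ? rule.cls : "unknown";
}

// Pick the form for a class; anything outside the allow-list maps to strict.
function selectChallenge(deviceClass) {
  return Object.prototype.hasOwnProperty.call(CHALLENGE_FORMS, deviceClass)
    ? CHALLENGE_FORMS[deviceClass]
    : CHALLENGE_FORMS.unknown;
}

// Constructed sample headers, not captured traffic.
const SAMPLES = [
  "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148",
  "Mozilla/5.0 (Linux; Android 9; SM-T510) AppleWebKit/537.36 Safari/537.36",
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "curl/8.0",
];
for (const ua of SAMPLES) {
  console.log(classifyDevice(ua), "->", selectChallenge(classifyDevice(ua)));
}
```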
Thank You Ujwol.
Do you see a possibility of the SPS and SM combo providing this OOB in future? I see that SPS is collecting user-agent to some extent in the current version.
I am assuming this as a common problem.
Also check out this link:
Hey, I found this at: CA SiteMinder® SPS Integrated Documents 12.52 SP1
Supports multiple device types
Through a set of proxy rules, CA SiteMinder® SPS forwards, or redirects, requests based on the type of device issuing the requests. For example, all initial requests can be directed at CA SiteMinder® SPS, which forwards requests to destination servers based on device types. Browser requests can be redirected to destination servers, and CA SiteMinder® SPS handles wireless requests.
Can this be useful to my case?
Sounds like it may be.
So, you can utilise this feature to identify device type and redirect to different resources on the backend which are protected by different device type.
Have you tried this?
I haven't yet. I will try and let you know how it goes.