Symantec Access Management

  • 1.  Separate authentication scheme based on the client type

    Posted Sep 29, 2016 11:17 AM

    We have a standard SiteMinder Policy Server/WebAgent setup, SPS for federation for Session DNA and an API Gateway solution in house. Now we have a requirement for an application protected by SM (no SPS in this case) to identify a user's device and prompt them for credentials accordingly. Is this possible by standard PS/WA combo? If not, do I need to add SPS to the mix? Is there any tech note that has been published around this use case? I am sure lots of people have a similar use case. Appreciate any insights as usual. Thanks in advance.



  • 2.  Re: Separate authentication scheme based on the client type
    Best Answer

    Posted Sep 29, 2016 08:06 PM

    Hi Anil,

     

    Authentication schemes are tied to a realm only. So as long as the realm (agent and resource combination) is the same you are going to trigger the same authentication scheme.

     

    Now, thinking of it, what I think you should be able to do is write a custom authentication scheme and pass this user's device info as a parameter to the authenticate() method.

     

    You can refer to the following post on how to collect additional information and pass it to the custom authentication:

    Tech Tip: CA Single Sign-On: Policy Server: How to collect additional attribute using custom authentication

     

    Then, depending upon the user device info collected, you can fork the authentication scheme as you like (e.g. send a different challenge form, etc.).

     

    This leaves you with the main task of collecting user device info. This is something that you will have to take care of in your custom login page with your own logic and is something SiteMinder can't help.

     

    Hope this helps (albeit a very little).

     

    Regards,

    Ujwol

    Ujwol's Single Sign-On Blog 
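
The fork step described in the answer above, as an added example that is not part of the original posts and does not use the SiteMinder SDK: device info only selects which challenge to present, and missing, malformed or conflicting info falls back to the strictest challenge. The challenge names, device categories, User-Agent patterns and the `declared_device` value posted by the login page are assumptions.

```python
import re

# Hypothetical challenge identifiers; a deployment maps these to its own forms.
# Assumption: STRICTEST is at least as strong as every entry in the map.
STRICTEST = "form_plus_otp"
CHALLENGE_BY_DEVICE = {
    "desktop": "html_form",
    "mobile": "mobile_form",
    "api_client": "client_cert",
}

# Illustrative patterns only; real User-Agent parsing needs a maintained list.
_MOBILE = re.compile(r"\b(Android|iPhone|iPad|Mobile)\b", re.I)
_DESKTOP = re.compile(r"\b(Windows NT|Macintosh|X11)\b", re.I)
_API = re.compile(r"(curl|python-requests|okhttp|Java)/", re.I)
_SAFE = re.compile(r"[\x20-\x7e]{1,512}")  # printable ASCII, bounded length


def classify_device(user_agent):
    """Return 'desktop', 'mobile', 'api_client' or 'unknown'."""
    # Reject empty, oversized or control-character input (e.g. CR/LF).
    if not user_agent or not _SAFE.fullmatch(user_agent):
        return "unknown"
    if _API.match(user_agent):
        return "api_client"
    if _MOBILE.search(user_agent):   # checked before desktop: iPad UAs may
        return "mobile"              # also carry desktop-looking tokens
    if _DESKTOP.search(user_agent):
        return "desktop"
    return "unknown"


def select_challenge(user_agent, declared_device=None):
    """Choose the challenge to present for this login attempt.

    Both inputs come from the client, so they pick a presentation only;
    every challenge in the map must be acceptable for the resource.
    """
    observed = classify_device(user_agent)
    if observed == "unknown":
        return STRICTEST
    # The login page's claim and the header disagree: do not trust either.
    if declared_device is not None and declared_device != observed:
        return STRICTEST
    return CHALLENGE_BY_DEVICE[observed]
```
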



  • 3.  Re: Separate authentication scheme based on the client type

    Posted Oct 05, 2016 12:05 PM

    Thank You Ujwol.

    Do you see a possibility with SPS and SM combo providing this OOB in future? I see that SPS is collecting the user-agent to some extent in the current version.

    I am assuming this as a common problem.



  • 4.  Re: Separate authentication scheme based on the client type

    Broadcom Employee
    Posted Oct 03, 2016 04:31 PM

    Anil,

    Also check out this link:

    https://communities.ca.com/thread/99765940



  • 5.  Re: Separate authentication scheme based on the client type

    Posted Oct 17, 2016 06:07 PM

    Hey, I found this at: CA SiteMinder® SPS Integrated Documents 12.52 SP1

     

    Supports multiple device types

    Through a set of proxy rules, CA SiteMinder® SPS forwards, or redirects, requests based on the type of device issuing the requests. For example, all initial requests can be directed at CA SiteMinder® SPS, which forwards requests to destination servers based on device types. Browser requests can be redirected to destination servers, and CA SiteMinder® SPS handles wireless requests.

     

    Can this be useful to my case?



  • 6.  Re: Separate authentication scheme based on the client type

    Posted Oct 20, 2016 07:56 AM
    Hi Anil,


    Sounds like it may be.

    So, you can utilise this feature to identify device type and redirect to different resources on the backend which are protected by different device type.


    Have you tried this?

     




  • 7.  Re: Separate authentication scheme based on the client type

    Posted Oct 26, 2016 06:31 PM

    I haven't yet. I will try and let you know how it goes.