Symantec Access Management


Authentication Chaining for IWA on 4 AD domains

  • 1.  Authentication Chaining for IWA on 4 AD domains

    Posted 11-17-2017 10:10 AM

    I'm interested in details on the new feature named Authentication Chaining.


    Use Case: we have 4 AD domains + 1 LDAP as user stores for all the applications to integrate with SSO, and we would like to implement IWA for all 4 AD domains before falling back to HTML Form authentication.


    Idea: create an Authentication chain with 4 Windows Authentication Schemes (one for each AD domain) and finally the HTML Form Authentication Scheme for the fallback.


    Questions:

    • Could Authentication Chaining be the right approach?

    In case:

    • Is the CA Access Gateway a requirement for the Authentication Chaining feature?
    • Do I have to install at least 4 CA Access Gateway instances, one for each AD domain?
    • How many authentication modules/schemes can be defined in the authentication chain?
    • Can I set only one HTML Form fallback authentication at the end of all the Windows Authentication Schemes?


  • 2.  Re: Authentication Chaining for IWA on 4 AD domains

    Broadcom Employee
    Posted 11-20-2017 02:51 AM
    Hi Gabriele,
    Yes, this is the right choice!
    From documentation, you'll see that this functionality is limited to CA Access Gateway.
    schemes/authentication-chaining/configure-iwa-fallback-to-forms-using-authentication-chain
    For the former Web Agent, you can refer to this page:
    In combination with Virtual Hosts, you can define a different Authentication Scheme per Windows Domain as you need.
    I hope this helps,
    Best Regards,
    Patrick


  • 3.  Re: Authentication Chaining for IWA on 4 AD domains

    Posted 11-20-2017 03:42 AM

    Hi Patrick,

    could you elaborate a little more on your answer?


    I understood that to use the Authentication Chain feature I need CA Access Gateway and CA SSO


    • Do I have to install 4 CA Access Gateway instances, one for each AD domain? Or can one single CA Access Gateway manage the Windows Authentication for all the AD domains?
    • How many authentication modules/schemes can be put into one authentication chain? In other words, can I put all the following schemes into one single Authentication Chain object:
      • Windows Authentication on Domain A
      • Windows Authentication on Domain B
      • Windows Authentication on Domain C
      • Windows Authentication on Domain D
      • and finally the one-for-all fallback scheme to Form-based?

    Or do I have to create 4 Authentication Chain objects, each with the pair Domain X + fallback Form-based:

    • Windows Authentication on Domain A + fallback scheme to Form-based
    • Windows Authentication on Domain B + fallback scheme to Form-based
    • Windows Authentication on Domain C + fallback scheme to Form-based
    • Windows Authentication on Domain D + fallback scheme to Form-based


    Thanks and regards,

    Gabriele



  • 4.  Re: Authentication Chaining for IWA on 4 AD domains
    Best Answer

    Broadcom Employee
    Posted 11-22-2017 09:14 AM

    Based on documentation/Prerequisites

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/ca-siteminder-sps-configuration/configure-ca-siteminder-sps-to-support-integrated-windows-authentication#ConfigureCASiteMinder%C2%AESPStoSupportIntegratedWindowsAuthentication-VerifythePrerequisites

    Number 2 - Add CA Access Gateway host as a member of domain host for the Windows domain controller.

    • Do I have to install 4 CA Access Gateway instances, one for each AD domain? Or can one single CA Access Gateway manage the Windows Authentication for all the AD domains?


    Yes, based on the prerequisites


    CA Access Gateway server 1 member of Domain A - Windows Authentication on Domain A + fallback scheme to Form-based

    CA Access Gateway server 2 member of Domain B - Windows Authentication on Domain B + fallback scheme to Form-based

    CA Access Gateway server 3 member of Domain C - Windows Authentication on Domain C + fallback scheme to Form-based

    CA Access Gateway server 4 member of Domain D - Windows Authentication on Domain D + fallback scheme to Form-based
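The two layouts discussed in this thread (the original idea of one chain carrying four IWA schemes plus a Form fallback, and the accepted answer's one domain-joined gateway per domain), modelled as an added Python example. This is not CA Access Gateway code and does not reproduce its real evaluation logic; the `Scheme`/`Gateway`/`Request` names, the `member_of` and `token_domain` fields, and the rule that an IWA scheme only completes on a gateway that is a member of that domain (taken from prerequisite 2 quoted above) are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the four AD domains from the thread.
DOMAINS = ["A", "B", "C", "D"]


@dataclass(frozen=True)
class Scheme:
    name: str
    kind: str                      # "iwa" or "forms" (assumed vocabulary)
    domain: Optional[str] = None   # IWA only: the AD domain the scheme authenticates against


# The single HTML Form fallback that closes every chain.
FORMS = Scheme("Forms", "forms")


@dataclass
class Gateway:
    name: str
    member_of: str                 # AD domain the gateway host is joined to (prerequisite 2)
    chain: List[Scheme]


@dataclass(frozen=True)
class Request:
    user: str
    token_domain: Optional[str]    # domain of the Kerberos/NTLM token the browser presents, None if absent


def validate_chain(chain: List[Scheme]) -> List[str]:
    """Return layout problems with a chain (empty list means the layout is acceptable)."""
    problems = []
    forms = [s for s in chain if s.kind == "forms"]
    if len(forms) != 1:
        problems.append(f"expected exactly one forms fallback, found {len(forms)}")
    elif chain[-1].kind != "forms":
        problems.append("forms fallback must be the last scheme in the chain")
    for s in chain:
        if s.kind == "iwa" and not s.domain:
            problems.append(f"IWA scheme {s.name} has no domain")
    return problems


def try_scheme(gw: Gateway, scheme: Scheme, req: Request) -> bool:
    """Assumed rule: IWA completes only when the gateway is joined to the scheme's domain
    and the client holds a token for that same domain; forms is always offered."""
    if scheme.kind == "iwa":
        return gw.member_of == scheme.domain and req.token_domain == scheme.domain
    return scheme.kind == "forms"


def authenticate(gw: Gateway, req: Request) -> Tuple[Optional[str], List[str]]:
    """Walk the chain in order; return (scheme that handled the request, schemes attempted)."""
    attempted = []
    for scheme in gw.chain:
        attempted.append(scheme.name)
        if try_scheme(gw, scheme, req):
            return scheme.name, attempted
    return None, attempted


def single_gateway_all_domains() -> Dict[str, Optional[str]]:
    """Original idea: one gateway (joined to domain A) with IWA-A..IWA-D + Forms in one chain."""
    chain = [Scheme(f"IWA-{d}", "iwa", d) for d in DOMAINS] + [FORMS]
    gw = Gateway("gw-single", member_of="A", chain=chain)
    return {d: authenticate(gw, Request(f"user@{d}", d))[0] for d in DOMAINS}


def per_domain_gateways() -> Dict[str, Optional[str]]:
    """Accepted answer: one gateway per domain, each joined to its domain, chain IWA-X + Forms."""
    results = {}
    for d in DOMAINS:
        gw = Gateway(f"gw-{d}", member_of=d, chain=[Scheme(f"IWA-{d}", "iwa", d), FORMS])
        results[d] = authenticate(gw, Request(f"user@{d}", d))[0]
    return results


if __name__ == "__main__":
    print("single gateway :", single_gateway_all_domains())
    print("per-domain     :", per_domain_gateways())
```

Under these assumptions the single-gateway chain only completes IWA for users of the domain the gateway is joined to and silently drops everyone else to Forms, which is the symptom to look for in the gateway's authentication logs if the layout is ever consolidated; the per-domain layout completes IWA for each domain's users. `validate_chain` encodes the thread's last question (exactly one Form fallback, placed last).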