New features are always added to the solution stack, some seem to slide in with minimal awareness.
This is one that I know customers have asked for, and I am pleased to see that it was introduced into the r14.0/14.1 releases and does not require any SSO solution integration.
Take a look. Note that if you have multiple AD (Microsoft Active Directory) domains, you may still wish to introduce CA SSO to allow "directory chaining" for authentication, e.g. use many, many userstores to search, or use CA SSO + AA for step-up authentication with one-use tokens.
Edit: 5/31/2018 update hyper links & attach PDFs - If hyperlinks fail in future, use docops.ca.com to search "CA Identity Manager" for active directory authentication module.
Manage Active Directory Authentication Module - CA Identity Manager - 14.1 - CA Technologies Documentation
Manage Authentication Module Properties - CA Identity Manager - 14.2 - CA Technologies Documentation
By default, CA Identity Manager comes with an out-of-the-box authentication module. This module authenticates the user against the directory that is configured for their environment. The user can also be authenticated to an external Active Directory using the following procedure. You can also encrypt ADMINPWD and KEYSTOREPWD instead of leaving them as clear text.
Note: The Active Directory endpoint must be provisioned by CA Identity Manager so the Active Directory accounts are synchronized with the CA Identity Manager user store. This procedure also assumes that the administrator is proficient with Active Directory.
Follow these steps:
In the Authentication provider module class name field, enter the following value:
This architecture allows use of a separate userstore (CA Directory) for access, but then use AD as the authentication store (AN). This assumes that active users (that will authenticate) are 1:1 between the two (2) userstores.
- Recommendation: Review the pro/cons of userstore design/considerations.
- How to choose a good corporate user store for the CA IM solution
This approach works for a reduced sign-on solution, if the %USER_ID% or %LOGIN_ID% field in the IM User Store maps to the sAMAccountName or userPrincipalName, depending on the IM and AD configurations. Any thoughts on extending the AD Authentication Module to support an IWA session token to implement single sign-on without SiteMinder?
This might be an Ideation topic.
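The architecture above assumes that active users are 1:1 between the IM user store and AD, with the IM login ID mapping to sAMAccountName or userPrincipalName. The following is an added reconciliation check (example code, not part of the thread or of CA Identity Manager) that takes constructed CSV exports of both stores and reports active IM users that would fail AD authentication: no matching AD account, more than one match (possible with several AD domains), or a match that is disabled in AD. Column names are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (not real data). Assumed columns:
# IM user store: user_id (the %USER_ID%/%LOGIN_ID% value), enabled
IM_USERS_CSV = """user_id,enabled
jdoe,true
asmith,true
bjones,false
mlee,true
svc_batch,true
"""

# AD export across two domains, so one sAMAccountName can appear twice.
AD_ACCOUNTS_CSV = """sAMAccountName,userPrincipalName,enabled
jdoe,jdoe@corp.example,true
jdoe,jdoe@sub.example,true
ASmith,asmith@corp.example,true
svc_batch,svc_batch@corp.example,false
"""


def load_rows(text):
    """Parse a CSV export into a list of dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(im_rows, ad_rows, attr="sAMAccountName"):
    """Verify that every active IM login ID maps to exactly one enabled AD
    account via `attr`. AD logon names are matched case-insensitively, as
    AD itself treats them. Returns (unmatched, ambiguous, disabled_in_ad)."""
    index = defaultdict(list)
    for row in ad_rows:
        index[row[attr].lower()].append(row)
    unmatched, ambiguous, disabled = [], [], []
    for row in im_rows:
        if row["enabled"].lower() != "true":
            continue  # inactive IM users never authenticate; out of scope
        matches = index.get(row["user_id"].lower(), [])
        if not matches:
            unmatched.append(row["user_id"])
        elif len(matches) > 1:
            ambiguous.append(row["user_id"])
        elif matches[0]["enabled"].lower() != "true":
            disabled.append(row["user_id"])
    return unmatched, ambiguous, disabled


if __name__ == "__main__":
    im, ad = load_rows(IM_USERS_CSV), load_rows(AD_ACCOUNTS_CSV)
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(attr, reconcile(im, ad, attr))
```

Run it against real exports before switching an environment to the AD module; every ID it lists is a user who will be locked out or resolved ambiguously at logon.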
I would support that idea! I am not aware of any method to support the IWA session token but I can see the value of this.
Side note: I like the thought of this new session method; as I could see it also supporting an automated (crontab) auto-rolling-restart of the solution J2EE components, useful for debugging or troubleshooting stuck-in-progress challenges:
/opt/CA/wildfly-idm/bin/jboss-cli.sh --connect --user=jboss-admin --password=Password01! --command=":reload"
/opt/CA/wildfly-idm/bin/jboss-cli.sh --connect --user=jboss-admin --password=Password01! --command=":shutdown(restart=true)"
Useful Wildfly/JBOSS CLI Monitoring Scripts