Symantec Access Management

Team,

We have a requirement to integrate yubikey based authentication in CA SSO or CA AA. I am aware that CA SSO or CA AA doesn't provide OOTB integration for the same, therefore i am looking for possible alternatives for integrating yubikey with CA SSO or CA AA.

Any pointers is appreciated.

Thanks,

Shivam

Hi Shivam

YubiKey is a piv card right?

You are using it with x509 cert auth, right?

Best Regards

Terry, yes. Yubikey is a piv card.

I am not sure how to enable the integration via x509 cert, but from what i have explored on integration of yubikey with CA is that we have to write a custom authentication module to achieve it. 

I need to know if CA SSO or CA AA OOTB supports it. If not, how can i achieve it. I would be grateful if you can provide any pointers. 

Thanks,

Shivam

If it is not listed in the CA support matrix, then its safe to say CA has not tested it, and therefore it is not certified.  Support would be best efforts.

https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-siteminder-informational-documentation-index.html#PSM

It is possible our partners have tested it and for that you can check the numerous runbooks listed:

https://support.ca.com/us/product-content/recommended-reading/product-related-technical-information/ca-single-sign-on-ca-secure-cloud-security-saas-validation-program-runbook-library.html

Shivam, Have you looked at this?  Would this help?

Information Card Authentication Schemes - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

- Regards. Vijay

If it truly is a PIV certificate, and if it appears as a smartcard to the host OS (even though it is in a Yubikey4 form factor), you could potentially use the X.509 Advanced Auth Scheme from Global Development. This is what we use for standard PIV auth against CA SSO. This auth scheme lets you pull custom attributes out of the SAN of the piv card. For example we parse the FASC-N to map to an identity.