Symantec Access Management

  • 1.  Is there a way to get the username from the Windows Authentication Scheme?

    Posted Mar 15, 2019 04:23 PM

    Hello members,

    I have a specific need on an integration that we have. We have a custom authentication scheme where we leverage the HTML Form (username/password), and in the custom auth scheme we get the username to redirect to our integration, and everything works just fine.

    I now have an urgent need to not use HTML Form and instead use Windows Authentication for 1st factor authentication. Our custom authentication scheme is expecting a username in order to pass it to 2nd factor authentication. So I need to find out if it is possible to get the username from a Windows Authentication Scheme somehow in SiteMinder so I can pass it to my custom authentication scheme.

    Thanks in advance.



  • 2.  Re: Is there a way to get the username from the Windows Authentication Scheme?

    Broadcom Employee
    Posted Mar 21, 2019 08:30 AM

    Hi Ricardo,

    Please accept my apologies for coming late to this case.

    I understand that you'd like to know how to set your Custom Authentication Scheme in order to get the username from the request and set it in the Username field as value.

    We don't provide tools in the Web Agent to do it. But you may have a chance to get it using Microsoft libraries in your Custom Authentication Scheme. I've found this link which might give you guidance on this:

    How To: Use Windows Authentication in ASP.NET 2.0
    https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff647405(v=pandp.10)

    Note that in the Windows Authentication Scheme, SiteMinder only trusts the authentication done by the IIS server.

    Hope that helps,

    Patrick



  • 3.  Re: Is there a way to get the username from the Windows Authentication Scheme?

    Posted Mar 23, 2019 07:19 AM

    Hi Ricardo,

    Not sure if this applies to you. If your 2nd factor authentication is a web form (like a one-time PIN), you can do something like this.

    Protect your web resource using your 2FA custom auth scheme with a higher protection level. This will redirect to your 2FA form URL.

    Protect your 2FA form URL using the IWA auth scheme. This will redirect to your IWA .ntc resource for authentication. Once authenticated, you should be redirected to your 2FA form.

    In the 2FA form, you can use the SM_USER header to get the login ID. It may come with the domain portion, like

    SOME_DOMAIN\SOME_USERNAME

    If you don't want the domain part, just programmatically split it and get the part you want, and you can use that further in your 2FA authentication process.

    So the flow is like this:

    attempt access to protected resource URL -> auto redirect to 2FA form URL -> auto redirect to IWA .ntc -> redirect back to 2FA form -> successful 2FA auth redirects to originally attempted protected resource URL.

    On a side note, since you are using IWA, it is best to enable a form fallback using authentication chaining.

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/authentication-chaining

    Hope this helps someone.

    Regards,

    Zen