Hi Mark,
It seems that to integrate AA with a SiteMinder Federation Partnership, you
need to delegate authentication, as mentioned in:
Configuring CA Single Sign-On Policy Server
To use Advanced Authentication as MFA for CA SSO Federation
partnership, CA SSO delegates the authentication to Advanced
Authentication using the Advanced Authentication Authentication
Scheme. On successful authentication, CA SSO generates the assertion
and redirects the user to the service provider URL.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/advanced-authentication/9-1/installing/ca-adapter-installation/configuring-ca-single-sign-on-policy-server.html
Delegation can be configured as per SiteMinder documentation:
Delegated Authentication
Delegated authentication
CA Single Sign-on uses a third-party web access management (WAM)
application that CA Single Sign-on does not protect. The third-party
application authenticates any user who requests a protected federated
resource then forwards the federated user identity to CA Single
Sign-on. After CA Single Sign-on receives the user identity
information, it locates the user in its own user directory and starts
the federation process with the relying party.
A delegated authentication request takes place at the asserting party
and it can be initiated at the third-party WAM system or at CA Single
Sign-on. An authentication request can initiate at the relying party;
however this scenario is not considered delegated authentication.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/partnership-federation/delegated-authentication.html
I hope this helps,
Best Regards,
Patrick
Original Message:
Sent: 04-04-2020 09:36 PM
From: Mark Ma
Subject: SiteMinder Reverse Proxy Server - Federation with OTP
Hi,
We are using SiteMinder Reverse Proxy Server to handle the federation. The Authentication URL is https://hostname/affwebservices/redirectjsp/redirect.jsp
Right now we are trying to add CA SSO Strong Authentication (Arcot) into the federation authentication process.
Under redirectjsp folder, I see there is otp.jsp and arcototp.jsp.
We have CA SSO Strong Authentication (Arcot) to protect our Web Applications.
In my SSO policy, I set otp.jsp to have that arcot afm authentication scheme and changed the federation authentication URL to otp.jsp.
It works fine in some federation partnerships (but failed in one partnership). I am not sure that's the correct way to set up OTP in the federation.
Do you have any document that can help me understand how to set up OTP in the federation process?
Thanks
Mark