Symantec Access Management

  • 1.  SiteMinder Reverse Proxy Server - Federation with OTP

    Posted Apr 04, 2020 09:37 PM
    Hi,

    We are using SiteMinder Reverse Proxy Server to handle the federation. The Authentication URL is https://hostname/affwebservices/redirectjsp/redirect.jsp
    Right now we are trying to add CA SSO Strong Authentication (Arcot) into the federation authentication process.
    Under the redirectjsp folder, I see there are otp.jsp and arcototp.jsp.
    We have CA SSO Strong Authentication (Arcot) to protect our Web Applications.
    In my SSO policy, I set otp.jsp to have that Arcot AFM authentication scheme and changed the federation authentication URL to otp.jsp.
    It works fine in some federation partnerships (but failed in one partnership). I am not sure that's the correct way to set up OTP in the federation.

    Do you have any document that can help me understand how to set up OTP in the federation process?

    Thanks

    Mark


  • 2.  RE: SiteMinder Reverse Proxy Server - Federation with OTP
    Best Answer

    Broadcom Employee
    Posted Apr 06, 2020 02:24 AM
    Hi Mark,

    It seems that to integrate AA with a SiteMinder Federation Partnership, you
    need to delegate authentication, as mentioned here:

    Configuring CA Single Sign-On Policy Server

    To use Advanced Authentication as MFA for CA SSO Federation
    partnership, CA SSO delegates the authentication to Advanced
    Authentication using the Advanced Authentication Authentication
    Scheme. On successful authentication, CA SSO generates the assertion
    and redirects the user to the service provider URL.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/advanced-authentication/9-1/installing/ca-adapter-installation/configuring-ca-single-sign-on-policy-server.html

    Delegation can be configured as per SiteMinder documentation :

    Delegated Authentication

    CA Single Sign-on uses a third-party web access management (WAM)
    application that CA Single Sign-on does not protect. The third-party
    application authenticates any user who requests a protected federated
    resource then forwards the federated user identity to CA Single
    Sign-on. After CA Single Sign-on receives the user identity
    information, it locates the user in its own user directory and starts
    the federation process with the relying party.

    A delegated authentication request takes place at the asserting party
    and it can be initiated at the third-party WAM system or at CA Single
    Sign-on. An authentication request can initiate at the relying party;
    however, this scenario is not considered delegated authentication.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/partnership-federation/delegated-authentication.html

    I hope this helps,

    Best Regards,
    Patrick


  • 3.  RE: SiteMinder Reverse Proxy Server - Federation with OTP

    Posted Apr 07, 2020 09:53 AM
    Patrick,

    Thanks for your information. In the federation, the default Authentication URL is https://hostname/affwebservices/redirectjsp/redirect.jsp
    In the redirectjsp folder, I saw otp.jsp and arcototp.jsp. To turn on Strong Authentication, I think I probably need to use those JSPs, but I don't know what the difference is between those 2 JSPs. I did compare them: otp.jsp is the same as redirect.jsp, but arcototp.jsp is different. I'm just wondering if you have any document for those JSP files.

    Thanks

    Mark