Thanks Mike,
I've made the changes as you suggested and I noticed that it indeed skips the second AA LDAP authentication (after having the first one done by SM), but it complains about "invalid credentials, please retry" when proceeding.
I guess that something is wrong with the AuthSchemeParam or maybe the auth scheme lib. (The solution is running on Red Hat.)
arcotafm.properties
#otpmobile.FlowSequence=AOTP_MOBILEAPP
otpmobile.FlowSequence=Risk
otpmobile.isPrimaryAuthOptionRequired=false
otpmobile.PrimaryAuthenticationOptions=
Adaptershim.ini
DisambigSchemeLib=
DisambigSchemeParam=
AuthSchemeLib=smauthhtml
AuthSchemeParam=https://<domain>:18443/siteminderagent/forms/shim2fcc;ACS=0;REL=0
ArcotSMBaseURL=http://<servername>:7080/arcotsm/servlet
ArcotSMRetries=0
ArcotSMResponseWait=5
ArcotSMTrustedRootPEM=ARCOT_HOME/adapterSiteMinder/certs/rootcacert.pem
ArcotSMClientSSLCert=ARCOT_HOME/adapterSiteMinder/certs/tsclientcert.pem
ArcotSMClientPrivateKey=ARCOT_HOME/adapterSiteMinder/certs/tsclientkey.pem
ArcotAFMLandingURL=https://<servername>:7443/arcotafm/master.jsp?profile=otpmobile
#----------------------------------------------------------------------------
UseCustomizationEngineAuth=true
InitialPhasePrimaryAuth=false
ErrorPageURL=https://<domain>:18443//siteminderagent/forms/shimerror.fcc
InitialFCCURL=https://<domain>:18443//siteminderagent/forms/shim2.fcc
FinalFCCURL=https://<domain>:18443//siteminderagent/forms/shimfinal.fcc
I will look into it. To be sure: if you change the FlowSequence to Risk, the enrollment is exactly the same except that it skips the AA LDAP authentication?
Do you know, btw, what UseCustomizationEngineAuth=true means?
Thanks for your help
Regards,
Bert
Original Message:
Sent: 11-19-2019 01:54 PM
From: Mike Berthold
Subject: Howto skip AA Ldap authentication during OTP mobile enrollment
I had this use case recently where I wanted primary authentication to be done solely in SiteMinder, and have been meaning to write it up so it can be properly documented. In the meantime, here are the details of how I was able to do this (in this case, using the simple login.fcc forms-based auth in SiteMinder for my primary authentication):
There are two files to modify (note you will need to modify these again every time you run through the AFM Wizard):
arcotafm.properties
Find the AFM flow you want to modify
Change the following lines:
#Flow sequence
smflow.FlowSequence=Risk
smflow.isPrimaryAuthOptionRequired=false
adaptershim.ini
Find the AFM flow you want to modify
Change the following lines:
#Specify the library of the SiteMinder auth scheme of your primary auth method here
AuthSchemeLib=smauthhtml
#Specify the parameter of the SiteMinder auth scheme of your primary auth here
AuthSchemeParam=http://aa90.demo.demodomain.ca/siteminderagent/forms/login.fcc;ACS=0;REL=0
#----------------------------------------------------------------------------
UseCustomizationEngineAuth=true
InitialPhasePrimaryAuth=false
#Specify the FCC of the SiteMinder auth scheme of your primary auth here
InitialFCCURL=http://aa90.demo.demodomain.ca/siteminderagent/forms/login.fcc
Good luck, and please let me know if it works so I can validate the instructions.
Thanks,
Mike
------------------------------
Mike Berthold
Solution Architect
Original Message:
Sent: 11-19-2019 01:33 PM
From: Bert de Roos
Subject: Howto skip AA Ldap authentication during OTP mobile enrollment
Hi,
We have implemented a SiteMinder and AA integration where SM does the initial username + password authentication and then decides if a step-up authentication, e.g. OTP via mobile, is needed. This works fine. You can define in AA a profile that has only one authentication method in AA, so that works well in combination with the first login done by SiteMinder.
However, we are currently facing an issue that during OTP mobile enrollment, AA ALWAYS does a first LDAP authentication itself and then the enrollment. In combination with SiteMinder it means that the user now needs to do an LDAP username+password authentication twice during enrollment: first by SiteMinder, secondly by AA.
We would like to skip the AA LDAP authentication. How can we achieve that? In the past you could modify the AFM JSP files, but that no longer seems possible with the introduction of version 9.x. Can anyone provide me with some pointers?
Thanks,
Bert