Symantec Access Management

  • 1.  How to skip AA LDAP authentication during OTP mobile enrollment

    Posted Nov 19, 2019 01:33 PM
    Hi,

    We have implemented SiteMinder and AA integration where SM does the initial username + password authentication and then decides if a step-up authentication, e.g. OTP via mobile, is needed. This works fine. You can define a profile in AA that has only one authentication method in AA, so that works well in combination with the first login done by SiteMinder.

    However, we are currently facing an issue that during OTP mobile enrollment, AA ALWAYS does a first LDAP authentication itself and then the enrollment. In combination with SiteMinder it means that the user now needs to do an LDAP username+password authentication twice during enrollment: first by SiteMinder, secondly by AA.

    We would like to skip the AA LDAP authentication. How can we achieve that? In the past you could modify the AFM JSP files, but that seems no longer possible since the introduction of version 9.x. Can anyone provide me some pointers?

    Thanks,
    Bert


  • 2.  RE: How to skip AA LDAP authentication during OTP mobile enrollment

    Broadcom Employee
    Posted Nov 19, 2019 01:55 PM
    Edited by Mike Berthold Nov 19, 2019 01:55 PM
    I had this use case recently where I wanted primary authentication to be done solely in SiteMinder, and have been meaning to write it up so it can be properly documented. In the meantime, here are the details of how I was able to do this (in this case, using the simple login.fcc forms-based auth in SiteMinder for my primary authentication):

    There are two files to modify (note you will need to modify these again every time you run through the AFM Wizard):

    arcotafm.properties
    Find the AFM flow you want to modify
    Change the following lines:

    #Flow sequence
    smflow.FlowSequence=Risk
    smflow.isPrimaryAuthOptionRequired=false

    adaptershim.ini
    Find the AFM flow you want to modify
    Change the following lines:

    AuthSchemeLib=smauthhtml  #Specify the library of the SiteMinder auth scheme of your primary auth method here
    AuthSchemeParam=http://aa90.demo.demodomain.ca/siteminderagent/forms/login.fcc;ACS=0;REL=0 #Specify the parameter of the SiteMinder auth scheme of your primary auth here 

    #----------------------------------------------------------------------------
    UseCustomizationEngineAuth=true
    InitialPhasePrimaryAuth=false
    InitialFCCURL=http://aa90.demo.demodomain.ca/siteminderagent/forms/login.fcc #Specify the FCC of the SiteMinder auth scheme of your primary auth here


    Good luck and please let me know if it works so I can validate the instructions.

    Thanks,
    Mike


    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------
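Mike notes that both files have to be edited again after every run of the AFM Wizard, so the change is worth scripting. The following is an added example, not code from the original post or from Broadcom: it re-applies the settings from the reply above to a flow in arcotafm.properties and to the matching section of adaptershim.ini, keeps the wizard's original values as commented-out lines for rollback, leaves other flows untouched, and is idempotent, so it can run after each wizard pass. The file layout is an assumption (`<flow>.Key=value` lines in the properties file, `[flow]` sections of `Key=value` lines in the ini file); the flow name `otpmobile`, the FCC URL and the sample file contents are constructed placeholders.

```python
"""
Re-apply the "SiteMinder does primary auth" settings to arcotafm.properties
and adaptershim.ini after an AFM Wizard run. Added example, not Broadcom code.
Assumed layout: properties file = `<flow>.Key=value` lines; ini file = `[flow]`
sections of `Key=value` lines; `#` or `;` starts a comment line.
"""
import re

# Property values from the reply above, for the SiteMinder-fronted flow.
PROPERTIES_SETTINGS = {"FlowSequence": "Risk", "isPrimaryAuthOptionRequired": "false"}


def adaptershim_settings(fcc_url: str) -> dict:
    """adaptershim.ini values: point the adapter at the SiteMinder FCC that does primary auth."""
    return {
        "AuthSchemeLib": "smauthhtml",
        "AuthSchemeParam": f"{fcc_url};ACS=0;REL=0",
        "UseCustomizationEngineAuth": "true",
        "InitialPhasePrimaryAuth": "false",
        "InitialFCCURL": fcc_url,
    }


def _apply(lines, key_re, settings, render):
    """Rewrite `key=value` lines: keep ones already correct, comment out and replace
    wrong ones, append keys that are missing. Running it twice changes nothing."""
    out, seen = [], set()
    for line in lines:
        m = re.match(key_re, line)
        if not m or m.group(1) not in settings:
            out.append(line)
            continue
        key = m.group(1)
        if key in seen:                 # stale duplicate: neutralise it
            out.append("#" + line)
            continue
        seen.add(key)
        if m.group(2).strip() == settings[key]:
            out.append(line)
        else:
            out.append("#" + line)      # keep the wizard's value for rollback
            out.append(render(key, settings[key]))
    out += [render(k, v) for k, v in settings.items() if k not in seen]
    return out


def patch_properties(text: str, flow: str, settings: dict) -> str:
    key_re = rf"^\s*{re.escape(flow)}\.(\w+)\s*=(.*)$"
    lines = _apply(text.splitlines(), key_re, settings, lambda k, v: f"{flow}.{k}={v}")
    return "\n".join(lines) + "\n"


def patch_ini(text: str, section: str, settings: dict) -> str:
    """Patch only the [section] block; other sections are left exactly as they are."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == f"[{section}]"), None)
    if start is None:                   # section absent: create it at the end
        lines += ["", f"[{section}]"]
        start = len(lines) - 1
    end = next((i for i in range(start + 1, len(lines)) if lines[i].lstrip().startswith("[")), len(lines))
    while end > start + 1 and lines[end - 1].strip() == "":   # append before the blank separator
        end -= 1
    body = _apply(lines[start + 1:end], r"^\s*(\w+)\s*=(.*)$", settings, lambda k, v: f"{k}={v}")
    return "\n".join(lines[:start + 1] + body + lines[end:]) + "\n"


def read_properties(text: str, flow: str) -> dict:
    """Effective (non-commented) `<flow>.Key` values, for verification."""
    pat = rf"^\s*{re.escape(flow)}\.(\w+)\s*=(.*)$"
    return {m.group(1): m.group(2).strip() for m in map(lambda l: re.match(pat, l), text.splitlines()) if m}


def read_ini_section(text: str, section: str) -> dict:
    """Effective (non-commented) keys of one ini section, for verification."""
    out, inside = {}, False
    for l in text.splitlines():
        if l.strip().startswith("["):
            inside = l.strip() == f"[{section}]"
        elif inside and not l.lstrip().startswith(("#", ";")):
            m = re.match(r"^\s*(\w+)\s*=(.*)$", l)
            if m:
                out[m.group(1)] = m.group(2).strip()
    return out


# Constructed sample files (not real AFM output) standing in for the wizard's results.
SAMPLE_PROPERTIES = """\
# constructed sample, not a real arcotafm.properties
otpmobile.FlowSequence=AOTP_MOBILEAPP
otpmobile.isPrimaryAuthOptionRequired=true
otpmobile.PrimaryAuthenticationOptions=LDAP
other.FlowSequence=Risk
"""

SAMPLE_INI = """\
; constructed sample, not a real adaptershim.ini
[otpmobile]
AuthSchemeLib=smauthapi
AuthSchemeParam=
UseCustomizationEngineAuth=false
InitialPhasePrimaryAuth=true
ArcotAFMLandingURL=https://afm.example.test:7443/arcotafm/master.jsp?profile=otpmobile

[other]
AuthSchemeLib=smauthapi
"""

if __name__ == "__main__":
    fcc = "https://sm.example.test/siteminderagent/forms/login.fcc"   # placeholder FCC URL
    print(patch_properties(SAMPLE_PROPERTIES, "otpmobile", PROPERTIES_SETTINGS))
    print(patch_ini(SAMPLE_INI, "otpmobile", adaptershim_settings(fcc)))
```

In a real deployment you would read the two files from ARCOT_HOME, write the patched text back, and run `read_properties`/`read_ini_section` afterwards as a post-wizard check that the SiteMinder-only settings are still in effect.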



  • 3.  RE: How to skip AA LDAP authentication during OTP mobile enrollment

    Posted Nov 19, 2019 03:12 PM
    Thanks Mike,

    I've made the changes as you suggested and I noticed that it indeed skips the second AA LDAP authentication (after having the first one done by SM), but it complains about "invalid credentials, please retry" when proceeding.

    I guess that something is wrong with the AuthSchemeParam or maybe the auth scheme lib. (The solution is running on Red Hat.)

    arcotafm.properties
    #otpmobile.FlowSequence=AOTP_MOBILEAPP
    otpmobile.FlowSequence=Risk
    otpmobile.isPrimaryAuthOptionRequired=false
    otpmobile.PrimaryAuthenticationOptions=


    Adaptershim.ini
    DisambigSchemeLib=
    DisambigSchemeParam=
    AuthSchemeLib=smauthhtml
    AuthSchemeParam=https://<domain>:18443/siteminderagent/forms/shim2fcc;ACS=0;REL=0

    ArcotSMBaseURL=http://<servername>:7080/arcotsm/servlet
    ArcotSMRetries=0
    ArcotSMResponseWait=5
    ArcotSMTrustedRootPEM=ARCOT_HOME/adapterSiteMinder/certs/rootcacert.pem
    ArcotSMClientSSLCert=ARCOT_HOME/adapterSiteMinder/certs/tsclientcert.pem
    ArcotSMClientPrivateKey=ARCOT_HOME/adapterSiteMinder/certs/tsclientkey.pem

    ArcotAFMLandingURL=https://<servername>:7443/arcotafm/master.jsp?profile=otpmobile

    #----------------------------------------------------------------------------
    UseCustomizationEngineAuth=true
    InitialPhasePrimaryAuth=false
    ErrorPageURL=https://<domain>:18443//siteminderagent/forms/shimerror.fcc
    InitialFCCURL=https://<domain>:18443//siteminderagent/forms/shim2.fcc
    FinalFCCURL=https://<domain>:18443//siteminderagent/forms/shimfinal.fcc

    I will look into it. To be sure: if you change the FlowSequence to Risk, the enrollment is exactly the same except that it skips the AA LDAP authentication?
    Do you btw know what UseCustomizationEngineAuth=true means?

    Thanks for your help
     Regards,
    Bert




  • 4.  RE: How to skip AA LDAP authentication during OTP mobile enrollment
    Best Answer

    Broadcom Employee
    Posted Nov 19, 2019 03:45 PM
    Hi Bert,

    For UseCustomizationEngineAuth, the docs say "Specify whether Adapter authenticates. Default value: false", so I tried to set it to true to specify that we're not using the Adapter to authenticate.

    As for the enrollment behaviour, it was as expected, though my testing was non-mapped users so it was doing user creation during enrollment and prompting for phone number and email. I'd expect if your org is mapped to an LDAP it would have these pre-populated unless they were not defined in the LDAP itself.

    The logs should give you more clarity why you're hitting invalid credentials after primary authentication - maybe try with a brand new user to ensure it's not something related to an existing user causing the issue?

    Thanks,
    Mike

    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------