Symantec Access Management

Expand all | Collapse all

Howto skip AA Ldap authentication during OTP mobile enrollment

Jump to Best Answer
  • 1.  Howto skip AA Ldap authentication during OTP mobile enrollment

    Posted 25 days ago
    Hi,

    We have implemented Siteminder and AA integration where SM does the initial username + Password authentication and then decides if a step up authentication e.g. OTP via Mobile is needed. This works fine. You can define in AA a profile that you have only one authentication method in AA, so that works good in combination with the first login done by Siteminder.

    However we currently facing an issue that during OTP mobile enrollment, AA ALWAYS does do a first ldap authentication itself and then the enrollment. In combination with Siteminder it means now that the user needs to do twice a ldap username+password authentication during enrollment: first by Siteminder, secondly by AA.

    We would like to skip the AA ldap authentication. How can we achieve that? In the past you could modify AFM jsp files but that seems not possible anymore with the introduction of version 9.x. Can anyone provide me some pointers?

    Thanks,
    Bert


  • 2.  RE: Howto skip AA Ldap authentication during OTP mobile enrollment

    Posted 25 days ago
    Edited by Mike Berthold 25 days ago
    I had this use case recently where I wanted primary authentication to be done solely in SiteMinder, and have been meaning to write it up so it can be properly documented. In the meantime, here's the details of how I was able to do this (in this case, using the simple login.fcc forms based Auth in SiteMinder for my primary authentication):

    There are two files to modify (note you will need to modify these again every time you run through the AFM Wizard):

    arcotafm.properties
    Find the AFM flow you want to modify
    Change the following lines:

    #Flow sequence
    smflow.FlowSequence=Risk
    smflow.isPrimaryAuthOptionRequired=false

    adaptershim.ini
    Find the AFM flow you want to modify
    Change the following lines:

    AuthSchemeLib=smauthhtml  #Specify the library of the SiteMinder auth scheme of your primary auth method here
    AuthSchemeParam=http://aa90.demo.demodomain.ca/siteminderagent/forms/login.fcc;ACS=0;REL=0 #Specify the parameter of the SiteMinder auth scheme of your primary auth here

    #----------------------------------------------------------------------------
    UseCustomizationEngineAuth=true
    InitialPhasePrimaryAuth=false
    InitialFCCURLhttp://aa90.demo.demodomain.ca/siteminderagent/forms/login.fcc #Specify the FCC of the SiteMinder auth scheme of your primary auth here


    Good luck and please let me know if it works so I can validate the instrucitons.

    Thanks,
    Mike

    ​​

    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------



  • 3.  RE: Howto skip AA Ldap authentication during OTP mobile enrollment

    Posted 25 days ago
    Thanks Mike,

    I've made the changes as you suggested and I noticed that it indeed skips the second AA ldap authentication (after having the first one done bu SM) but it complains about "invalid credentials, please retry" when proceeding.

    I guess that something is wrong with the AuthSchemeParam or maybe the authescheme lib. (the solution is running on Redhat)

    arcotafm.properties
    #otpmobile.FlowSequence=AOTP_MOBILEAPP
    otpmobile.FlowSequence=Risk
    otpmobile.isPrimaryAuthOptionRequired=false
    otpmobile.PrimaryAuthenticationOptions=


    Adaptershim.ini
    DisambigSchemeLib=
    DisambigSchemeParam=
    AuthSchemeLib=smauthhtml
    AuthSchemeParam=https://<domain>:18443/siteminderagent/forms/shim2fcc;ACS=0;REL=0

    ArcotSMBaseURL=http://<servername>:7080/arcotsm/servlet
    ArcotSMRetries=0
    ArcotSMResponseWait=5
    ArcotSMTrustedRootPEM=ARCOT_HOME/adapterSiteMinder/certs/rootcacert.pem
    ArcotSMClientSSLCert=ARCOT_HOME/adapterSiteMinder/certs/tsclientcert.pem
    ArcotSMClientPrivateKey=ARCOT_HOME/adapterSiteMinder/certs/tsclientkey.pem

    ArcotAFMLandingURL=https://<servername>:7443/arcotafm/master.jsp?profile=otpmobile

    #----------------------------------------------------------------------------
    UseCustomizationEngineAuth=true
    InitialPhasePrimaryAuth=false
    ErrorPageURL=https://<domain>:18443//siteminderagent/forms/shimerror.fcc
    InitialFCCURL=https://<domain>:18443//siteminderagent/forms/shim2.fcc
    FinalFCCURL=https://<domain>:18443//siteminderagent/forms/shimfinal.fcc

    I will look into it. To be sure: if you change the FlowSequence to Risk the enrollment is exactly the same except it skips the AA Ldap authentication?
    Do you know btw know what the UseCustomizationEngineAuth-true means?

    Thanks for your help
     Regards,
    Bert




  • 4.  RE: Howto skip AA Ldap authentication during OTP mobile enrollment
    Best Answer

    Posted 25 days ago
    Hi Bert,

    For UseCustomizationEngineAuth, the docs say "Specify whether Adapter authenticates. Default value: false", so I tried to set it to true to specify that we're not using the Adapter to authenticate.

    As for the enrollment behaviour, it was as expected, though my testing was non-mapped users so it was doing user creation during enrollment and prompting for phone number and email. I'd expect if your org is mapped to an LDAP it would have these pre-populated unless they were not defined in the LDAP itself.

    The logs should give you more clarity why you're hitting invalid credentials after primary authentication - maybe try with a brand new user to ensure it's not something related to an existing user causing the issue?

    Thanks,
    Mike

    ------------------------------
    Mike Berthold
    Solution Architect
    ------------------------------