Layer 7 Access Management


Identity Suite r14.x IM built-in AD Authentication

  • 1.  Identity Suite r14.x IM built-in AD Authentication

    Posted 03-01-2018 11:34 AM

    Team,

    New features are always added to the solution stack; some seem to slide in with minimal awareness.

    This is one that I know customers have asked for, and I am pleased to see that it was introduced into the r14.0/14.1 releases and does not require any SSO solution integration.

    Take a look. Note that if you have multiple AD (Microsoft Active Directory) domains, you may still wish to introduce CA SSO to allow "directory chaining" for authentication, e.g. to use many, many userstores to search, or to use CA SSO + AA for step-up authentication with one-use tokens.

    ### ###

    Edit: 5/31/2018 - update hyperlinks & attach PDFs. If the hyperlinks fail in future, use docops.ca.com to search "CA Identity Manager" for the Active Directory authentication module.

    Manage Active Directory Authentication Module - CA Identity Manager - 14.1 - CA Technologies Documentation
    Manage Authentication Module Properties - CA Identity Manager - 14.2 - CA Technologies Documentation

    Enable the Active Directory Authentication Module

    By default, CA Identity Manager comes with an out-of-the-box authentication module. This module authenticates the user against the directory that is configured for their environment. The user can also be authenticated to an external Active Directory using the following procedure. You can also encrypt ADMINPWD and KEYSTOREPWD instead of leaving them as clear text.

    Note: The Active Directory endpoint must be provisioned by CA Identity Manager so the Active Directory accounts are synchronized with the CA Identity Manager user store. This procedure also assumes that the administrator is proficient with Active Directory.

    Follow these steps:

    1. Locate the following property file:
       <Identity Manager installation location>/iam_im.ear/config/ad_auth_settings.properties
    2. Set the following properties:
       SERVERSADMINDN=<Administrator DN>
       ADMINPWD=<Administrator Password>
       BASEDN=<Base DN>
       KEYSTOREPWD=<Key store password>
       SEARCHFILTER = <Active Directory user search filter>
       SSL = <TRUE or FALSE>
    3. Save the file, and then restart CA Identity Manager Server.
    4. In the Management Console, browse to Environments, <your Identity Manager Environment>, Advanced Settings, User Console.
    5. In the Authentication provider module class name field, enter the following value:
       com.netegrity.webapp.authentication.ad.ActiveDirectoryAuthenticationModule
    6. Click Save.

    #### ####

    This architecture allows use of a separate userstore (CA Directory) for access while using AD as the authentication store (AN). This assumes that active users (that will authenticate) are 1:1 between the two (2) userstores.

    - Recommendation: Review the pros/cons of userstore design considerations.

    - How to choose a good corporate user store for the CA IM solution

    -A.

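    A pre-flight check for the properties file in the procedure above, added here as an example; it is not CA documentation and not the original poster's code. It assumes only what the procedure states (the six key names, the `key=value` Java-properties syntax, that ADMINPWD and KEYSTOREPWD may sit in the file as clear text) plus a loose "does it contain attribute=value" sanity check for the two DNs. The sample file contents are constructed, and the `{0}` login placeholder in the constructed search filter is an assumption, not a documented CA value. The point it adds to the text: before restarting the server in step 3, catch placeholders left over from the template, SSL left at FALSE, and a file that other local users can read.

```bash
#!/usr/bin/env bash
# Added example (not CA documentation or the original poster's code): pre-flight
# checks for ad_auth_settings.properties before step 3 (restart) of the procedure.
# Assumes Java-properties "key=value" syntax with optional blanks around '=',
# '#'/'!' comment lines, and the six keys named in the procedure. Key names come
# from the procedure; everything else here is an assumption.

REQUIRED_KEYS="SERVERSADMINDN ADMINPWD BASEDN KEYSTOREPWD SEARCHFILTER SSL"

# get_prop FILE KEY: print the trimmed value of KEY (first occurrence), or nothing.
get_prop() {
  awk -v key="$2" '
    /^[[:space:]]*[#!]/ || !/=/ { next }
    {
      k = substr($0, 1, index($0, "=") - 1)   # text before the first "="
      v = substr($0, index($0, "=") + 1)      # DNs and filters may contain "=" too
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# check_ad_auth_props FILE: print findings, return the number found (0 = clean).
check_ad_auth_props() {
  local file="$1" issues=0 key val upper
  [ -f "$file" ] || { echo "FAIL no such file: $file"; return 1; }
  for key in $REQUIRED_KEYS; do
    val=$(get_prop "$file" "$key")
    if [ -z "$val" ]; then
      echo "FAIL $key is not set"; issues=$((issues + 1)); continue
    fi
    # <...> means the placeholder from the documented template was never replaced
    case "$val" in *'<'*'>'*)
      echo "FAIL $key still holds a template placeholder: $val"
      issues=$((issues + 1)); continue ;;
    esac
    case "$key" in
      SERVERSADMINDN|BASEDN)
        # loose DN sanity check (assumption): at least one attribute=value pair
        case "$val" in *=*) ;; *)
          echo "FAIL $key does not look like a DN: $val"; issues=$((issues + 1)) ;;
        esac ;;
      SSL)
        upper=$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]')
        case "$upper" in
          TRUE) ;;
          FALSE) echo "WARN SSL=FALSE: credentials sent to AD cross the network unencrypted"
                 issues=$((issues + 1)) ;;
          *) echo "FAIL SSL must be TRUE or FALSE, got: $val"; issues=$((issues + 1)) ;;
        esac ;;
    esac
  done
  # ADMINPWD/KEYSTOREPWD may be clear text, so other local users must not read the file
  if [ -n "$(find "$file" -perm -004 2>/dev/null)" ]; then
    echo "WARN $file is world-readable while holding ADMINPWD/KEYSTOREPWD"
    issues=$((issues + 1))
  fi
  echo "$issues issue(s) found in $file"
  return "$issues"
}

# demo: run the checks over a copy of the documented template (placeholders intact)
# and over a constructed filled-in file (sample values, not from any real environment).
demo() {
  local tmpl filled
  tmpl=$(mktemp); filled=$(mktemp)
  cat > "$tmpl" <<'EOF'
SERVERSADMINDN=<Administrator DN>
ADMINPWD=<Administrator Password>
BASEDN=<Base DN>
KEYSTOREPWD=<Key store password>
SEARCHFILTER = <Active Directory user search filter>
SSL = <TRUE or FALSE>
EOF
  cat > "$filled" <<'EOF'
# constructed sample; {0} as the login placeholder is an assumption
SERVERSADMINDN=CN=svc-idm-bind,OU=Service Accounts,DC=example,DC=com
ADMINPWD=constructed-not-a-real-secret
BASEDN=DC=example,DC=com
KEYSTOREPWD=constructed-not-a-real-secret
SEARCHFILTER = (&(objectClass=user)(sAMAccountName={0}))
SSL = TRUE
EOF
  chmod 600 "$tmpl" "$filled"
  check_ad_auth_props "$tmpl" || true     # six placeholder findings
  check_ad_auth_props "$filled" || true   # clean
  rm -f "$tmpl" "$filled"
}

demo
```

    Run it as `check_ad_auth_props <Identity Manager installation location>/iam_im.ear/config/ad_auth_settings.properties` after step 2; a non-zero return means the file is not ready for the restart in step 3. The world-readable check matters most when you skip the optional encryption of ADMINPWD and KEYSTOREPWD that the documentation mentions.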

  • 2.  Re: Identity Suite r14.x IM built-in AD Authentication

    Posted 06-01-2018 06:40 PM

    Alan,

    This approach works for a reduced sign-on solution, if the %USER_ID% or %LOGIN_ID% field in the IM User Store maps to the sAMAccountName or userPrincipalName, depending on the IM and AD configurations. Any thoughts on extending the AD Authentication Module to support an IWA session token to implement single sign-on without SiteMinder?

    This might be an Ideation topic.

    Enrique



  • 3.  Re: Identity Suite r14.x IM built-in AD Authentication

    Posted 06-05-2018 04:10 PM

    Hi Enrique,

    I would support that idea! I am not aware of any method to support the IWA session token, but I can see the value of this.

    Side note: I like the thought of this new session method, as I could see it also supporting an automated (crontab) auto-rolling-restart of the solution J2EE components, useful for debugging or troubleshooting stuck-in-progress challenges:

    Examples:

    /opt/CA/wildfly-idm/bin/jboss-cli.sh --connect --user=jboss-admin --password=Password01! --command=":reload"

    /opt/CA/wildfly-idm/bin/jboss-cli.sh --connect --user=jboss-admin --password=Password01! --command=":shutdown(restart=true)"

    Useful Wildfly/JBOSS CLI Monitoring Scripts

    A.