Layer 7 Access Management

CA SSO Step-up Authentication

  • 1.  CA SSO Step-up Authentication

     
    Posted 07-07-2016 06:02 AM

    Hi, one of my customers would like to protect web access to their applications with the following scenario:

    - accessing all applications requires LDAP password (basic authentication)

    - only for one of the applications (e.g. application X) both LDAP and ArcotID password are required

    - in case the user has been already authenticated with the LDAP password, when hitting the application X only ArcotID password is required

    Searching internally, I found that this scenario is sometimes described as Step-up Authentication, sometimes as "Login Sequence", and sometimes confused with the concept of protection level associated with different authentication schema.

    Can someone provide updated info regarding this scenario, and clarify if it is still provided as a package (I guess developed from GD)?

    Thank you



  • 2.  Re: CA SSO Step-up Authentication

    Posted 07-07-2016 06:51 AM

    Hello,

    You could check the global solution module Authentication Using Login Sequence for CA Single Sign-On.

     

    You can find some documentation at the following location:

    https://support.ca.com/phpdocs/7/5262/SmLoginSequenceAuthuthInstallConfig.pdf

     

    It is quite dated now and only exists for Solaris systems.

     

    You can check with the advanced authentication team and use the out-of-the-box confidence level defined on the realm:

     

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/policy-server-configuration/realms/configure-a-realm

     

    Hope it helps,

    Julien.



  • 3.  Re: CA SSO Step-up Authentication
    Best Answer

    Posted 07-08-2016 09:51 AM

    Claudio

     

    Have we investigated the option of using the CA SSO OOB Sensitive Tasks feature? Using this feature, an already logged-in user can be rechallenged at the same protection level. Thus I think you can send the user to the desired login page using the redirect response and by enabling this feature.

     

    How to Require Re-authentication for Sensitive Resources - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation

     

    Regards

     

    Hubert