Kristen Malzone (CA) :
Please ReTweet to invite others to join: https://twitter.com/CA_Community/status/710481515357016064
Anand Rao :
Hi...I joined late...is the meeting still on?
Herb Mehlhorn :
hi Anand, there are a number of folks CA on ...do you have a question?
Anand Rao :
I wanted to ask if CA Single Sign On r12.52 SP2 supports IDP Proxy implementation and/or IDP Selection.....for example for a particular federated application where I am the IDP, I want to give the user option to use their Active Directory Credentials or CA Directory credentials....is this possible today?
Herb Mehlhorn :
hi Anand, the "proxy" part of your question is not 100% clear to us
Herb Mehlhorn :
With SSO as IDP you can configure SSO to validate a user credential against a repository
Herb Mehlhorn :
that repository could be AD or could be CA Directory
Anand Rao :
Suppose I am the IDP, an SP forwards an authentication request to me...I would want to forward that to a third IDP which will authenticate the user and I'd relay the response back to the SP acting as a proxy...is that possible?
Herb Mehlhorn :
Anand, are you looking at this for a gov't spec (e.g. Connect.gov)?
Herb Mehlhorn :
or are you not in gov't vertical?
Anand Rao :
not in the government vertical....
Herb Mehlhorn :
ok...the scenario you described is similar to some work we are doing as an SP for connect.gov
Anand Rao :
Other SSO products offer this, but I could not find it in the SSO Documentation...for example ...this is OpenAM...slide 8 is what I'm trying to explain
Anand Rao :
http://www.slideshare.net/ForgeRock/idpproxy
Herb Mehlhorn :
hang on...some checking going on in background
Rob Lindberg (CA) :
@Anand, we have a flow where we can provide a selection of identity providers, which we describe as a 'credential selector page'. See this section of the doc https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/configuring/partnership-federation/configure-social-sign-on
Anand Rao :
yes...but that allows for only Facebook, LinkedIn etc correct? Can this be used even for custom IDPs?
Rob Lindberg (CA) :
@Anand, it works for IDPs that support SAML, WS-Fed, or OAuth. it's not limited to Facebook, LinkedIn
Anand Rao :
okay thank you.
Anand Rao :
if we have time, I'd like to ask one more question..very closely related to the previous one
Herb Mehlhorn :
sure
Kristen Malzone (CA) :
4 minutes left! Get your final question in now!
Anand Rao :
the documentation says that to use delegated authentication, it has to be a third party WAM product....can I use delegated authentication (in the partnership) to forward to a CA SSO protected page?
Herb Mehlhorn :
@Anand, I don't think we thought about that use case...what would make you want to do that.
Anand Rao :
want to use a login.aspx page instead of an fcc to collect credentials
Anand Rao :
some complex branding requirements that would need some server side scripting to display the appropriate logo to the user
Anand Rao :
several hundred logos to choose ...so it would be too heavy and impractical to customize the fcc to handle this...hence was wondering if I can delegate the authentication to another page that'd submit to the fcc or call the rest web service for authentication
Herb Mehlhorn :
@Anand,...the docs may say that for SSO acting as IdP the example is fcc, but it does not have to be. Team here believes you can use login.aspx as the base auth scheme
Anand Rao :
thanks! okay...so after authentication, what URL would the login.aspx redirect the user to so that the SAML flow can be resumed?
Rob Lindberg (CA) :
@Anand, in the partnership you specify the Auth URL (redirect.jsp) and then you protect that page with an SSO authentication scheme (which can be custom). the SSO agent handles the redirects and gets the user back to the SAML flow
Anand Rao :
okay thanks! custom auth scheme is the answer then...thanks a lot!
Anand Rao :
sorry for taking more time than allotted
Herb Mehlhorn :
thanks for taking the time today to join us Anand...have a good day.