
No Risk Authentication with Valid SMSESSION

Last activity 06-03-2019 08:16 PM
Prakhar Sood, 08-18-2016 12:41 PM


Hi Team,

When a user arrives with a valid SMSESSION, RiskEvaluation is never triggered.

While working on the integration of CA SiteMinder and CA Risk Authentication, we noticed that if a user moves from Application A, which is SiteMinder protected, to Application B, which uses a Custom Auth Scheme (initiating Risk Evaluation), the user's risk is never evaluated, because the Custom Auth Scheme for Application B is not triggered.

The only workaround for this is to increase the SiteMinder Auth Level, which is not a great way to achieve it, as it degrades the end-user experience and makes the user enter his ID/password again.

We just want his Secondary Authentication to be triggered if it is set for a specific application.

There are 2 use cases in this scenario which are failing:

UC-1:

Application A (SiteMinder Basic Auth Scheme)
Application B (Custom Auth Scheme - RiskMinder Profile)

If the user logs in to A and moves to B, RiskEvaluation is not triggered.

UC-2:

Application A (Custom Auth Scheme - RiskMinder Profile-1)
Application B (Custom Auth Scheme - RiskMinder Profile-2)

If the user logs in to A and moves to B, the RiskEvaluation ruleset for Profile-2 is never triggered.

This looks to be a serious issue and needs to be addressed in future releases.

Regards,

Prakhar


Comments

01-21-2019 04:13 PM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your suggested enhancement. Based on current roadmap priorities and/or the limited amount of community support for this idea over the last year (please see this document describing how we are reviewing ideas: https://communities.ca.com/docs/DOC-231170123), we are not accepting this idea into the product backlog. Therefore, it is being moved to a “Not Planned” status.  

11-15-2016 01:13 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team is reviewing your enhancement suggestion. The Community will continue to be able to vote on this enhancement idea.

09-21-2016 12:34 PM

Thanks Robert for adding an additional use-case to this Enhancement.

09-21-2016 12:33 PM

You got it right, Josh.

09-17-2016 07:27 AM

I voted for this one, but would like to expand this slightly. In my mind the issue is that the risk analysis needs to be handled like a two-step authentication process. Step 1 is used to perform the primary authentication of the user via whatever mechanism you want (basic, federation token, 2FA credential, etc.), and Step 2 is to perform risk analysis.

So, in the example above, when the user moves from App A to App B, the first step in the authentication process will look for an existing session. If found, it does the normal checks: is the session still valid, was the user authenticated at the right protection level, etc. Assuming these checks are OK, then we move to the second step in the process, which is to perform the risk analysis. Ideally, the Step 2 risk check should be an option that could be added to ANY authentication scheme that an admin could pick from the pull-down menu, including users federating in using SAML or OAuth tokens.

This makes me wonder whether the risk analysis should not be an authentication scheme, but perhaps an active rule, response, or policy. Then you could actually associate risk with all users or just specific users, roles, or groups for an application.
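The two use cases in the original idea and the two-step flow proposed in the comment above, as an added toy model that is not part of this thread and not SiteMinder or Risk Authentication code. Every class, function and name below is invented for illustration; the only behaviour it models is the one the thread reports: a valid SMSESSION at a sufficient auth level short-circuits the auth scheme, so a custom scheme's risk evaluation never runs. The "workaround" resource with a higher protection level shows why raising the level triggers the evaluation but costs a re-login.

```python
"""Toy model of the SSO flow discussed in the thread (added example, not vendor code).
All names are invented; the users, apps and protection levels are constructed samples."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class Session:
    """Stand-in for the SMSESSION cookie: who was authenticated, at what auth level."""
    user: str
    auth_level: int
    risk_done: Set[str] = field(default_factory=set)   # risk profiles already evaluated


@dataclass
class Resource:
    """One protected application and its (invented) auth-scheme configuration."""
    name: str
    protection_level: int                  # SiteMinder-style protection level
    risk_profile: Optional[str] = None     # set when the scheme is the custom risk scheme


class Tracer:
    """Records what happened so the two flows can be compared."""
    def __init__(self) -> None:
        self.risk_evaluated: List[Tuple[str, str]] = []  # (user, profile) per evaluation
        self.reauth_prompts = 0                           # times the user had to log in again


def run_scheme(res: Resource, creds: dict, tr: Tracer) -> Session:
    """The auth scheme itself; in this model a custom scheme carries the risk evaluation."""
    if creds is None:
        raise PermissionError(f"{res.name}: no credentials, user is sent to the login form")
    done: Set[str] = set()
    if res.risk_profile:                                   # custom scheme triggers risk eval
        tr.risk_evaluated.append((creds["user"], res.risk_profile))
        done.add(res.risk_profile)
    return Session(creds["user"], res.protection_level, done)


def legacy_access(session: Optional[Session], res: Resource, creds: dict, tr: Tracer) -> Session:
    """Behaviour reported in the idea: the scheme (and with it the risk evaluation) runs
    only if there is no session or its auth level is below the resource's protection level."""
    if session is None or session.auth_level < res.protection_level:
        if session is not None:
            tr.reauth_prompts += 1        # the workaround's cost: single sign-on is lost
        session = run_scheme(res, creds, tr)
    return session


def two_step_access(session: Optional[Session], res: Resource, creds: dict, tr: Tracer) -> Session:
    """Proposed behaviour: step 1 validates or creates the session exactly as today;
    step 2 runs the resource's risk profile regardless of which scheme created the
    session. Evaluating once per profile per session is a design choice of this model."""
    if session is None or session.auth_level < res.protection_level:
        if session is not None:
            tr.reauth_prompts += 1
        session = run_scheme(res, creds, tr)
    if res.risk_profile and res.risk_profile not in session.risk_done:
        tr.risk_evaluated.append((session.user, res.risk_profile))
        session.risk_done.add(res.risk_profile)
    return session


def walk(access: Callable, apps: List[Resource], creds: dict) -> Tuple[List[str], int]:
    """User logs in at the first app, then moves through the rest carrying the session.
    Returns the risk profiles that were evaluated and how many re-login prompts occurred."""
    tr = Tracer()
    session: Optional[Session] = None
    for app in apps:
        session = access(session, app, creds, tr)
    return [profile for _, profile in tr.risk_evaluated], tr.reauth_prompts


# Constructed sample data mirroring UC-1, UC-2 and the protection-level workaround.
USER = {"user": "alice", "password": "constructed-sample"}
APP_A_BASIC = Resource("A", protection_level=5)                            # SiteMinder Basic
APP_A_P1 = Resource("A", protection_level=5, risk_profile="Profile-1")     # custom scheme
APP_B_P1 = Resource("B", protection_level=5, risk_profile="Profile-1")
APP_B_P2 = Resource("B", protection_level=5, risk_profile="Profile-2")
APP_B_HIGH = Resource("B", protection_level=10, risk_profile="Profile-1")  # the workaround

if __name__ == "__main__":
    print("UC-1 legacy  :", walk(legacy_access, [APP_A_BASIC, APP_B_P1], USER))
    print("UC-1 two-step:", walk(two_step_access, [APP_A_BASIC, APP_B_P1], USER))
    print("UC-2 legacy  :", walk(legacy_access, [APP_A_P1, APP_B_P2], USER))
    print("UC-2 two-step:", walk(two_step_access, [APP_A_P1, APP_B_P2], USER))
    print("workaround   :", walk(legacy_access, [APP_A_BASIC, APP_B_HIGH], USER))
```

In the legacy flow UC-1 evaluates no profile at all and UC-2 evaluates only Profile-1, which is exactly what the idea reports; the raised-protection-level workaround does reach Profile-1 but only by prompting the user to log in again. The two-step flow evaluates each application's profile whatever scheme created the session and never re-prompts. A real policy server would also check session expiry and revocation in step 1, which this model leaves out.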

08-22-2016 06:53 AM

Prakhar, thank you for catching this!

And does the lack of a CA logo mean that this is a different Prakhar Sood, or did they lose the guy with the best PMF key ever?