Idea Details

Multi authentication schemes on a realm (or within a scheme)

Patrick Bowe
04-09-2015 02:54 PM

PCI 3.0 requirements include Multi-Factor Authentication for PCI applications. Although we have two factor authentication schemes (HTML Forms/SecurID), there does not appear to be a way to protect an application with more than one authentication scheme or to merge the two authentication schemes. I found some awkward workarounds, like creating a separate URL and protecting it with one scheme, then redirecting to the original URL, but it seems there should be a better way so we don't have to make changes to the application URLs. We have other (non-SiteMinder) applications that use a single form to prompt for username/password/passcode and validate the username/password against a user store and the passcode against our SecurID Auth application.


Comments

10-24-2017 09:44 AM

This issue is sometimes referred to as StepUp Authentication. This requires a 2nd authentication method for certain resources. There is a solution available for this issue, "StepUp Authentication Integration for CA Single Sign-On (SmStepUpAuth)". This is available through CA's professional services group, Global Delivery. If you reach out to your CA Sales representative, they can set up a call with Global Delivery to review your specific needs.

https://www.ca.com/content/dam/ca/us/files/service-offering/stepup-authentication-integration-for-ca-single-sign-on-over… 

PS: RSA SecurID is two-factor authentication on its own, without combining with HTML Forms Authentication. The two factors are: first the PIN and second the tokencode. This is also referred to as something you know (PIN) and something you possess (SecurID token). You may not need StepUp to meet your requirements of Multi-Factor Authentication; you could just set up SecurID Authentication within CA-SSO.

10-26-2015 02:42 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers. Your input is vital to that effort. The CA Single Sign-On Product Management team has reviewed your enhancement suggestion and decided to maintain the idea for possible consideration in a future release. The Community will continue to be able to vote on this enhancement idea.

04-23-2015 03:55 PM

SDK is not necessarily needed to implement this.  We don't use the SDK to implement our solution.

04-23-2015 01:37 PM

Yes, SiteMinder SDK is supported, so essentially if you see any issues in SiteMinder SDK behaviour, that will be fixed.

Custom auth can be written using SiteMinder SDK.

04-22-2015 09:08 AM

While it is custom, as long as you continue to use core SSO functionality, CA Support should still be able to assist.

04-21-2015 10:59 AM

Thanks Mike, I'll try that, but is that then considered a custom auth scheme (unsupported)?

04-21-2015 10:40 AM

This can be done today, but requires some custom coding.

The basics are: code the .fcc to redirect to a realm which is protected by the auth scheme desired, then redirect back to the original target after the authentication is completed.

04-21-2015 08:34 AM

Thank you for your contribution of an enhancement idea to the CA Community. CA is continually working to improve its software and services to best meet the needs of its customers.  Your input is vital to that effort.  The CA Single Sign-On Product Management team is reviewing your enhancement suggestion.  The Community will continue to be able to vote on this enhancement idea.