
Now that I’ve provided an overview of a non-policy-based SSO in my previous two posts (links below), let’s talk about designing the solution. As with any software deployment, enterprises need to make numerous design decisions with an #SSO architecture and consider the benefits and tradeoffs of each decision. Paramount to making wise decisions is that the underlying technical design, security and DevOps meet your business objectives. For successful digital transformation tied to an SSO-enabled IApp, I put design decisions into three categories:

 

User Experience: A great user experience is key to digital transformation. Depending on the business and type of IApp, the user’s login process could be interactive (the user enters credentials), non-interactive (the user’s computer’s credentials are applied behind the scenes) or transitive (access to one application gives access to other applications). The benefit is a login process that is greatly simplified by integrating an identity management solution such as CA Identity Manager (CA IDM) with the IApp and CA SSO. Such integration also allows a common password service for all IApps. To ensure a good user experience (not to mention increase productivity and reduce operating costs), Identity Management, SSO and the password service must always be integrated.

 

Release Management: You want to ensure that the IApp release sprint is as independent of SSO infrastructure changes (components and policies) as possible while meeting required security and other business demands. That’s easily done by extending the IApp package to include the required SSO-enabling libraries such as CA SSO SDK. The benefit is that IApp code is SSO-ready and release sprints (#Agile) are independent of agent deployments and SSO policies, enabling IApp scalability without dependence on agent scalability.

 

Security: Focusing on session security, if no valid SSO token is available, there must be a login action (interactive or non-interactive) to generate a valid application session and access private areas. For public areas, the application session is upgraded to a private area application session when a valid SSO token is available, enhancing the user experience and personalization. In the design we must consider mitigating against security attacks such as session replays, cookie forging, velocity attacks, cache poisoning, SQL injection, etc. And by the way, a good and complete logoff, referred to as single logout (SLO), is equally important.

 

Another benefit of the non-policy-based model is that it forces us to be more vigilant about session security—to close the loop and adjust application code for security. We must know the IApp’s native security and the underlying application server’s security framework. In a non-policy-based SSO model:

  • A light session filter can be written to validate SSO tokens.
  • Application login modules can be updated for calling SSO to obtain SSO tokens.
  • Application server properties can be configured to generate a valid user session contingent on the presence of a valid SSO token.

 

Developing and implementing the above with CA SSO is even easier, since CA SSO SDK, CA SSO Application Server Agent and CA SSO Session Linker can be combined to tighten security. Implementing a session store and integrating CA SSO with CA Advanced Authentication can help mitigate session replay and velocity attacks. Using CA’s #Veracode suite of products, you can scan your IApp code to identify code issues that may otherwise expose you to cache poisoning and SQL injection attacks.

 

A tradeoff: The first time an IT organization moves to a non-policy-based model, it’s a challenge to adopt it, because the model involves teams beyond the IT organization’s local control. Organizations need to make a conscious commitment to the change, and they need to work with developers they may not have worked with before. To be successful, non-policy-driven SSO requires code-level customization for the IApps, which is not very complex. Once you do it the first time, you have a method and a framework unique to your organization, and you can replicate it for 90% of your apps. The most difficult part of the journey is getting over the first speed bump; after that, it’s a much smoother ride.

 

But even with that tradeoff, given the focus on #SecDevOps and the need for organizations worldwide to take ownership of internal cyber security, a non-policy-based SSO model provides a more flexible, agile, secure and scalable approach for enabling digital transformation.

 

Post #1: Getting Back to Basics with Single Sign On 

Post #2: A Primer on Non-Policy Based SSO 

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 8th February 2017 for your reference:

 

How to migrate selected policy domain(s) from one policy store to another
Steps to export and import domain and its references selectively from one policy store to another
Last Update: 2017-04-05    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1913757

smobjimport creates “siteminder ” on migrating policy data
This article explains a note on smobjimport utility creating a duplicated siteminder super user admin.
Last Update: 2017-04-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1128435

Introduction to SMUSRMSG Cookie
scenarios when smusrmsg cookie is created
Last Update: 2017-04-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1603435

Unable to create SiteMinder LDAP schema
Error of smldapsetup utility or Policy Server installation
Last Update: 2017-04-03    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1961374

Can wildcards be used in User DN Lookup field of IWA auth scheme?
wildcards in the User DN Lookup of the IWA auth scheme
Last Update: 2017-03-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1440777

Unable to use the search filter when creating a Role in the application module (EPM)
API Error when using the search filter within the role tab application module (EPM)
Last Update: 2017-03-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1670632

Virtualization software not listed in SiteMinder support matrix.
Virtualization statement
Last Update: 2017-03-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC528042

Web Agent doesn't start and Apache reports error : LLAWP.exe must be callable from the system path
This technote discusses about a specific problem when trying to start the Web Agent
Last Update: 2017-03-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1885882

How to display invalid login error message in the login page
Steps required to display invalid login error message in the login page.
Last Update: 2017-03-31    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1251864

Can we use relative forward proxy rule setting in CA Access Gateway - SPS ?
This Knowledge document answers the question: Can we use a relative forward proxy rule setting in CA Access Gateway - SPS? No, it has to be a FQDN.
Last Update: 2017-03-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1948383

Policy Server is unable to find the encryption certificate.
Adminui was used to generate keypair and CSR.
Last Update: 2017-03-30    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1254293

Getting Prompt for O365 Rich clients after upgrading SM to 12.52 SP1 CR04 and enabling STS IWA
We have upgraded SM and SPS to 12.52 SP1 CR04. Also enabled SPS STS and IWA. But users are still getting basic prompt when they launch rich client.
Last Update: 2017-03-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1059344

SPS login.fcc Custom Modifications are not shown without SPS Restart
This technote discusses about a SPS limitation
Last Update: 2017-03-29    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1100745

Federation IdP initiated transaction entering in a redirection loop
This document gives you details on why this situation can occur when setting up a Federation partnership and how to solve it
Last Update: 2017-03-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1488941

Apache struts vulnerability
SSO 12.52 SP 2 OS: Win 2012 R2 Apache struts vulnerability Want to check if latest Apache Struts vulnerability is affecting the Siteminder Installation
Last Update: 2017-03-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1898114

RelayState/Deeplink not working
IDP-init federation request includes a RelayState value. The value is going missing between the saml2sso URL and the saml2assertionconsumer URL.
Last Update: 2017-03-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1998493

Jboss agent : Class not found exception during authorization (RoleMapper)
This knowledge doc discusses why we have a Class not found exception during authorization when using the JBoss agent.
Last Update: 2017-03-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1459639

How to setup a login form on the CA Access Gateway ?
This Tech tip discusses how to set up a form authentication page on the CA Access Gateway, redirecting to the backend using proxy rules.
Last Update: 2017-03-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1476517

LLAWP will not load
Siteminder agent will not load the following error is in the event viewer. Unable to load SiteMinder host configuration object or host configuration file. D:\Program Files\netegrity\webagent\config\SmHost.conf
Last Update: 2017-03-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1548704

Apache Struts 2 vulnerability CVE-2017-5638 and CA Secure Proxy/Access Gateway
Is CA Secure Proxy / CA Access Gateway impacted by the Apache Struts 2 vulnerability?
Last Update: 2017-03-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1024359

Apache Struts 2 vulnerability CVE-2017-5638 and SSO Agent for Sharepoint
Is SSO Agent for Sharepoint impacted by Apache Struts 2 vulnerability CVE-2017-5638
Last Update: 2017-03-24    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1276108

Federation Security Services compatibility
Will federation continue to work during the interim period where Policy Servers have been upgraded to R12.52 but WebAgents+Option Pack are still R12SP3?
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1392257

Enabling "Global Policies Apply" on a Domain using Siteminder Java SDK
We have a requirement where we need to enable the "Global Policies Apply" checkbox for about 1800 domains in our env using Siteminder Java SDK.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1616715

Set Global Response & Enable Global Policies Apply
Questions regarding Policy Management APIs.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1513864

SSO API method setAgentConfigProperties not working.
This method does not update the ACO parameters.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1373088

 

SSO is breaking from R12.52 and R12.0.
SSO is breaking from R12.52 and R12.0 after upgrade.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1788976

Identity Mapping and Federation
Question about Identity Mapping and Federation.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1455675

Unable to delete "incomplete" federation domain
AdminUI not allowing admin to delete an incomplete federation domain.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1316017

CR for relative target issue
Application integrated with siteminder using the relative target forcing the target url to http instead of https.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1686089

Identity Mappings Using the Perl API
It seems there is no way to add identity mappings object to a realm via the Perl CLI.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1643984

Bind a response to a rule using the API?
Is there any way to bind a response to a rule using the API?
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1698605

How to configure 5.x Agent connection in API?
Customer is converting a custom application that uses the Agent API from the 4.x connection method to the 5.x method.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1079066

Mappings for LDAP error code and SMSUTHREASON?
For password policy are there mappings for LDAP error code and SMSUTHREASON?
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1544321

Need EOS dates for SiteMinder 6.x, 12.0, 12.5, and 12.52.
Customer requests the end of service dates for SiteMinder 6.x, 12.0, 12.5, and 12.52.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1956708

Perl CLI method to manage federation partnerships
Are there any Perl CLI methods to manage federation partnerships?
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1194083

Timeout in DMS API search.
Customer has written a custom application using the SSO DMS API and is finding one of the search calls is timing out.
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1330057

Decrypt the value of SMAGENTNAME
Customer is asking how to decrypt the value of SMAGENTNAME using the SDK
Last Update: 2017-03-23    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1726717

Policy Server Access Log Events
What are the various access log events and when are these events logged into the smaccess.log (text based audit log) or audit database?
Last Update: 2017-03-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1417454

Windows Authentication Scheme User DN Lookup Formats
Supported formats for specifying a User DN Lookup search string within the Windows Authentication Scheme (IWA).
Last Update: 2017-03-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1314606

AdminUI :: Reports and Administration Tabs : Restrictions
This technote discusses about possibilities to restrict the scope of the administrator.
Last Update: 2017-03-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC555263

Federation :: Affiliate Agent : UTC and IssueInstant Date Format
This technote discusses about a specific error with time format in Federation assertion
Last Update: 2017-03-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC563486

Wrong authentication scheme is invoked
IWA auth scheme is intermittently redirecting to the wrong port.
Last Update: 2017-03-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1207053

How to export the domain XID
domain XID xpsexport
Last Update: 2017-03-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1844178

Slow response from custom agent.
Customer reports a custom agent is slow to respond.
Last Update: 2017-03-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1794186

Incorrect html for 00-00011 error
HTML has a syntax mistake when displaying the 00-0011 error.
Last Update: 2017-03-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1296134

What do the lines of asterisks represent in the XPSImport/XPSSweeper output?
XPSSweeper output; XPSImport output
Last Update: 2017-03-20    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1624931

Unable to load audit text files using the SiteMinder SMAuditImport utility
Unable to load audit text files using the SiteMinder SMAuditImport utility (available in 6.0 SP5 CR31 or higher).
Last Update: 2017-03-17    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC499559

"Allow Protection Override" checkbook on the custom authentication-scheme.
Documentation(topic is, "custom-authentication-schemes") describes Allow Protection Override" checkbook on the authentication-scheme. This option specifies that the protection level in the library takes precedence over the protection level specified in t
Last Update: 2017-03-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1674413

Problem when importing metadata containing multiple Attribute Services
When importing metadata containing multiple Attribute Services only the first one is imported correctly. This is a known issue in 12.52SP1CR06. Dev fix provided and will be fixed in next release.
Last Update: 2017-03-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1988715

"can not deploy the WAMUI." error when starting Admin UI Embedded Jboss.
This article speaks about one of the problems you may have on starting the AdminUI.
Last Update: 2017-03-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC563485

 

How to rollback to the default legacy siteminder administrator once we have configured an external admin store with Admin UI?
Rollback to the default legacy siteminder administrator once we have configured an external admin store with Admin UI?
Last Update: 2017-03-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC563891

Can we import Metadata containing both SP and IDP information?
Failure when trying to import metadata that contains a mix of SP and IDP information. This document explains how to proceed.
Last Update: 2017-03-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1958754

AdminUI on Linux creates a directory "iam" and a file "workflow.log" under the working directory.
This article explains a known issue on AdminUI 12.52 SP1 startup.
Last Update: 2017-03-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1047662

Link to Report Server download.
Customer requests link to the SSO 12.52 Report Server downloads.
Last Update: 2017-03-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1305635

Auditing Service not writing to log.
SiteMinder Auditing service is not writing to the policy server or policy server trace logs.
Last Update: 2017-03-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1359804

Authentication URL (SAML 2.0) for Legacy Federation
This article explains the documentation correction on Authentication URL (SAML 2.0) for Legacy Federation.
Last Update: 2017-03-15    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1203912

Could not reach LDAP directory to determine if it's an Active Directory, for correct handling of Group user policy. Please correct the issue and then resume partnership configuration.
Admin seeing "Could not reach LDAP directory to determine if it's an Active Directory, for correct handling of Group user policy. Please correct the issue and then resume partnership configuration."
Last Update: 2017-03-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1838281

What admin rights are needed to export realm auth scheme and resourcefilter values via Perl script?
Developer is trying to export realm auth scheme and resourcefilter values via Perl script but is not getting values.
Last Update: 2017-03-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1300867

Need to know changes in 12.52-SP1-CR06.
Customer wants to know the changes included in SiteMinder 12.52-SP1-CR06.
Last Update: 2017-03-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1862637

getAgentConfigProperties and getPropNum not including commented out ACO parameters
SiteMinder API methods getAgentConfigProperties and getPropNum are not including commented out ACO parameters.
Last Update: 2017-03-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1559659

API method modifyHostConfig uses OID instead of object name.
SiteMinder SSO API method modifyHostConfig uses the OID instead of using the object name.
Last Update: 2017-03-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1468636

Retrieving SmResponseAttr
Retrieving SmResponseAttr using the SSO SDK.
Last Update: 2017-03-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1569391

Policy Server doesn't failover to the next Policy Store
This technote discusses the failover problem and best practices with Policy Server and Policy Store.
Last Update: 2017-03-10    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1117996

Changes on Error Type, Error Code and the Error Title in Secure Proxy Server –Error Report
how we can change the default Error Type and Error Code and also the Error Title i.e. Secure Proxy Server –Error Report
Last Update: 2017-03-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1796263

Proxy to backend server gave Noodle_GenericException
Proxy rule to redirect the request to the https enabled application URL, we are getting an error Noodle_GenericException. server.log gave Alert Fatal, Internal Error
Last Update: 2017-03-08    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1934067

AdminUI does not reflect objects updated by XPSImport (AD LDS Policy Store)
This document explains why the AdminUI does not refresh the objects after a modification with the XPSImport tool and includes a reference to a fix to solve the issue.
Last Update: 2017-03-07    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1350961

Event Handler for Wily not loading
Trying to integrate CA APM for CA SSO Follow the below steps as per documentation and try to start the policy server Not seeing EventHandler loaded message in smps.log
Last Update: 2017-03-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1004488

Problem activating partnership from ADFS Metadata import
When trying to import metadata file from ADFS, all possible attributes are sent. We can not activate the partnership as too many attributes are provided. Limitation using RDBMS as Pstore.
Last Update: 2017-03-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1776544

Policy Server management console : Not able to change data tab details
When installing a 12.6.01 Policy Server, not able to change data tab details for PStore connection. Able to change other parameter in the console
Last Update: 2017-03-03    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1398136

RSA integration with SiteMinder for 2-factor authentication
I am in the process of configuring RSA SecureID authentication. Looking to accomplish 2-factor authentication user/ID + SecureID
Last Update: 2017-03-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1314615

Customization of the Policy Server JVMOptions.txt and its impacts
This technote discusses about the impacts of customizing the jvmoptions.txt
Last Update: 2017-03-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1307942

Slowness when accessing IM using CA Access Gateway
performance issue while accessing IM via CA Access Gateway
Last Update: 2017-03-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1218173

AgentAPI has init() process latency issue
When AgentAPI call init(), it makes latency issue.
Last Update: 2017-03-02    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1928971

Failover for RSA server
I am in the process of configuring RSA SecureID authentication. I am looking to get failover for the RSA server.
Last Update: 2017-03-01    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1654779

Problem Reading SMSession ID
SMPS logs are showing some errors related to the sessions store that got enabled. Unable to read object SmSessionId
Last Update: 2017-03-01    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1955527

 

Compatibility between versions of Single Sign-On products
Please refer to Product Support Matrix of each version.
Last Update: 2017-03-01    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1172131

Unable to decrypt FED_TEMPORARY_STATE cookie
SAML2Base.java][getRedirectTargetFromCookie][Unable to decrypt FED_TEMPORARY_STATE cookie. Exception Mess age: Tried out all the decrypt keys, decryption failed.. No login redirection target URL.
Last Update: 2017-02-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1947972

Unable to find the partnership mapping under Trusted Certificates and Private Keys for the certificates used for encryption in partnership
We are unable to find the partnership mapping under Trusted Certificates and Private Keys for the certificates used for encryption in partnership
Last Update: 2017-02-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1776684

Unable to activate multiple office365 Partnerships with same remote entity
LogMessage:ERROR: Existing SAML Affiliate is already active LogMessage:ERROR: setActivated failed.
Last Update: 2017-02-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1191826

javax.naming.NamingException: LDAP response read timed out error in adminui server.log
(MSC service thread 1-1) VLV Controls not functional: javax.naming.NamingException: LDAP response read timed out, timeout used:-1ms (MSC service thread 1-1) javax.naming.NamingException: JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ld
Last Update: 2017-02-28    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1700252

Exception processing signature: Error in DSigVerifier - Unsupported Signing Algorithm
FAILED_INVALID_RESPONSE_RETURNED Exception processing signature: Error in DSigVerifier - Unsupported Signing Algorithm AssertionHandler preProcess() failed. Leaving AssertionGenerator Exception processing signature
Last Update: 2017-02-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1251341

Federation Error codes
FEDERATION ERROR CODES Auth Reason 47 Auth Reason 48 Auth Reason 49 Auth Reason 50
Last Update: 2017-02-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1073898

Google OAuth integration failing with State data cookie does not exist error
[OAuthAuthzServerByIDTunnelService][ERROR][sm-FedServer-00330] Failed to obtain OAuth provider data for given provider ID null|||Google1003877983200 State data cookie does not exist
Last Update: 2017-02-27    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1368141

CA SSO : WAOP : Error Parsing SAML Assertion at SP.
Could not parse SAML response. Error message: null" as well as "ACS_BAD_SAMLRESPONSE_XML".
Last Update: 2017-02-26    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1405054

Federation Authentication with Internet Explorer failing
Federation Authentication fails when an Internet Explorer browser is used in some transactions
Last Update: 2017-02-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1493506

OnAuthReject and OnAuthUserNotFound doesn't prevent Windows Pop-Up
This technote discusses about a specific configuration to prevent the browser to go into a loop and presenting a blank page.
Last Update: 2017-02-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1825795

When trying to reach the AdminUI, "Page cannot be found" seen in browser
This technote gives a tip for the "page cannot be found" error when reaching the AdminUI.
Last Update: 2017-02-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC584448

NullException thrown when current keys do not match.
SSOToken-1
Last Update: 2017-02-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1558245

Seeing many "Policy store failed operation 'MultipleSearch' errors in the SMPS.log with R12.52 SP1 Policy Server.
With CA Directory 12.0.14 as a Policy Store, we are seeing many "Policy store failed operation 'MultipleSearch' for object type 'Root'. LDAP Error Doing UserDirectory_Fetch: 82: Local error" in the SMPS.log.
Last Update: 2017-02-22    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1626754

CA SSO Agent for SharePoint and Microsoft SharePoint Office Client Integration.
This article discusses the Office Client Integration configuration settings required for the Agent for SharePoint to allow Microsoft SharePoint Office Client Integration requests to be properly handled by the Agent for SharePoint.
Last Update: 2017-02-21    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1920122

How to adjust adminUI session idle timeout?
Idle adminui logged out automatically needs re-enter credential
Last Update: 2017-02-16    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1340737

When AdminUI is started, do two or more "Java.exe" processes start?
There should be only 1 java.exe process for AdminUI.
Last Update: 2017-02-14    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1933309

What is the purpose of update query for Policy Store ?
Policy Server is executing update query for Policy Store at some interval.
Last Update: 2017-02-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1470324

Policy Server installation has failed.
When user tried to install Policy Server, below error is output.
Last Update: 2017-02-13    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1366275

smkeyimport creates four new Agent Keys in the existing Key Store. This results in a duplicate set of Agent Keys.
This article explains a remark when running smkeyimport.
Last Update: 2017-02-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1673294

SSO stopped working on HR website
SSO not working
Last Update: 2017-02-09    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1086918

 

 

Please note that you can always access the full list going to the following link:

CA Single Sign-On 

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Summary:

 

In this guide we will discuss the steps required to export selected domain(s) from one policy store to another.

 

A domain may include the following child objects:

  • CA.SM::SAMLv1SP
  • CA.SM::WSFEDSP
  • CA.SM::Variable
  • CA.SM::Response
  • CA.SM::Realm
  • CA.SM::RuleGroup
  • CA.SM::ResponseGroup
  • CA.EPM::Role
  • CA.SM::SAMLv2SP
  • CA.SM::Policy

 

It may also include references such as:

  • CA.SM::AuthScheme
  • CA.SM::AgentType
  • CA.SM::UserDirectory
  • CA.SM::Agent

 

So, migrating a domain means migrating the primary CA.SM.Domain object along with all its children and referenced objects.

 

 

Environment:

  • Policy Server : R12.51+
  • OS : ANY
  • Policy Store : ANY

Instructions:

 

Source Policy Store/Policy Server

 

1. Identify the XIDs of the Policy domain(s) that you want to migrate.

This can be done by looking up the specified Policy Domain(s) via XPSExplorer:

 

However, the easiest option is to first perform a full policy store export and then manually look up the domain XID in the export file:

To perform a full policy store export (dump export), run the following command:

XPSExport c:/fullexport.xml -xb -npass

 

Then, search for the domain name in the export file.

For the matching object, the object class should be "CA.SM.Domain" and the XID should be in the format "CA.SM.Domain@XXXXX".

For example, in the screenshot below the highlighted value is the XID of the policy domain "iis_anz_vm2_wa" that we would like to migrate.

 

2. Once identified, copy the XID(s) of all the policy domains into a file, say domainXIDs.xml, as shown below:

3. Next, export the selected policy domain(s) using the following command:

XPSExport c:\domainExport.xml -xf c:\domainXIDs.xml -npass

4. Then, open the newly exported file (domainExport.xml) and copy the XID(s) of all the references used into a new file, say referenceXIDs.xml.

 

 

Tip: search for the string "<ReferenceObject"

 

 

Note: Some of the reference types are not exportable and need to be removed from referenceXIDs.xml, but this will be evident when trying to export the references.

So, let us first try to export the references as they are:

 

C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass



As we can see above, objects of type CA.SM::AgentTypeAttr are not exportable, which means they can't be migrated. These are default objects which come OOTB and can't be instantiated, so it is safe to remove them from the list of references in referenceXIDs.xml.

So, go ahead and delete the references to objects of this type from referenceXIDs.xml.

(After manually deleting the CA.SM.AgentTypeAttr object reference.)

Now, try to export the references again using the same command:

C:\Users\Administrator>xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass

 

It should be successful now:

 

Finally, we now have the following two export files, which we can import into the target policy store:

  • domainExport.xml - Policy domain export file (from step 3)
  • ref.xml - Export of the references used by the policy domain (from step 4)

 

Target Policy Store/Policy Server

1. Import the references export file using the following command:

XPSImport c:/ref.xml -npass

 

Sample output:

 

2. Import the domain export file:

XPSImport c:/domainExport.xml -npass

 

Sample output:

 
Note: The above process doesn't migrate objects such as ACOs and HCOs that are not related to a policy domain. If you need those as well, migrate them using the same procedure as above.
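Step 4 and the note about non-exportable types can be scripted rather than done by hand. The block below is an added example, not CA's tooling: it assumes each reference in the domain export is a <ReferenceObject> element carrying the referenced XID in one of its attributes, treats one XID per line as the list format for XPSExport -xf, and uses a constructed sample document rather than a real policy store export.

```python
import re
import xml.etree.ElementTree as ET

# Classes the page reports XPSExport refuses to export (OOTB objects that
# cannot be instantiated); they are dropped from the reference list up front.
NON_EXPORTABLE_CLASSES = {"CA.SM.AgentTypeAttr"}

# An XID is '<Class>@<id>'; tools write the class as 'CA.SM.Foo' or
# 'CA.SM::Foo', so both separators are accepted and folded to one spelling.
XID_RE = re.compile(r"^(CA\.SM(?:::|\.)\w+)@[\w-]+$")


def extract_reference_xids(export_xml):
    """Return (keep, dropped): reference XIDs to export, and those skipped.

    Assumed layout: each reference is a <ReferenceObject> element carrying the
    referenced object's XID in an attribute. Attribute names are not relied on
    (any attribute value in XID form is taken); duplicates are collapsed and
    first-seen order is preserved.
    """
    keep, dropped, seen = [], [], set()
    for elem in ET.fromstring(export_xml).iter():
        if not elem.tag.endswith("ReferenceObject"):
            continue
        for value in elem.attrib.values():
            m = XID_RE.match(value)
            if not m or value in seen:
                continue
            seen.add(value)
            if m.group(1).replace("::", ".") in NON_EXPORTABLE_CLASSES:
                dropped.append(value)
            else:
                keep.append(value)
    return keep, dropped


# Constructed sample in the assumed layout, not a real policy store export.
SAMPLE_EXPORT = """<PolicyData>
  <Object Class="CA.SM::Domain" Xid="CA.SM::Domain@0a-1111">
    <ReferenceObject Class="CA.SM::Agent" Xid="CA.SM::Agent@0b-2222"/>
    <ReferenceObject Class="CA.SM::AgentTypeAttr" Xid="CA.SM::AgentTypeAttr@0c-3333"/>
    <ReferenceObject Class="CA.SM::UserDirectory" Xid="CA.SM::UserDirectory@0d-4444"/>
    <ReferenceObject Class="CA.SM::Agent" Xid="CA.SM::Agent@0b-2222"/>
  </Object>
</PolicyData>"""

if __name__ == "__main__":
    keep, dropped = extract_reference_xids(SAMPLE_EXPORT)
    # One XID per line is the list format assumed here for XPSExport -xf.
    with open("referenceXIDs.xml", "w", encoding="utf-8") as fh:
        fh.write("\n".join(keep) + "\n")
```

The resulting referenceXIDs.xml is what the -xf switch consumes in the "xpsexport c:\ref.xml -xf c:\referenceXIDs.xml -npass" step; the dropped list is what would otherwise make that export fail.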

Summary:

In this guide we will discuss how to check whether a user is a member of a certain group using an expression.

This can be used during policy evaluation or while sending a response.

Environment:

  • Policy Server : R12.52+
  • OS : ANY
  • User Directory : ANY

Instructions:

 

For illustration purposes, we will configure a response that returns true or false depending on whether the user is a member of the group 'HR'.

 

The expression that needs to be used is:

IsHR=<$expr="%SM_USERGROUPS ~CONTAINS 'CN=HR,CN=Users,DC=ad12,DC=lab'"$>

 

Where:

%SM_USERGROUPS returns a list of all the groups the user belongs to, separated by the ^ character,

and ~CONTAINS performs a case-insensitive search.

 

The full list of the other available operators is detailed here:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/attributes-and-expressions-reference/operators
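The two checks below are an added example, not CA's own evaluation code: ~CONTAINS is modelled as the case-insensitive substring search over the ^-separated %SM_USERGROUPS value that the page describes, and the exact-element comparison is a stricter alternative of my own that avoids matching a group whose DN merely ends with the HR DN. The %SM_USERGROUPS values are constructed.

```python
GROUP_SEPARATOR = "^"  # %SM_USERGROUPS separates group DNs with this character


def contains_ci(group_list, needle):
    """Model of '~CONTAINS' as the page describes it: a case-insensitive
    substring search over the raw %SM_USERGROUPS string."""
    return needle.casefold() in group_list.casefold()


def is_member_exact(group_list, group_dn):
    """Stricter check: split on '^' and compare whole DNs, case-insensitively,
    so only the group itself (not a DN that ends with it) counts as a match."""
    wanted = group_dn.casefold().strip()
    return any(g.casefold().strip() == wanted
               for g in group_list.split(GROUP_SEPARATOR))


HR_DN = "CN=HR,CN=Users,DC=ad12,DC=lab"

# Constructed %SM_USERGROUPS values, not taken from a real directory.
SAMPLES = {
    "hr_member": "CN=Staff,CN=Users,DC=ad12,DC=lab^cn=hr,cn=users,dc=ad12,dc=lab",
    "not_member": "CN=Staff,CN=Users,DC=ad12,DC=lab^CN=Finance,CN=Users,DC=ad12,DC=lab",
    # A group held in a container named HR: its DN ends with the HR DN, so the
    # substring test reports membership although the user is not in HR itself.
    "nested_only": "CN=HR-Interns,CN=HR,CN=Users,DC=ad12,DC=lab",
}


def evaluate(group_list, group_dn=HR_DN):
    """Return what IsHR would be under each interpretation of the check."""
    return {
        "contains": contains_ci(group_list, group_dn),
        "exact": is_member_exact(group_list, group_dn),
    }


if __name__ == "__main__":
    for name, groups in SAMPLES.items():
        print(name, evaluate(groups))
```

If the response is used for an authorization decision, the "nested_only" case is the one to test against your own directory layout before relying on a substring match.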

 

Testing Result:


Question

In this blog we will clarify the following questions about the SMUSRMSG cookie:

  • What is the SMUSRMSG cookie?
  • What are the different scenarios under which this cookie is created?
  • Is it recommended to configure a custom cookie response to create this cookie?
  • Can someone steal this cookie and decrypt it?
  • When is this cookie deleted?

Environment

  • Policy Server : R12.52 SP1 and above
  • Web Agent : ANY

Answer

 

  • What is the SMUSRMSG cookie?

The SMUSRMSG cookie is an encrypted cookie used to communicate error messages to the end user. It is created automatically by the web agent in a few scenarios.

  • What are the different scenarios under which this cookie is created?

This cookie is created automatically by the web agent in the following scenarios:

 

While using a custom authentication scheme (e.g. Java), if a custom error text is set by calling the setUserText() API.

More details here: https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/10/05/tech-tip-ca-single-sign-on-policy-serverhow-to-set-custom-error-message-using-custom-authentication-scheme

 

When using basic password services (BPS), if:

  • The user's password has expired. The cookie contains the reason why the password expired.
  • During the force password change flow, the new password doesn't meet the password complexity requirements. The cookie contains the reason why the new password failed to be set against the password policy.

  • Is it recommended to configure a custom cookie response to create this cookie?

It is NOT recommended to set this cookie manually by configuring a response cookie during an authentication/authorization event, as this is a proprietary cookie used exclusively by the web agent. Setting it manually may have unexpected consequences.

  • Can someone steal this cookie and decrypt it?

Except for the custom authentication use case, the SMUSRMSG cookie is always encrypted using the agent keys. So, even if someone steals this cookie, they won't be able to decrypt it.

  • When is this cookie deleted?

In native mode, the Agent deletes the cookie after a successful login, while redirecting back to the target URL.

In 4.x compatibility mode, the Agent deletes the cookie after generating the FORMCRED cookie, while redirecting back to the target URL.

Testing:

When the new password doesn't meet the password complexity