Chat Transcript: Office Hours for CA Single Sign-On [Sept. 17th]

Document created by Chris Stallone on Sep 17, 2015. Last modified by kristen.palazzolo on Dec 17, 2016.
Version 3

Kristen Malzone (CA) :

Hi Rahul! Thanks for joining today!

 

Kristen Malzone (CA) :

Let's get started - if you have a question about CA Single Sign-On, ask it here in the chat window.

 

Kristen Malzone (CA) :

Our product experts are standing by to answer your questions in REAL TIME!

 

Rahul P :

In general, what is the best practice for a keystore when you have multiple environments (dev/uat/prod) at different version levels? Is a single keystore suggested or multiple?

 

Kristen Malzone (CA) :

@Rahul - Great question! We're working on getting an answer to you right now..

 

Rahul P :

Thanks.

 

Herb Mehlhorn (CA) :

@Rahul,  I would suggest raising this with support team.  I have not seen many instances where a common keystore is shared between test and prod environments.

 

Herb Mehlhorn (CA) :

@Rahul, Support team will likely have a broader pool of customer interactions they could draw on for an improved answer.

 

Herb Mehlhorn (CA) :

@Rahul, Typically, shared keystores across installations are used to accomplish single sign on across those environments.

 

Rahul P :

@Herb. We currently have a separate keystore for each environment - however, users switching between environments frequently is causing issues. So I was wondering how it is done in other places.

 

Herb Mehlhorn (CA) :

@Rahul,  What kinds of issues is it causing?  Just need to log on when going to new env? or something more?

 

anand :

Question regarding SPS: I have recently seen an issue where the SPS doesn't come up after a successful installation/configuration. To bring the SPS up, I had to disable the following in the Server.conf: AAS, auth/az webservices, UI Login and other contexts. Once I do this, the SPS comes up fine. I saw this issue for the first time at a customer and they were running version 12.52 CR1. When a CA support case was opened, they suggested upgrading to the latest version at that time, which was 12.52 SP1 CR1. However, I was at another customer after that project and I still saw the same issue when they installed 12.52 SP1 CR02. So I have the following questions: 1. What is the root cause of this issue? How is it that when a customer was suggested to upgrade to the latest version, you still see the same issue with a version later than the one suggested by Support?

 

Herb Mehlhorn (CA) :

@Anand this smells like a support case would need to be opened to try to reproduce and find source...

 

anand :

I understand that getting root cause may not be possible in this Chat.

 

Rahul P :

@Herb - we have some 4x agent usage where if a user switches to another environment in a new browser tab - the old smsession is not decrypted. Will this go away if we share keystores?

 

Herb Mehlhorn (CA) :

@Anand, yes will be hard to do unless support team on the call recognizes it immediately

 

anand :

But what kind of QA does a new version go through before releasing it?

 

Rahul P :

@herb - we are okay if user gets prompted, but SM just fails saying not able to decrypt

 

Herb Mehlhorn (CA) :

@Rahul, I am not sure of the dynamics with 4.x agents. They predate me

 

Rahul P :

@herb

 

Herb Mehlhorn (CA) :

@Rahul,  Do you see different behavior with agents greater than 4.x?

 

Rahul P :

@Herb: I have not seen an unable to decrypt for 6x till now. 4x is heavily used in our env.

 

Herb Mehlhorn (CA) :

@Rahul,

 

Herb Mehlhorn (CA) :

@Rahul,  some background conv. across this item suggests you set up a call with Support to see if this is an agent version specific item or a config item.

 

Rahul P :

@Herb. unfortunately the proxy boxes (bluecoat) and PingFed where we use 4x cannot use 6x. If a better solution is available - we are ready to try it out.

 

Herb Mehlhorn (CA) :

@Rahul...perhaps SAML config to PingFed may be another integration option? For BlueCoat we should encourage them to upgrade their agent. But perhaps near term to try to find out if this is a config issue (pointing to correct PS..etc.) is to set up a call with support.

 

Rahul P :

@Herb. thanks. will raise a ticket with support for it.

 

Rahul P :

@CA The OAuth authentication scheme is an awesome functionality. I wanted to pass on my and my client's 'Thank You' to you. If possible, please extend it to other OAuth functionalities in newer versions.


Herb Mehlhorn (CA) :

@Rahul...also happy to have you consider using the SPS component (part of our base license with fed functionality) rather than PING...understand that is a longer conv.

 

Herb Mehlhorn (CA) :

@Rahul, happy to have the input here and to have these needs added to Community Site so others can contribute.

 

Rob Lindberg (CA) :

@Rahul, we have put newer OAuth support into the Partnership Federation model. We are moving away from the authentication scheme approach that was initially introduced. If you have requests for other OAuth functionality please submit them as an idea to the community so we can capture the details of your request.

 

Jim L :

Does CA SSO offer the capability to encrypt a user's password when it gets posted to an FCC so it cannot be captured in say a Fiddler trace during support, etc. ?

 

Stephen McQuiggan (CA) :

@Jim L No, SiteMinder does not modify the password before the FCC sends it to the policy server; it does communicate to the policy server over its encryption tunnel.

 

Kristen Malzone (CA) :

15 minutes left! Get your last questions in now!

 

Rahul P :

@Rob Lindberg - thanks.

 

Kristen Malzone (CA) :

Office Hours happen the 3rd Thursday of every month!

 

Kristen Malzone (CA) :

See you next month!

 

Kristen Malzone (CA) :

Thanks for joining today!
