Chat Transcript: Office Hours for CA Single Sign-On [Feb 18th]

Document created by Chris Stallone (Employee) on Feb 18, 2016. Last modified by kristen.palazzolo on Dec 17, 2016.
Version 2

Kristen Malzone (CA):

Time to get started.

 

Jeff :

@Kristine - CA communities

 

Kristen Malzone (CA) :

@Jeff - Ok thanks I'll look into what the issue was.

 

Kristen Malzone (CA) :

Here's a link to the Webcast Replay last week on CA Remote Engineer: https://communities.ca.com/videos/3742

 

Kristen Malzone (CA) :

If you missed it - definitely give it a watch!

 

federico :

I want to share an image

 

Kristen Malzone (CA) :

@Federico - You can't share images in WebEx chat. What is your question about?

 

Kristen Malzone (CA) :

@Federico If you need to share an image, I recommend posting as a question to the CA Security Community where you can embed the image in your post. https://communities.ca.com/community/ca-security

 

federico :

What are the best solutions you can suggest to us to explore that allow this base architecture to be able to authenticate the user and password on the mobile app (or eventually the web app) while avoiding the UserId being blocked on the Active Directory when the mobile app or a live user provides incorrect credentials? We have Citrix NetScaler to authenticate web app to internet to avoid and denied attack to our AD

 

federico :

we have ca service desk manager

 

federico :

mobile app

 

Ramesh :

hi to all

 

Kristen Malzone (CA) :

@Ramesh - Thanks for joining us today. Do you have any questions for our SSO team?

 

Aaron Berman :

@frederico, if you are authenticating to a web app or a mobile app through SiteMinder (SSO) then we check the credentials against the directory specified. SiteMinder does have its own password services capabilities so I imagine you could set SiteMinder's password services restrictions to be a lower threshold than the AD's password policies, but it probably depends on your specific use case

 

Aaron Berman :

@fredrico also several of our customers have gone with a solution where they use an external user directory for access to avoid users directly against the internal AD domain

 

Ramesh :

I have question on the smsession=logged off message. How to clear the smsession as logged off? Root URL is unprotected. But subfolders are protected and after the sessions timed out, users are seeing the siteminder login screen for the unprotected root URL.

 

Aaron Berman :

@ramesh is the root URL explicitly unprotected with an unprotected realm, or is there just no realms configured that match?

 

Ramesh :

there is a realm for unprotected root URL

 

Kristen Malzone (CA) :

Hi Tony! Welcome to Office Hours!

 

Aaron Berman :

@ramesh when you have an unprotected realm if there is a rule in the unprotected realm that matches the rule even if the realm is unprotected siteminder will protect the url.  I would start there first.

 

Aaron Berman :

@ramesh - I don't think the smsession=loggedoff message is a contributor, I haven't heard of agents misinterpreting that message to make them think something is protected

 

Ramesh :

There is no rule for the unprotected URL.

 

TonyP :

Hi Kristen

 

Aaron Berman :

@ramesh - have you tried verifying the URL with the policy server using the test tool?

 

TonyP :

to CA, want to check in for status on 12.51 support on RHEL 7.x

 

federico :

Is there any documentation available about authentication protocol app mobile? We need information how app mobile uses protocol authentication against CA Server therefore we can analyze and made a POST method between NetScaler and the server to transfer credentials (example REST SAML NTLM)

 

Ramesh :

I did not try the test tool. I will try with test tool. I think someone posted this question in our community site couple of years back. but it looks like it was not answered.

 

Aaron Berman :

@ramesh if test tool says it is unprotected, then i would should support opening up a support ticket and providing both web agent and policy server logs.

 

Ramesh :

Sure. Thanks.

 

Aaron Berman :

@fredrico my understanding is that fed app mobile requires OpenIdConnect support, something that is not currently in SiteMinder. We are looking at that as a method for SSO into mobile applications but do not have any dates to share yet.

 

Rob Lindberg (CA) :

@TonyP - we are not going to be able to provide support for RH7 on 12.51, but we are evaluating support for RH7 in newer releases. We don't yet have a commitment on when that support will be available

 

TonyP :

yike.  

 

Rob Lindberg (CA) :

@TonyP - I will say it is currently being researched by engineering

 

TonyP :

RHEL 7 was released in 2014. Don't know when 12.51 was released. I would think quite a lot of your customers (including me) are on 12.51.

 

TonyP :

and if you don't plan to have 12.51 support on RHEL 7, you are pretty much forcing everyone to migrate to 12.52 or later

 

federico :

Thanks for all

 

Rob Lindberg (CA) :

@TonyP - RH7 will require the policy server infrastructure to be 64-bit, which is something we are working on now.

 

Apoorva Choudhary (CA) :

@fredrico I am on the PM team and we are currently validating mobile use cases with customers. I will grab your contact info after the session and connect with you to understand your use cases in more detail.

 

TonyP :

i don't see any option beside migrating to 12.52 if CA is not going to support 12.51 on RHEL 7.  does anyone see any other options?

 

federico :

@Apoorva  Sure no problem

 

Aaron Berman :

@tony, fact is 12.51 and 12.52 are not going to support RHEL 7. They can't due to the way they are built and numerous 3rd party libraries. We are looking at doing a 64 bit release with updated third party libs so that we can support RHEL 7. At the point that gets released then you will have to upgrade to that version which will probably be labeled as 12.6

 

TonyP :

it's an upgrade regardless.   i hope it will not be painful.   for a big installation like mine and support over 12 millions auth per 24 hrs, the upgrade won't be that simple

 

Kristen Malzone (CA) :

10 minutes left! Get your final questions in now!

 

Aaron Berman :

@tony there is a lot of work being done to make upgrades less painful. However custom code and custom integrations are areas that still cause the biggest challenges for the upgrade process.

 

Aaron Berman :

@tony if you have a lot of customization we want to work with you proactively on upgrades

 

Kristen Malzone (CA) :

Alright - looks like that's it for today!

 

Kristen Malzone (CA) :

Thanks for joining this month's session of CA SSO Office Hours!

 

Kristen Malzone (CA) :

Join us again next month!

 

Jeff :

Thank you
