Chat Transcript: Office Hours for CA Single Sign-On [Mar. 17th]

Document created by Chris Stallone (Employee) on Mar 17, 2016. Last modified by kristen.palazzolo on Dec 17, 2016.

Kristen Malzone (CA):

Please ReTweet to invite others to join: https://twitter.com/CA_Community/status/710481515357016064

Anand Rao:

Hi... I joined late... is the meeting still on?

Herb Mehlhorn:

Hi Anand, there are a number of folks from CA on... do you have a question?

Anand Rao:

I wanted to ask if CA Single Sign-On r12.52 SP2 supports IDP Proxy implementation and/or IDP Selection... for example, for a particular federated application where I am the IDP, I want to give the user the option to use their Active Directory credentials or CA Directory credentials... is this possible today?

Herb Mehlhorn:

Hi Anand, the "proxy" part of your question is not 100% clear to us.

Herb Mehlhorn:

With SSO as IDP you can configure SSO to validate a user credential against a repository.

Herb Mehlhorn:

That repository could be AD or could be CA Directory.

Anand Rao:

Suppose I am the IDP, and an SP forwards an authentication request to me... I would want to forward that to a third IDP which will authenticate the user, and I'd relay the response back to the SP, acting as a proxy... is that possible?

Herb Mehlhorn:

Anand, are you looking at this for a gov't spec (e.g. Connect.gov)?

Herb Mehlhorn:

Or are you not in the gov't vertical?

Anand Rao:

Not in the government vertical...

Herb Mehlhorn:

OK... the scenario you described is similar to some work we are doing as an SP for Connect.gov.

Anand Rao:

Other SSO products offer this, but I could not find it in the SSO documentation... for example, this is OpenAM... slide 8 is what I'm trying to explain:

Anand Rao:

http://www.slideshare.net/ForgeRock/idpproxy

Herb Mehlhorn:

Hang on... some checking going on in the background.

Rob Lindberg (CA):

@Anand, we have a flow where we can provide a selection of identity providers, which we describe as a 'credential selector page'. See this section of the doc: https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/configuring/partnership-federation/configure-social-sign-on

Anand Rao:

Yes... but that allows for only Facebook, LinkedIn etc., correct? Can this be used even for custom IDPs?

Rob Lindberg (CA):

@Anand, it works for IDPs that support SAML, WS-Fed, or OAuth. It's not limited to Facebook and LinkedIn.

Anand Rao:

Okay, thank you.

Anand Rao:

If we have time, I'd like to ask one more question... very closely related to the previous one.

Herb Mehlhorn:

Sure.

Kristen Malzone (CA):

4 minutes left! Get your final question in now!

Anand Rao:

The documentation says that to use delegated authentication, it has to be a third-party WAM product... can I use delegated authentication (in the partnership) to forward to a CA SSO protected page?

Herb Mehlhorn:

@Anand, I don't think we thought about that use case... what would make you want to do that?

Anand Rao:

I want to use a login.aspx page instead of an FCC to collect credentials.

Anand Rao:

Some complex branding requirements that would need some server-side scripting to display the appropriate logo to the user.

Anand Rao:

Several hundred logos to choose from... so it would be too heavy and impractical to customize the FCC to handle this; hence I was wondering if I can delegate the authentication to another page that'd submit to the FCC or call the REST web service for authentication.

Herb Mehlhorn:

@Anand, the docs may say that for SSO acting as IdP the example is an FCC, but it does not have to be. The team here believes you can use a login.aspx as the base auth scheme.

Anand Rao:

Thanks! Okay... so after authentication, what URL would the login.aspx redirect the user to so that the SAML flow can be resumed?

Rob Lindberg (CA):

@Anand, in the partnership you specify the Auth URL (redirect.jsp) and then you protect that page with an SSO authentication scheme (which can be custom). The SSO agent handles the redirects and gets the user back to the SAML flow.

Anand Rao:

Okay, thanks! A custom auth scheme is the answer then... thanks a lot!

Anand Rao:

Sorry for taking more time than allotted.

Herb Mehlhorn:

Thanks for taking the time today to join us, Anand... have a good day.