Chat Transcript: Office Hours for CA Single Sign-On [MAY 2016]

Document created by kristen.palazzolo Employee on May 19, 2016Last modified by kristen.palazzolo Employee on Dec 17, 2016
Version 3Show Document
  • View in full screen mode

from Kristen Malzone (CA) to Everyone:

Let's get started! Welcome to Office Hours for CA Single Sign-On!

from Kristen Malzone (CA) to Everyone:

There is no audio. All conversation happens right here in the chat window.

from Kristen Malzone (CA) to Everyone:

Product experts are standing by to answer your questions in real-time.

from Kristen Malzone (CA) to Everyone:

So, ask away! What questions do you have today about CA Single Sign-On?\

from James Opre to Everyone:

I do not have any questions,, I am listening in to hear what others have to ask / say

from Kristen Malzone (CA) to Everyone:

@James - Ok - thanks for joining!

from Tony Pham to Everyone:

you recently have a discussion on CA Single Single-On 12.52 sp1 cr5!

from Kristen Malzone (CA) to Everyone:

Yes we did

from Tony Pham to Everyone:

where can i get the desk, or if there is a replay?

from Sam Dikeman to Everyone:

I have heard that CA is working on a decommission date for 12.51.  Is that true and does that mean that CA will definitely not look at 12.51 support on RHEL 7?

from Kristen Malzone (CA) to Everyone:

We hosted a Community Webcast on Monday.

from Kristen Malzone (CA) to Everyone:

@Tony I sent out a follow up email to all attendees. Did you get it?

from Felipe Leonardo to Everyone:

Hi everyone, I am from Digital Presales team from Brazil and I started learning Single Sign on recently. Though, I have bumped into a customer which would like to have his SAP GUI integrated in sso. Is it possible with our solution?

from Kristen Malzone (CA) to Everyone:

@Felipe This is a customer Office Hours session.

from Tony Pham to Everyone:

"all attendees"    i didn't attend

from Kristen Malzone (CA) to Everyone:

@Felipe Please post internal questions in the SSO Experts Forum.

from Felipe Leonardo to Everyone:

okay, sorry

from Kristen Malzone (CA) to Everyone:

@Felipe If you need a link, IM me.

from Kristen Malzone (CA) to Everyone:

@Tony Video Replay: https://communities.ca.com/videos/4200

from srikanth to Everyone:

Good morning, I wanted to check on CA WAM support for FIDO protocol

from srikanth to Everyone:

we are rolling out windows 10 soon with passport (biometric) authentication support...our users love it

from Herb Mehlhorn to Everyone:

@sam.. the direct answer to the question is yes...as 12.6 comes to market we now start to look at duration of 12.51.  There are no dates yet being considered, but we are starting to think about that.  Timelines typically will be years in duration.   As for RH7 on the policy server we won't be able to do that with 12.51.  More in my next entry

from srikanth to Everyone:

can we extend passport to Web authentication protected by CA WAM

from Herb Mehlhorn to Everyone:

@Sam...the reason for not doing RH7 on 12.51 is that for RH7 support we have to modify a number of internal libs for memory mgmt,, database integration, crypto, etc...

from Prakhar to Everyone:

With the exsisting functionality of integration of Siteminder with CA Risk Authentication, if a user comes with valid SMSESSION Riskevalute is not triggered, is there a feature request to evaluate Risk for application specific just like Siteminder protection works..??

from srikanth to Everyone:

Q2: Does R12.52 Support active SAML end points ? to submit SAML and recieve SMSESSION cookie of user?

from Herb Mehlhorn to Everyone:

@sam...it is a significant change to internal libs and that means a significant program...so doing this on 12.51 would be very similar to the big core work being done for 12.6

from Sam Dikeman to Everyone:

@Herb - thanks.  Tony and I will be very busy at some point then... 

from Herb Mehlhorn to Everyone:

@srikanth - FIDO we have done a POC on this as showed the POC at CA World, but the demand for this waned a great deal and we did not see much demand in the community site/customer input for this, so it has floated in our backlog and it remains there, but as a candidate to continuously check on rather than something that is in the top eschelon of potential enhancements.  What are you seeing for demand?

from Herb Mehlhorn to Everyone:

@Sam...the key item on RH7 is that with all the library changes we need to drive it through a full set of regresssion, scalability, endurance, securability tests.....that really is a full program for development we need to put the new libraries thorugh their paces.

from Herb Mehlhorn to Everyone:

@Sam one thing we have found is that RSA did not have a lib for SecurID sdk, so our RH 7 support iniitally will ahve to go out without SecurID support.

from Herb Mehlhorn to Everyone:

@Sam...can't be sure if you folks use that, but fyi... we will pick up the SecurID support when the SDK from RSA is released and we can get into an SP release on 12.6

from Sam Dikeman to Everyone:

@Herb - we would be ok without SecurID.

from Herb Mehlhorn to Everyone:

@Sam....OK.

from Rob Lindberg (CA) to Everyone:

@srikanth - on the passport question, are you using the biometrics for logging into the desktop or some authentication to browser apps afterwards? we have an IWA authentication scheme for WAM SSO for users already logged into the domain

from Shahn Soomro (CA) to Everyone:

@Srikant regarding Q2...yes.. SiteMinder will return a SMSession cookie after successful authentication via SAML...if that is what you are asking about.

from Herb Mehlhorn to Everyone:

@srikanth...are your bus. constinuents inside your organization asking about FIDO?   What are your thoughts?

from srikanth to Everyone:

@Shahn ...Thanks, this can be on a webservice call ? we post SAML and recieve SMSESSION Spec (cookie)

from Herb Mehlhorn to Everyone:

@prakhar...so this is in an IDP flow.... right?   WHen a user presents their SMsession on IDP side to have SAML Assertion created..  Your question is about the IDP flow?

from srikanth to Everyone:

@Herb and @ Rob , Yes biometric authentication and use that assurance for authentication. IWA will be a lower level assurance

from Sam Dikeman to Everyone:

Little different topic.  Lingering cases.  At what point does management look at long opened cases and try to get them cleaned up?  Or does it take a squeaky wheel?

from Prakhar to Everyone:

@Herb its about a normal application flow and nothing to do with SAML, User logs in an application not integrated with Risk Auth and then goes to another application which is integrated with Risk Auth using Custom Auth Scheme, as User already has SMSession, RiskEvaluation is not triggered.. and is redirected to target application..

from Shahn Soomro (CA) to Everyone:

@srikant..use you still get an SMSession even when authenticating over a webservice.

from Herb Mehlhorn to Everyone:

@prakhar...apologies on the SAML part...was a crossed thread of comms on my side.

from Rob Lindberg (CA) to Everyone:

@sirkanth - biometrics - I apologize if I wasn't clear. Are you looking to create an authentication method to the browser app that would request a biometric response, even after they have access to their desktop?

from Dudley Cadet to Everyone:

Can I toss in a quick support question?

from Herb Mehlhorn to Everyone:

@prakhar,  I am not entirely sure about the answer to your question.....just looking at the use case ...it woudl seem to me the RIskevaluation should occur.   I will have to talk with my Risk Authentication peers.   Is there an existing ticket in CA support ont his topic?

from Prakhar to Everyone:

@Herb what i understand from CA Support is that this how the product works by design, but then the whole idea of integration with Risk Authentication fails if we want a specific Ruleset for Sensitive applications, we don't want to play around with auth level as it would again ask for UserName/Password instead we want to challenge them using their security questions or OTP.

from Kristen Malzone (CA) to Everyone:

@Dudley - yes!

from srikanth to Everyone:

@Rob, we are interested to tap into Microsoft passport (FIDO) support and they are publishing API's for other identity systems to leverage on that platform...eBay potentially might offer password less , secure and strong authentication using those API's

from Dudley Cadet to Everyone:

Configured a new User Store pointing to CA Directory, but SSO only returns entries where the objectClass is inetOrgPerson,

from srikanth to Everyone:

So what are CA's thoughts or approaches on offerign FIDO ...ADFS 2016 can potentially extend it to web authentication and Azure AD offers it now. Users and app owners are demanding for this feature.

from Dudley Cadet to Everyone:

Same store used for WAMUI auth and all users are found when we select oc of TOP. Adding custom schema to the PS knowledge files breaks the PS.

from Herb Mehlhorn to Everyone:

@prakhar...i would lean in your direction on this...if the auth scheme for an app is ...evaluate risk..then the logic shoudl execute this. ...was there a ticket you opened.   I will take a closer look.

from Stephen McQuiggan (CA) to Everyone:

@dudley - the registry on the policy server can be modiifed to add custom object classes, I'll lok for the technote

from Dudley Cadet to Everyone:

Thanks.

from Herb Mehlhorn to Everyone:

@srikanth...we will take a closer look at the traction for FIDO.   If MS passport is faithful to the FIDO spec that would be good.  We will take a closer look.

from Challa Ramakanth to Everyone:

@Sam, Long term cases are reviewed every week to see where the issue is and what we can do progress them further. We also work very closely with engineering to work closely with them.

from srikanth to Everyone:

@Herb , Thanks...

from Herb Mehlhorn to Everyone:

@srikanth.   Gonna take 2 mins to look at community site as well..back in a second.

from Sam Dikeman to Everyone:

@Challa - <SqueakyWheel>Asking because I've had one opened since December.  Told it is high priority but nothing.</SqueakyWheel>

from srikanth to Everyone:

Identity propagation : we are rolling out SOA architecture (Enterprise service Bus) , What is recommended approach to propagate users identity ? capture and replay SMSESSION cookie ?

from Prakhar to Everyone:

@Herb well this is what the product documentation says, RiskEval is triggered even before SMSession is created and if there is a valid SMSession it would just be validated and go for isAuthorization call.. This came to point of discussion with your Support Engineer over different issue but he confirmed that this is how product works.. What we want to know is that is this been highlighted to product management to be added included in new versions..??Support Engineer from Case# 00308961, 00333987 &  00333983 is aware about this functionality..

from Herb Mehlhorn to Everyone:

@srikanth...just took quick look over community site don't see any entries for FIDO, but we still will take a closer look based on our exchange here.   FYI our POC for FIDO was done with Nok Nok Labs...

from srikanth to Everyone:

#identity propagation , Users logs in app A , app A needs to commit a transaction on behalf of user in App B (protected by siteminder)...how do we transfer user identity context ? capture and pass SMSESSION to app B ?

from Stephen McQuiggan (CA) to Everyone:

@dudley - TEC 485119 - The user store is searched iterating through the configured object class types defined in the registry.

from Herb Mehlhorn to Everyone:

@prakhar...thanks for the pointers will find some additional time today to review the details.

from Prakhar to Everyone:

@Herb this can be well reproduced in any environment from a user coming with a valid SMSession and moving to an application protected with Risk Custom Authentication Scheme..

from Herb Mehlhorn to Everyone:

@prakhar...thanks. will look more.

from srikanth to Everyone:

@Herb , Thanks again...

from Kristen Malzone (CA) to Everyone:

15 minutes left! Get your final questions in now!

from Challa Ramakanth to Everyone:

@Sam, I know which one you are talking about. I will get back to you offline with the status update on that.

from Kristen Malzone (CA) to Everyone:

In case you missed it, here's the video replay from this week's webcast on Understanding new session store & metric features in 12 52 sp1 cr5 -> https://communities.ca.com/videos/4200

from Sam Dikeman to Everyone:

@Challa - Thanks.  I do appreciate it.

from Dudley Cadet to Everyone:

@Stephen: Would it be under

from Dudley Cadet to Everyone:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Ds\UserClassFilters

from srikanth to Everyone:

@Shan...on passing SAML to an active end point on SiteMinder and receivng SMSESSION ....can you please point me to any KB articles or documents ?

from Latha to Everyone:

is TLS v1.2 supported on Policy server r12.52 sp1. we are using Load balancer host to connect to LDAP userdirectory

from Shahn Soomro (CA) to Everyone:

@Srikant... CA SSO support Auth/auth web services. where you can see example of reusing SMSession cookie for subsequent authorization of the user request. so doing that via SBUS is no different .. how do you do that will depend on you SOA implementation ..

from srikanth to Everyone:

IDP (ADFS) ...SP (SiteMinder) , authenticate @ ADFS and recieve SAML for SiteMinder....can we pass it to an active end point and recieve SMSESSION from siteminder?

from Prakhar to Everyone:

@Herb Thanks this looks to be a major limitation for this integration..

from Sam Dikeman to Everyone:

Oh, TLS 1.2, forgot about that.  What is the minimum version of policy server that supports TLS 1.2?

from Latha to Everyone:

@Herb  is TLS v1.2 supported on Policy server r12.52 sp1. we are using Load balancer host to connect to LDAP userdirectory

from Shahn Soomro (CA) to Everyone:

@Srikant .. i am not sure if there is specific article written to address passing SMSession around in webservices etc. But I will look

from srikanth to Everyone:

#Identity propagation @Sahn ...is that a best practice in CA WAM ? or a constraint ? to use SMSESSION ....is it recommended ?

from Shahn Soomro (CA) to Everyone:

@srikant.. simplest way to test would be using something like SOAPUI and test out the example auth/az webservices inclided in CA SSO.. you will see SMSession returned in response and you can cut and paste it in subsequent service calls to get access without authentication

from Herb Mehlhorn to Everyone:

@all...trying to do real time check on the TLS 1.2 question..  I now that we dont' use TLS at all for PS to agent connection...but for PS to backend (dir/db, etc) checking on that.

from srikanth to Everyone:

#Identity propagation   @Shan ...even if we move to OAuth model for applications ...having Agent looking for user SMSESSION cookie will force us to replay users SMSESSION around.

from Latha to Everyone:

it is notPS to userdirectory for LDAP

from Shahn Soomro (CA) to Everyone:

@Srikant...that is how CA SSO works.. that is user passes the SMSession of existing session to gain access to additonal apps without being rechallanged. so if you want to use that in webservices interaction that will be fine.

from Shahn Soomro (CA) to Everyone:

@srikant..as far as identity propagation is concerned..it has differnet implication in different contexts.. so I will not use it as a blanket statement..but yes you can use SMSession to gain access to downstream apps for authorized users..over http and in webservices interaction

from srikanth to Everyone:

#Identity propagation...@Shan...Thanks , does CA working on improving this design and removing such constraints ? is it secure ? sorry , these are questions we get from our security team's ....so, passing SMSESSION around is best or atleast common practice ...as CA SSO only works this way ?

from Kristen Malzone (CA) to Everyone:

5 minutes left!

from Shahn Soomro (CA) to Everyone:

@Srikant..Is it secure? yes, because SMSession is evaluated for subsequent access to make sure user is authorized for it... for further (ironclad) security, you may want to use "session assurance" feature to ensure against cookie replays etc.

from Herb Mehlhorn to Everyone:

@all...there is TLS 1.2 support for connection to odbc's that was added with v8 of the lib in Policy Server...am trying to find when v8 of that lib started shipping and trying to track down the LDAP interaction as well. 

from srikanth to Everyone:

@Shan....any additional input on using SAML from a different IDP , passing it to CA SSO to recieve SMSESSION

from srikanth to Everyone:

i looked into CA Auth REST service, dont find option to pass a SAML ...it does offer username/password, rsa token or certificate...what about SAML?

from Herb Mehlhorn to Everyone:

@all...if we time out here before i get the full TLS 1.2 question I can follow up off line.  I know i have Sam

from Kristen Malzone (CA) to Everyone:

@Srikanth - Please post this use case as a discussion thread to the Security Community: https://communities.ca.com/community/ca-security

from Shahn Soomro (CA) to Everyone:

@Srikant..not sure what the different IDP means...I recommend posting the use case in CA Communities (great place to take these discssions to a much larger team).. and there is NO time constraint to responses there

from Sam Dikeman to Everyone:

@Herb - and Latha

from Herb Mehlhorn to Everyone:

's email address. but not sure i have latha's...so Latha...just send me an email at herbert.mehlhorn@ca.com and I will include you

from Kristen Malzone (CA) to Everyone:

Ok - that's all the time we have for today! Please join us again next month: https://communities.ca.com/events/2895

from Latha to Everyone:

ok thanks

from Kristen Malzone (CA) to Everyone:

Have a great day!

from Prakhar to Everyone:

@Herb would be waiting for your feedback on the integration query..!!

from Dudley Cadet to Everyone:

@Stephen: Thanks.

Attachments

    Outcomes