Chat Transcript: Office Hours for CA Single Sign-On [SEPTEMBER 2016]

Document created by kristen.palazzolo Employee on Sep 29, 2016

from Kristen Palazzolo (CA) to Everyone:
Welcome to Office Hours! We'll get started in about 8 minutes.
from Kristen Palazzolo (CA) to Everyone:
Please RT: https://twitter.com/CA_Community/status/781507679344795648
from Kristen Palazzolo (CA) to Everyone:
Alright, let's get started!
from Kristen Palazzolo (CA) to Everyone:
Welcome to Office Hours for CA Single Sign-On. My name is Kristen and I'm your CA Security Community Manager.
from TC to Everyone:
Hi everyone
from Kristen Palazzolo (CA) to Everyone:
If you've got a question about SSO, you came to the right place!
from Kristen Palazzolo (CA) to Everyone:
Our product experts are standing by to answer your question in real-time right here in the chat window.
from Kristen Palazzolo (CA) to Everyone:
So... who's got the first question?
from TC to Everyone:
May I ?
from Kristen Palazzolo (CA) to Everyone:
Yes, you may!
from TC to Everyone:
Report server is not available after Apr 1, I would like to know what's the replacement reporting tools?
from Herb Mehlhorn to Everyone:
@TC is your organization a licensee of CA SSO?
from TC to Everyone:
yes .. but just purchased the license after Apr 1
from Herb Mehlhorn to Everyone:
@TC, so your organization purchased their first instance of CA SSO after April 1?
from TC to Everyone:
yes
from Herb Mehlhorn to Everyone:
@TC...OK...the path we are taking in CA SSO is rather than bundling 3rd party report server in CA SSO directly our strategy is to have customers leverage their corporate BI system and be able to use CA SSO data being published and then avail for their std. corp BI solution. Do you know your account manager?
from Herb Mehlhorn to Everyone:
@TC...we should set up a short call to go into more detail on this...happy to do so. For those customers that had purchased prior to April 1 they continue to have rights to report server.
from TC to Everyone:
yes .. they just told there would be no more reporting tools and need to use third party tools... thus would like to know if there would be any plan for reporting tools in the future
from TC to Everyone:
as we may need additional effort for report development
from Kristen Palazzolo (CA) to Everyone:
Tech Tip: CA Single Sign-On : How to manually update the expiring signing certificate for Office 365 federation. https://communities.ca.com/thread/241761816
from TC to Everyone:
the previous OOTB report are quite useful
from Josh Coffman to Everyone:
Is anyone using Single Sign-On with mobile push based authentication for the second factor? We are interested in this type of solution due to the deprecation of SMS login codes. Does CA have any efforts planned in this area?
from Kristen Palazzolo (CA) to Everyone:
Find more Tech Tips here: https://communities.ca.com/community/ca-security/content?filterID=contentstatus[published]~category[ca-single-sign-on]&filterID=contentstatus[published]~tag[tips]
from Herb Mehlhorn to Everyone:
@TC...we found that most of our customers were wanting to use their corp std. and we asked the community their thoughts on this. Who is your account team.
from Herb Mehlhorn to Everyone:
?
from Erick to Everyone:
We are thinking to migrate our infrastructure to SM 12.6 from 12.52 SP1. Questions are: what about webagent 6.0? Are they able to talk with 12.6 servers?
from Aaron Berman to Everyone:
@Josh - We are aware of the NIST decision around SMS for Second factor. Normally CA SSO delegates to CA Advanced Authentication for OTP and second factor authentication. CA AA is developing push based notification for a Multi-Factor authentication
from Erick to Everyone:
and also: What about federation staff for legacy staff? Option pack and agent? There is any 12.6 agents
from Aaron Berman to Everyone:
@josh as either a step up or primary authentication mechanism
from Josh Coffman to Everyone:
Does CA have a rough ETA on when Mobile Push Auth might be available?
from Herb Mehlhorn to Everyone:
@Erick - you can continue to use 6.0 web agents, but there are a couple of caveats......
from Josh Coffman to Everyone:
(In Advanced Auth)
from Herb Mehlhorn to Everyone:
@erick...#1 - older agents can't support stronger crypto
from Herb Mehlhorn to Everyone:
@erick #2 - if that 6.0 agent is running on a platform that is EOS ...eg. (IIS4)...then our agent on that platform is also EOS.
from Aaron Berman to Everyone:
@Josh - since that is an Advanced auth function and not SSO I have to defer to the AA team. I suggest you contact your account team, or if you are willing to share your organization i can have someone reach out to you
from Josh Coffman to Everyone:
USDA
from Aaron Berman to Everyone:
@OK Josh.. i will have someone reach out.
from Herb Mehlhorn to Everyone:
@erick...#3...believe also 6.0 agents will not support ipv6..
from Herb Mehlhorn to Everyone:
@erick...those are the caveats...but otherwise it should continue to function.
from Josh Coffman to Everyone:
Is there an ETA on when the Access Gateway will be available for SSO 12.6?
from Erick to Everyone:
tks Herb
from Erick to Everyone:
What about federation staff for legacy staff? Option pack and agent? There is any 12.6 agents. Can we still use federation legacy?
from Herb Mehlhorn to Everyone:
@josh.. right now we are expecting GA before end of nov....as we go from here to there if all goes well we should be able to advance the date as more of the work is executed. Early next week an updated version of the gateway will be posted on Valdiate.ca.com
from Herb Mehlhorn to Everyone:
@josh...that version will be code complete from feature standpoint and we will be working down final stages of work
from Aaron Berman to Everyone:
@erick - We still support legacy federation, although we are encouraging our customers to begin to develop new federations using the newer partnership model. New federation features (like dual certificates) have been added to the partnership model but not legacy.
from Herb Mehlhorn to Everyone:
@josh...sorry... "Validate.ca.com"..my typo
from Aaron Berman to Everyone:
@erick - as far as Agent option pack / gateway approaches to federation, we currently support both. I am encouraging new SSO customers to use the gateway for federation we have found it is a lower cost of ownership and easier to maintain than the WAOP. but the features are the same.
from Aaron Berman to Everyone:
@Josh - Just spoke to Kevin Riordan from CA. he should be giving you a call regarding push notifications.
from TC to Everyone:
Regarding SSO 12.6, is there any performance comparison with 12.52 ? especially under Windows environment ?
from Herb Mehlhorn to Everyone:
@TC...yes.
from Herb Mehlhorn to Everyone:
@tc...give me a min...will copy some info here for you
from TC to Everyone:
thanks
from Erick to Everyone:
Tks Aaron..
from Josh Coffman to Everyone:
Thanks Aaron
from Herb Mehlhorn to Everyone:
@tc...here you go...your mileage will vary ...but here is summary picture
from Erick to Everyone:
We have a lot of legacy fed... is there any tool able to "translate" from legacy to partnership?
from Josh Coffman to Everyone:
Are there any plans to support DeviceDNA without the Access Gateway?
from Herb Mehlhorn to Everyone:
...for windows
from Herb Mehlhorn to Everyone:
@TC...FIPS compatible +22%, FIPS only +10% improvement when going from 12.52 SP2 to 12.6
from Aaron Berman to Everyone:
@josh - no, we are moving away from the "Option Pack" architecture. and we have no plans to move the collection of device DNA to anything other than the gateway.
from Herb Mehlhorn to Everyone:
@TC...measure based on a mix of authentication, validation, authorization transactions in ratio 1:3:20
from Josh Coffman to Everyone:
Does the gateway need to be protecting the app that uses DeviceDNA, or can a redirect occur to a centralized site on validations and certain types of authorizations?
from Josh Coffman to Everyone:
We have 500+ apps already running behind 1000s of webagents, changing the architecture on all of those apps to be behind an access gateway would take years.
from Aaron Berman to Everyone:
@Erick - right now there is no tool to migrate legacy fed to partnerships. - this is the primary reason why we have not EOL'ed the legacy. I have been recommending that it is a good time to migrate a partnership when you update certificates
from Sid Mautte (CA) to Everyone:
The data that everyone is seeing is in Greem which means an Improvement.
from Sid Mautte (CA) to Everyone:
Green that is.
from Herb Mehlhorn to Everyone:
@TC...were you able to see that?
from Aaron Berman to Everyone:
@josh.. no. You don't need apps to run behind the gateway to use session assurance.. you can continue to use your standard agent. we just redirect the user to the gateway to collect the device DNA and then redirect the user back.. similar to the way a cookie provider works
from TC to Everyone:
yes it was clear .. thanks
from Aaron Berman to Everyone:
@josh in fact session assurance works with older 6.x and 12.0 agents.. the agents do not need to be running 12.52
from Herb Mehlhorn to Everyone:
@TC....tx.
from Erick to Everyone:
just a question about the performance you shown.. this means that, in case we move to 12.6 from 12.52, we'll have 22% of improvement if we select windows, 139% in case of RedHat6 and 86% in case of RH7?
from Herb Mehlhorn to Everyone:
@TC...yes.
from Josh Coffman to Everyone:
Thanks Aaron. It sounds like we could centralize DDNA for the majority of our apps, and then when we have clusters of similar apps, we could put them behind a common gateway when time permits.
from Herb Mehlhorn to Everyone:
@erick...sorry let me be more specific
from Herb Mehlhorn to Everyone:
@erick...the comparison was from one version to another but on the same OS.
from Erick to Everyone:
ah ok
from Aaron Berman to Everyone:
@josh exactly.. if you want, when Kevin calls you tell him you want to have a call and we can do a 1:1 to talk about deploying it
from Erick to Everyone:
but... we have problem that we are in Solaris and mandatory to move to RH
from Kristen Palazzolo (CA) to Everyone:
Get to know Abhishek from Cognizant in the latest Community Member Spotlight: https://communities.ca.com/docs/DOC-231169906
from Herb Mehlhorn to Everyone:
@erick...so if you go from 12.52 on RH6 to 12.6 on RH6 you will see 100%+ improvement in perf
from Kumar to Everyone:
Will 12.6 supports all the features which are in 12.52 sp1 cr04
from Erick to Everyone:
we don't know the difference in performance between Solaris and RH
from Aaron Berman to Everyone:
@erick 12.6 supports RHEL 6 and RHEL 7 policy servers.
from Aaron Berman to Everyone:
@kumar - Yes everything from 12.52 SP1 CR5 and lower is in 12.6
from Herb Mehlhorn to Everyone:
@erick ...if you go from RH6 on 12.5x to 12.6 on RH7 you will see 80%+ improve
from Kristen Palazzolo (CA) to Everyone:
If you haven't registered for CA World yet, you can still save $700 by getting a FLASH PASS! Learn more: https://communities.ca.com/community/ca-world/blog/2016/09/26/new-ca-world-16-flash-pass-available-save-700
from Kumar to Everyone:
tnx Aaron
from Erick to Everyone:
tks it is clear now. But... We are in 12.52 with Solaris and moving to 12.6 we have to move to RH. Is there any confront between solaris and RH? We don't know if moving to 12.6 RedHat will improve our SSO (without thinking to the changes of the SSO same)
from Herb Mehlhorn to Everyone:
@erick...I am not sure we have that comparison yet...do expect you will see improvement, but will depend on hw specs between the two. shoot me an email on side and let me see if I can get you a thumbnail estimate.
from Herb Mehlhorn to Everyone:
herbert.mehlhorn@ca.com
from Erick to Everyone:
tnks yes, sure
from Kristen Palazzolo (CA) to Everyone:
CONTEST: Have a pressing business challenge or problem? Share it with us for a chance to win 1 of 3 iPads! http://bit.ly/2dabYW1.
from Colleen Doyle (CA Edu) to Everyone:
Check out what's new with CA Education: http://roojoom.ca.com/r/37610/
from Kristen Palazzolo (CA) to Everyone:
15 minutes left! Get your final questions in now!
from Kumar to Everyone:
Will 12.6 comes with a report server (alternate of cabi 4.x)
from Herb Mehlhorn to Everyone:
@kumar...if your organization was a customer of CA SSO prior to April 1, 2016 then you can use 12.6 with CABI 4.x...
from Kumar to Everyone:
How about the new customers ?
from Kumar to Everyone:
do we have any alternate solution for reports ?
from Herb Mehlhorn to Everyone:
@kumar, we will continue to support CABI 4.x
from Kumar to Everyone:
I mean for 12.6 version
from Herb Mehlhorn to Everyone:
@kumar...the path we are taking in CA SSO is rather than bundling 3rd party report server in CA SSO directly our strategy is to have customers leverage their corporate BI system and be able to use CA SSO data being published and then avail for their std. corp BI solution.
from Kumar to Everyone:
@herb, noted with thanks
from Tony D.Q. Pham to Everyone:
for 12.6, have you test it with Directory 12.5 SP18 ?
from Herb Mehlhorn to Everyone:
@tony...yes we did. in fact as a SSO customer you are able to download SP18 for use at Session store, policy store.
from Tony D.Q. Pham to Everyone:
@Herb, is/are there any special schema file(s) that i need
from Herb Mehlhorn to Everyone:
@tony...i believe that is still needed...I can send you the link for it.
from Tony D.Q. Pham to Everyone:
@Herb, thx
from Herb Mehlhorn to Everyone:
@tony...expect it 10 mins after the office hours conclude..
from Aaron Berman to Everyone:
@tony -- Directory 12.5 (ships hopefully in October) has a REST API for modifying schema. when that ships we can look at programmatically inserting the schema into CA Dir
from Tony D.Q. Pham to Everyone:
the Oct. from what i understand, is for SP19
from Aaron Berman to Everyone:
@Tony, no.. we are releasing Directory as 12.5 with a new REST based UI
from Tony D.Q. Pham to Everyone:
so 12.5 SP0 ?
from Aaron Berman to Everyone:
@tony - no longer are we allowed to do new features in a SP release
from Aaron Berman to Everyone:
@tony yes
from Tony D.Q. Pham to Everyone:
ok, i receive wrong info from my colleague. thx. will look into that.
from Aaron Berman to Everyone:
@tony the new ui is really nice.. it is not the same as the SSO framework UI it is built on a nice web 2.0 architecture
from Tony D.Q. Pham to Everyone:
however, i only use Directory for SM PStore, nothing else. no bells/whistle, but will look to see how can i benefit from 12.5 (Oct release)
from Tony D.Q. Pham to Everyone:
yes, the new UI seem to be easy to navigate, and the color is subtle
from Aaron Berman to Everyone:
@tony when you get it it is much easier to do administrative work - setup replication, setup routers, etc.
from Kristen Palazzolo (CA) to Everyone:
Ok - that's all the time we have for today!
from Tony D.Q. Pham to Everyone:
@Aaron, oh, you were talking about the UI for Directory, aren't you? i was talking about SM WAM UI :)
from Kristen Palazzolo (CA) to Everyone:
I will post the chat transcript to the CA Security Community later today.

from Tony D.Q. Pham to Everyone:
thx
from Aaron Berman to Everyone:
@tony yes the new Directory UI.... the SSO UI has been improved upon in 12.6 from a performance perspective but is a similar architecture

from Kristen Palazzolo (CA) to Everyone:
Thanks everyone!
