Chat Transcript: Office Hours for CA Advanced Authentication [JANUARY 2017]

Document created by kristen.palazzolo Employee on Jan 31, 2017
Version 1

from Kristen Palazzolo (CA) to Everyone:
@Rama Welcome to Office Hours!
from Kristen Palazzolo (CA) to Everyone:
@Rajesh Hello! How are you today?
from rajesh srivastava to Everyone:
Hi, I am good, thanks!
from Rama to Everyone:
Thank you
from Kristen Palazzolo (CA) to Everyone:
Welcome to Office Hours for CA Advanced Authentication!
from Kristen Palazzolo (CA) to Everyone:
My name is Kristen, your CA Community Manager.
from Kristen Palazzolo (CA) to Everyone:
Product experts are standing by to answer your questions about Advanced Authentication in real-time, so ask away!
from Kristen Palazzolo (CA) to Everyone:
Who's got the first question today?
from rajesh srivastava to Everyone:
We are using SiteMinder R12.52 SP1 CR6 for federation with external clients and internal applications. We have a requirement for OTP type Authentication which I believe CA Advanced Authentication does. I am not able to find any proper document which details how to use CA Advanced Authentication with SiteMinder.
from Martin Yam to Everyone:
hi, the integration between SSO and AA, which does support OTP, is via an adaptor.
from Martin Yam to Everyone:
this is documented in the AA documentation at docops.ca.com/aa
from Martin Yam to Everyone:
search for adaptor
from Martin Yam to Everyone:
here is the link
from Martin Yam to Everyone:
https://docops.ca.com/ca-advanced-authentication/8-2/en/installation/ca-adapter-installation/introduction-to-ca-adapter
from Martin Yam to Everyone:
it is basically an auth scheme that integrates AA authentication into SSO
from Aldwin to Everyone:
Is it possible to leverage the OTP feature of AA from another application? For example, I have a web application with forms auth, use my desktop OTP client to generate an OTP, and have my web application validate the OTP using the AA API.
from Kristen Palazzolo (CA) to Everyone:
Don't forget to follow the *new* CA Advanced Authentication subspace of the CA Security Community: https://communities.ca.com/community/ca-security/ca-advanced-authentication/activity
from Martin Yam to Everyone:
yes there is an api to authenticate an OTP
from Kristen Palazzolo (CA) to Everyone:
@Aldwin Welcome to Office Hours!
from Kristen Palazzolo (CA) to Everyone:
@Namish Hello! Welcome!
from Kristen Palazzolo (CA) to Everyone:
Any other questions?
from Aldwin to Everyone:
I'm good.
from rajesh srivastava to Everyone:
Nothing from my side for today. I have to now configure it at my end
from rajesh srivastava to Everyone:
Thanks everyone
from Aldwin to Everyone:
Thanks
from Kristen Palazzolo (CA) to Everyone:
@Rama - Are you still there?
from Rama to Everyone:
yes, and thank you for the links
from Kristen Palazzolo (CA) to Everyone:
@Rama Is there anything else we can help you with today?
from Rama to Everyone:
No, I am good
from Kristen Palazzolo (CA) to Everyone:
@Rama - Ok! Let us know if you have any more questions. And, don't forget to follow the CA Advanced Authentication Community: https://communities.ca.com/community/ca-security/ca-advanced-authentication/activity
from Rama to Everyone:
Sure. Thank you
from Kristen Palazzolo (CA) to Everyone:
@Vikram Welcome to Office Hours!
from Vikram Mullachery to Everyone:
Hi All, architecturally where do you recommend we place the Adv Auth Servers? (e.g. DMZ, internal etc.)?
from Vikram Mullachery to Everyone:
@Kristen, thank you
from Martin Yam to Everyone:
the actual AA servers should be behind your firewalls.
from Martin Yam to Everyone:
the AFM is typically placed in the DMZ to proxy info back to the auth servers
from Vikram Mullachery to Everyone:
@Martin - thank you. Has CA ever used the CA SPS (or Access Gateway) to front the AFM? Is that a workable combination?
from Namish to Everyone:
@Vikram,
from Martin Yam to Everyone:
can you provide more details on this question. the AFM and SPS are two different executables that do two very different things
from Namish to Everyone:
You can use Web servers in front of the AFM which is normally deployed in some servlet container
from Vikram Mullachery to Everyone:
oh ok, great. Because CA Access Gateway does not offer certain features of a regular web server, such as content-cache etc. - hence the question
from Kristen Palazzolo (CA) to Everyone:
10 minutes left! Get your final questions in now!
from Vikram Mullachery to Everyone:
In an CA Single Sign-On integrated situation, is there a mechanism for the terminate an ongoing user session (SMSESSION)?
from Vikram Mullachery to Everyone:
*for terminating
from Martin Yam to Everyone:
this is really an SSO question but here goes
from Martin Yam to Everyone:
if you are using the Session Assurance capability that integrates the AA deviceID into the SMSession cookie, you can terminate the session from SSO if you find a mismatch between original device at login and current device when checked
from Martin Yam to Everyone:
termination of the SM Session is a function of an action on the SSO side
from Kristen Palazzolo (CA) to Everyone:
Alright - that's all the time we have for today!
from Kristen Palazzolo (CA) to Everyone:
Thanks for joining. See you next time!
