No Risk Authentication with Valid SMSESSION

Idea created by Prakhar.sood on Aug 18, 2016
    Not planned

    Hi Team,


    When a user comes with a valid SMSESSION, RiskEvaluation is never triggered.


    While working on the integration of CA Siteminder and CA Risk Authentication, we noticed that if a user moves from an Application A which is Siteminder protected to Application B which is using a Custom Auth Scheme (initiating Risk Evaluation), the User Risk is never evaluated, as the Custom Auth Scheme for Application B is not triggered.


    The only workaround to this is to increase the Siteminder Auth Levels, which is not a great way to achieve this, as it hurts the end-user experience and makes the user enter his ID/password again.


    We just want his Secondary Authentication to be triggered if it's set for a specific application.


    There are 2 Use-Cases to this scenario which are failing:


    Application A (Siteminder Basic Auth Scheme)

    Application B (Custom Auth Scheme - Riskminder Profile)


    If a user logs in to A and moves to B, RiskEvaluation is not triggered.



    Application A (Custom Auth Scheme - Riskminder Profile -1)

    Application B (Custom Auth Scheme - Riskminder Profile - 2)


    If a user logs in to A and moves to B, the RiskEvaluation ruleset for Profile - 2 is never triggered.


    This looks to be a serious issue and needs to be addressed in future releases.
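
The behaviour described in this post, as an added example that is not part of the original post and is not CA code: a simplified Python model in which an existing session is re-challenged only when the target realm's protection level is higher than the level the session was established at. The `risk_profile` field, the `risk_done` session attribute, the function names and the level values are hypothetical.

```python
# Simplified model (an assumption, not product code) of protection-level SSO:
# an existing session is re-challenged only when the target realm's auth scheme
# has a higher protection level than the one the session was established at.
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Realm:
    name: str
    scheme: str
    level: int                          # auth scheme protection level
    risk_profile: Optional[str] = None  # hypothetical per-realm risk profile

@dataclass
class Session:
    level: int
    risk_done: set = field(default_factory=set)  # hypothetical session attribute

def login(realm):
    """First authentication: the realm's scheme runs, including its risk profile."""
    session = Session(level=realm.level)
    if realm.risk_profile:
        session.risk_done.add(realm.risk_profile)
    return session

def scheme_triggered(session, realm):
    """Level-only decision: the behaviour the post describes."""
    return realm.level > session.level

def risk_step_up_needed(session, realm):
    """Requested behaviour: step up when this realm's profile has not run yet."""
    return realm.risk_profile is not None and realm.risk_profile not in session.risk_done

# Constructed realms mirroring the two use cases; level 5 is an arbitrary sample value.
CASE1 = (Realm("A", "Basic", 5), Realm("B", "Custom", 5, "Profile-B"))
CASE2 = (Realm("A", "Custom", 5, "Profile-1"), Realm("B", "Custom", 5, "Profile-2"))

def walk(a, b):
    """Log in at realm a, move to realm b: (scheme triggered?, risk check owed?)."""
    session = login(a)
    return scheme_triggered(session, b), risk_step_up_needed(session, b)

if __name__ == "__main__":
    for a, b in (CASE1, CASE2):
        print(f"{a.scheme} -> {b.scheme}: {walk(a, b)}")
    raised = Realm("B", "Custom", 10, "Profile-B")  # the workaround: raise B's level
    print("workaround triggers scheme:", scheme_triggered(login(CASE1[0]), raised))
```

In both use cases the level-only check leaves the scheme for Application B untriggered while a risk evaluation is still owed, and raising B's level is the only thing that forces the scheme to run.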