No Risk Authentication with Valid SMSESSION

Idea created by Prakhar.sood on Aug 18, 2016
    Not planned


Hi Team,

When a user comes with a valid SMSESSION, RiskEvaluation is never triggered.

While working on the integration of CA SiteMinder and CA Risk Authentication, we noticed that if a user moves from an Application A, which is SiteMinder protected, to an Application B, which uses a Custom Auth Scheme (initiating Risk Evaluation), the user's risk is never evaluated, as the Custom Auth Scheme for Application B is not triggered.

The only workaround for this is to increase the SiteMinder Auth Levels, which is not a great way to achieve this, as it degrades the end-user experience and makes the user enter his ID/password again.

We just want his Secondary Authentication to be triggered if it's set for a specific application.

There are 2 use cases in this scenario which are failing:

UC-1:

Application A (SiteMinder Basic Auth Scheme)

Application B (Custom Auth Scheme - RiskMinder Profile)

If the user logs in to A and moves to B, RiskEvaluation is not triggered.

UC-2:

Application A (Custom Auth Scheme - RiskMinder Profile 1)

Application B (Custom Auth Scheme - RiskMinder Profile 2)

If the user logs in to A and moves to B, the RiskEvaluation ruleset for Profile 2 is never triggered.

This looks to be a serious issue and needs to be addressed in future releases.

Regards,

Prakhar