Symantec Access Management


CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

  • 1.  CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Posted Jun 18, 2018 02:31 PM

    Experts,

     

    We are implementing a solution in which the user experience is as below.

     

    1. The user accesses an application.
    2. Siteminder challenges the user with a form-based login page.
    3. The user provides credentials (1st-factor authentication) and the control is passed on to the CA adapter (CA advance authentication).
    4. The CA adapter (CA advance authentication) passes the control to a biometric (3rd party - let's say goVerifyID) for 2nd-factor authentication. 
    5. If biometric authentication is successful, the user is allowed to access the application.

     

    In the above scenario, the redirection to the 3rd party strong auth tool happens via CA adapter (CA advance authentication).

     

    Is the above implementation possible, as I can see that CA advance authentication can be configured as an SP with any 3rd party strong auth tool as IDP?

     

    Any pointers or suggestions around the above implementation or how can I achieve the above implementation?

     

    Appreciate your response.

     

    Thanks,

    Shivam



  • 2.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Broadcom Employee
    Posted Jun 18, 2018 04:07 PM

    Hi Shivam, 

     

    AA will always behave as an IDP because AA only authenticates. 

    Are you trying to configure AA as SP?

     

    thanks

    awijit 



  • 3.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Posted Jun 19, 2018 03:35 AM

    Yes, we want to configure AA as SP so that authentication always happens at goVerifyID for biometric.



  • 4.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Posted Jun 19, 2018 03:37 AM

    The reason we want this to happen is that CA SSO doesn't have the capability to pass the control to 3rd party strong auth tool, therefore, we want CA advance auth to pass the control. The integration between all the components has to be tightly coupled. 

     

    Do we have any chained LDAP authentication mechanism in CA SSO?

     

    Thanks,

    Shivam



  • 5.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Broadcom Employee
    Posted Jun 19, 2018 11:21 AM

    Hi Shivam,

     

    AA can only be configured as an IDP, as we only create an assertion for the SP to consume, since AA only authenticates.

    In your flow I don't see any use case where you will need to use federation.

    Is your third-party biometric software an IDP?

     

    thanks

    awijit 



  • 6.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Posted Jun 19, 2018 11:27 AM

    Is there any workaround you can think of in order to achieve the flow mentioned?



  • 7.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Posted Jun 19, 2018 11:27 AM

    Yes, the 3rd party biometric is configured as IDP over SAML therefore we were thinking that if AA can be configured as SP, the authentication request will always go to the 3rd party biometric software. In this case, CA AA will only be sending authentication request forward to 3rd party biometric tool and 1st factor of authentication is done by CA SSO.



  • 8.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Broadcom Employee
    Posted Jun 19, 2018 11:32 AM

    Your IDP will send the assertion to AA but AA will not be able to consume it because AA cannot be configured as SP. Therefore I believe even doing some customization on AA will not help as it does not have the code to consume an assertion. 

    Have you tried talking to CA Services?



  • 9.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Broadcom Employee
    Posted Jun 19, 2018 11:33 AM

    I will wait for someone from CA Services to comment on this. 



  • 10.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)

    Posted Jun 19, 2018 12:54 PM

    Cool thanks. Would you like to tag someone here in order to channel the query to the right forum/professional?



  • 11.  Re: CA advance auth integration with any 3rd party Strong Auth (goVerify ID)
    Best Answer

    Broadcom Employee
    Posted Jul 01, 2018 11:01 PM

    Hi,

     

    This could be possible with customization at AFM, provided proper APIs are available for the 3rd party biometric solution.

     

    Here is the flow.

     

    - The application is protected with the CA SSO Advanced Auth scheme.

    - If a session is not present, the user will be redirected to CA AFM (Adapter) after SM disambiguates the user.

    - AFM will be customized to perform the third-party biometric API calls to complete the biometric validation.

    - Based on the API results, the user will be redirected to the protected application.

     

    The complexity of the customization depends completely on the third-party biometric APIs.
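
An added illustration of the last two steps of the flow above (not CA's AFM code and not from any poster in this thread): how a customized adapter could bind the third-party biometric result to the user that SiteMinder disambiguated, and reject mismatched, expired or replayed results. The function names, the response fields `status`, `subject` and `transaction`, and the 120-second lifetime are assumptions; a real biometric API will differ.

```python
import hashlib
import hmac
import json
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-deployment signing key (assumption)
TTL = 120                         # seconds a challenge stays valid (assumption)
_used = set()                     # consumed nonces, for replay protection

def _tag(user, nonce, issued):
    # JSON-encode the fields so their boundaries cannot be confused.
    msg = json.dumps([user, nonce, issued]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def start_step_up(user_dn, now=None):
    """Issue a challenge bound to the user the first factor identified."""
    issued = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    return {"user": user_dn, "nonce": nonce, "issued": issued,
            "tag": _tag(user_dn, nonce, issued)}

def finish_step_up(challenge, api_result, now=None):
    """Return True only if the biometric result belongs to this challenge."""
    now = int(now if now is not None else time.time())
    expected = _tag(challenge["user"], challenge["nonce"], challenge["issued"])
    supplied = str(challenge.get("tag", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False                      # challenge was altered in transit
    if now - challenge["issued"] > TTL:
        return False                      # too old
    if challenge["nonce"] in _used:
        return False                      # already consumed (replay)
    _used.add(challenge["nonce"])         # one attempt per challenge
    # api_result stands in for the vendor's response, fetched server-side
    # by the adapter; the field names are hypothetical.
    return (api_result.get("status") == "verified"
            and api_result.get("subject") == challenge["user"]
            and api_result.get("transaction") == challenge["nonce"])
```

The redirect to the protected application happens only when `finish_step_up` returns `True`; every other outcome, including an API error that yields an empty result, leaves the user unauthenticated.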