Symantec Access Management

We are using R12.7 SSO Policy Server with R12.7 Access Gateway in client's environment and now requirement is to do O365 integration using federation services with CA Access Gateway. Some of the queries below if someone can help:

For Poc:

1) Can we do POC with Microsoft Test Tennat which has one month free subscriptiop. Also For doing POC with Test Tennat, do we need to register Domain for test tennat with ISP.

2) Can we do POC without user sync, like manual approch of adding test user in Azure AD with same attributes.

For Actual Implementation:

1) Do we really need "DMZ Proxy" and STS services on Internet if organization want O365 access to be restrcited to with in the network only. I understand this is not a good option but somehow business want this way.

2) Do we really need to do separate setup for IWA (Integrated Windows Authentication) that uses NTLM ?? The reason I am asking is, I can see in documentation that STS needs to be enabled with IWA using KDC with below steps:

Configure the CA Access Gateway Administrative UI.
a.Open the CA Access Gateway Administrative UI, navigate to Web Services, and Security Token Service.
b.Configure the following fields in the STS IWA Configuration section:

KDC Address: Defines the fully qualified domain name and port of the KDC.

Kerberos Realm: Defines domain name of the KDC machine.

Keytab: Defines the path to the Keytab file that you generated.

Principal: Defines the Service Principal Name (SPN) value that a client uses to uniquely identify a service instance. Example, HTTP/casso-sps.caofficedemos.com

Where,

HTTP: Indicates the service name.

casso-sps.caofficedemos.com: Indicates the CA Access Gateway fully qualified host name.

3) How the solution work for Mobile users ?

Any further guidance for O365 integration will be of great help. 

Thanks,

Sachin

Sachin sacgoyal

REFERENCE : 

Microsoft Office 365 - CA Single Sign-On - 12.8 - CA Technologies Documentation  

Single Sign-on to Office 365 - CA Single Sign-On - 12.8 - CA Technologies Documentation  

Passive Profile : SAP Portal Services  

Dear Hubert,

Thanks for the detailed reply and it helped a lot. I would appreciate if you can provide your view on below follow up queries:

Also Solution scope is to have "Active Profile" with Deskop SSO for business users:

1) As we have to do this integration with Active profile with windows authentication scheme, Can we use native NTLM IWA setup OR do we really need kerbros authentication here as mentioned in below step. Also if we go with kerbros then do we need to do seperate setup for IWA on Windows / IIS servers ?

Configure the CA Access Gateway Administrative UI.
a.Open the CA Access Gateway Administrative UI, navigate to Web Services, and Security Token Service.
b.Configure the following fields in the STS IWA Configuration section:

KDC Address: Defines the fully qualified domain name and port of the KDC.

Kerberos Realm: Defines domain name of the KDC machine.

Keytab: Defines the path to the Keytab file that you generated.

Principal: Defines the Service Principal Name (SPN) value that a client uses to uniquely identify a service instance. Example, HTTP/casso-sps.caofficedemos.com

Where,

HTTP: Indicates the service name.

casso-sps.caofficedemos.com: Indicates the CA Access Gateway fully qualified host name.

2) For Mobile Users, we have below two use case:
a) Mobile user access from internet --> In this case, how IWA will work ?
b) Mobile user access with MaaS360(Mobile VPN for organization) --> again how IWA / Authentication will work in this case.

Once again in last, I am still confused whether we need to do complete IWA as seperate setup on windows IIS servers for O365 integration that use Native NTLM approch and do we need any seperate license for IWA setup ?

Sachin sacgoyal

Dear Hubert,

Thanks for making it very simple for me and its really helpful. So in total we already have i) SSO Policy Server 12.7 on linux and ii) CA Access Gateway 12.7 on linux and our requirement is to have O365 integration with desktop SSO and from the comments what I can conclude is:

1) We need to have STS exposed to internet and this can be done either putting CA AG in DMZ or have a apache proxy in DMZ and which forward the request to CA AG STS services.

2) Since CA AG is installed on linux so it need Kerbros. No need of seperate IWA setup. 

So now, for mobile users from internet, since CA AG on linux and it doesn't support fallback on forms so how the solution will work. Is there any alternative other than installing CA AG on windows ? Actually we already have the CA AG on linux so customer wouldn't want to go to windows. 

Also pls note, we have other integrations working with same Access Gateway like S.Now, Successfactor & many others so enabling CA AG with kerbros will not make any impact to existing applications ? is that correct or do we really need separate Access Gateway for O365 integration. 

This would be my last query and I will be thankful to you if you can spend few mins to answer it.

Regards,

Sachin 

Sachin sacgoyal

I'd say its best we engage CA Services beyond this as it would be beneficial to design this right.

Hi Hubert,

Thanks for detailed clarification and we have recommended customer to have the solution reviewed by CA Services. 

In the mean time, there is a ask that can we enable MFA (OTP based) for O365 integrations specially the browser based scenarios.

Regards,

Sachin 

Sachin sacgoyal

MFA (OTP based) for Passive Profile is fine. However when we do so we also need to thinking ahead (for e.g. enabling Active Profile in future).

As for the question, It is enabling a relevant Authentication Scheme (for e.g. Radius OR XAuthRadius) and associating that with the Authentication URL in Partnership.

So it really depends what kind of MFA (X509, Radius, 3rd Party Product Integration) and for which segment of users (Intranet OR Internet OR both).

Regards

Hubert