Symantec Access Management


Azure MFA integration with CA SSO 12.7

  • 1.  Azure MFA integration with CA SSO 12.7

    Posted Sep 14, 2018 08:41 AM

    How to integrate Azure MFA with CA SSO 12.7?

    And how to map Azure Active Directory with CA SSO?



  • 2.  Re: Azure MFA integration with CA SSO 12.7

    Posted Sep 14, 2018 09:14 AM

    How to integrate Azure MFA with CA SSO 12.7?

     

    One approach that I have seen is to use Radius Authentication (or XAuthRadius) from CA SSO.

     

    Azure MFA Radius Authentication

    Azure MFA synchronization between on premise and cloud – Customer Feedback for Microsoft Azure 

    RADIUS Authentication and Azure MFA Server | Microsoft Docs 

    Use existing NPS servers to provide Azure MFA capabilities | Microsoft Docs 

     

    CA SSO OOB Radius Authentication

    RADIUS CHAP PAP Authentication Schemes - CA Single Sign-On - 12.8 - CA Technologies Documentation 

     

    CA SSO XAuthRadius

    CA Global Delivery Packaged Work Product Download Index - CA Technologies 

     

     

    How to map Azure Active Directory with CA SSO?

     

    CA SSO would connect to an on-premise AD as the Identity Store; you'll need to configure sync between the on-premise AD and Azure AD in the cloud.

    Connect Active Directory with Azure Active Directory. | Microsoft Docs 



  • 3.  Re: Azure MFA integration with CA SSO 12.7

    Posted Sep 18, 2018 03:14 AM

    Hi Hubert,

     

    Thanks for sharing the information, but my requirement is to integrate Azure MFA with CA SSO 12.7 protected applications, so when any user tries to access any app it should go for MFA.



  • 4.  Re: Azure MFA integration with CA SSO 12.7

    Posted Sep 18, 2018 10:15 AM

    Arun ArunGoswami007

     

    Irrespective of the CA SSO version (R12.52 / R12.7 / R12.8), the bottom line is:

     

    • If SSO to Azure Cloud is needed, then we do federation (as per the link provided from CA SSO Documentation by Vijay).
    • If MFA to Azure MFA is needed, then one option is Radius Authentication.

     

    There is no direct integration with Azure MFA (Multi-Factor Authentication) from any CA SSO version, e.g. using a 302 redirect from a CA SSO Authentication Scheme to Azure MFA.

     

    The simpler supported way that I know of is going the Radius route. Here is how I envision the flow to be.

    • CA SSO will challenge the user for Credentials. CA SSO Web Agent will collect the user name / password / token.
    • CA SSO Policy Server will validate the username / password with onPremise AD.
    • CA SSO Policy Server will make a call to NPS using Radius Protocol to validate the Token.
    • NPS will speak with Azure MFA on Cloud to validate Token and pass a response back to CA SSO Policy Server.
    • CA SSO Policy Server, based on the response back from NPS / Azure MFA, will take a final call on whether the user is authenticated or not.
    • If all is success, then CA SSO Policy Server would send IsAuthenticated() success to CA SSO Web Agent.

     

    Here in this link, there is a high level explanation.

    Use existing NPS servers to provide Azure MFA capabilities | Microsoft Docs 

     

    Have we reached out to the Azure MFA user forums and asked the same question, just for surety / reassurance, on how Microsoft recommends using Azure MFA in conjunction with 3rd-party Access Management products? I'd do that as well to see Microsoft's perspective.

     

    Regards

    Hubert



  • 5.  Re: Azure MFA integration with CA SSO 12.7

    Posted Sep 19, 2018 08:00 AM

    Hi Hubert,

     

    Really thankful for the above information, one more thing I want to confirm - is it possible to use SAML instead of webagent in this case as we have to integrate CyberArk with CA SSO and it will use MFA.

     

    Thanks,

    Arun



  • 6.  Re: Azure MFA integration with CA SSO 12.7

    Posted Sep 19, 2018 09:29 AM

    Arun ArunGoswami007

    This question is out of context in this thread. Always open a new thread for a new question. I raised a new one for this new question being asked.

    integrate CyberArk with CA SSO and it will use MFA 



  • 7.  Re: Azure MFA integration with CA SSO 12.7

    Posted Oct 11, 2018 09:02 AM

    Hi Hubert,

     

    Need more clarification on the role of CA Policy Server and NPS - which will act as the Radius server?

    Second thing - how will NPS communicate with Azure MFA, and what will be the method used to validate the user/token?

     

    Thanks,

    Arun



  • 8.  Re: Azure MFA integration with CA SSO 12.7

    Posted Oct 11, 2018 10:31 AM

    Arun ArunGoswami007

     

    I have explained at a high level in the thread above what role CA SSO WebAgent, CA SSO Policy Server and NPS would play.

    Policy Server would be the client making a call to the Radius Server. The question I'd ask Microsoft is which component on their end will handle the Radius request originating from CA SSO Policy Server. The way I'm envisioning this, based on quick reads, is that the role of the Radius Server can be done either by the NPS Extension or an on-premise MFA Server.



  • 9.  Re: Azure MFA integration with CA SSO 12.7

    Posted Sep 18, 2018 08:04 PM

    Hubert,

     

    When you say "CA SSO Policy Server will make a call to NPS using Radius Protocol to validate the Token", you mean CA SSO Policy Server acting as a Radius client (by default it is not) with challenge/response support, correct? Which in turn needs a GD XAuthRadius. Please clarify.



  • 10.  Re: Azure MFA integration with CA SSO 12.7

    Posted Sep 18, 2018 08:40 PM

    KB 

     

    For a simple PoC just to prove that the integration works, we may be able to achieve that using the "radius server authentication scheme" which is shipped OOB with CA SSO Policy Server.

     

    CA SSO OOB Radius Authentication

    RADIUS CHAP PAP Authentication Schemes - CA Single Sign-On - 12.8 - CA Technologies Documentation 

     

     

    For all the advanced use cases, Yes we need the XAuthRadius (which is separately licensed in addition to CA SSO license) deployed on CA SSO Policy Server.

     

     

    CA SSO XAuthRadius

    CA Global Delivery Packaged Work Product Download Index - CA Technologies 



  • 11.  Re: Azure MFA integration with CA SSO 12.7

    Broadcom Employee
    Posted Sep 17, 2018 10:02 AM

    Arun, We don't know your detailed business requirements. But, in addition to the above provided by Hubert, this may be of interest from the integration point of view. 

     

    Single Sign-On to Microsoft Azure - CA Single Sign-On - 12.7 - CA Technologies Documentation 

     

    CA Single Sign-On enables single sign-on between enterprise users and the Microsoft Azure cloud solution. Federating to Microsoft Azure removes the burden of hosting services locally. For example, an enterprise user logs in to an application but is unaware that the application is in the cloud. The sign-in experience with Microsoft Azure is the same as if that user is connected to an on-premise application.

     

    Rgds. - Vijay