How to integrate Azure MFA with CA SSO 12.7?
And how to map Azure Active Directory with CA SSO?
One approach that I have seen is to use Radius Authentication (or XAuthRadius) from CA SSO.
Azure MFA Radius Authentication
Azure MFA synchronization between on premise and cloud – Customer Feedback for Microsoft Azure
RADIUS Authentication and Azure MFA Server | Microsoft Docs
Use existing NPS servers to provide Azure MFA capabilities | Microsoft Docs
CA SSO OOB Radius Authentication
RADIUS CHAP PAP Authentication Schemes - CA Single Sign-On - 12.8 - CA Technologies Documentation
CA SSO XAuthRadius
CA Global Delivery Packaged Work Product Download Index - CA Technologies
How to map Azure Active Directory with CA SSO?
CA SSO would connect to an on-premises AD as the identity store; you'll need to configure sync between the on-premises AD and Azure AD in the cloud.
Connect Active Directory with Azure Active Directory. | Microsoft Docs
Thanks for sharing the information, but my requirement is to integrate Azure MFA with CA SSO 12.7 protected applications, so when any user tries to access any app it should go for MFA.
Irrespective of the CA SSO version (R12.52 / R12.7 / R12.8), the bottom line is:
There is no direct integration with Azure MFA (MultiFactor Authentication) from any CA SSO version e.g. using a 302 redirect from CA SSO Authentication Scheme to Azure MFA (MultiFactor Authentication).
The simpler supported way that I know of is going the Radius route. Here is how I envision the flow to be.
Here in this link, there is a high-level explanation.
Have we reached out to the Azure MFA user forums and asked the same question, just for surety / reassurance, on how Microsoft recommends using Azure MFA in conjunction with 3rd-party access management products? I'd do that as well to see Microsoft's perspective.
Really thankful for the above information. One more thing I want to confirm: is it possible to use SAML instead of the Web Agent in this case, as we have to integrate CyberArk with CA SSO and it will use MFA?
This question is out of context in this thread. Always open a new thread for a new question. I raised a new one for this new question being asked.
integrate CyberArk with CA SSO and it will use MFA
Need more clarification on the role of the CA Policy Server and NPS: which will act as the RADIUS server?
Second thing: how will NPS communicate with Azure MFA, and what method will be used to validate the user/token?
I have explained at a high level in the above thread what role the CA SSO Web Agent, CA SSO Policy Server and NPS would play.
Policy Server would be the client making a call to Radius Server. The Question I'd ask Microsoft is which component on their end will handle the radius request originating from CA SSO Policy Server. The way I'm envisioning this based on quick reads is, the Role of the Radius Server can be done either by the NPS Extension OR an on Premise MFA Server.
When you say "CA SSO Policy Server will make a call to NPS using Radius Protocol to validate the Token", you mean the CA SSO Policy Server acting as a RADIUS client (by default it is not) with challenge/response support, correct? Which in turn needs a GD XAuthRadius. Please clarify.
For a simple PoC just to prove that the integration works, we may be able to achieve that using the "radius server authentication scheme" which is shipped OOB with CA SSO Policy Server.
For all the advanced use cases, yes, we need the XAuthRadius (which is separately licensed in addition to the CA SSO license) deployed on the CA SSO Policy Server.
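As an added illustration of the challenge/response exchange discussed above (not code from this thread, CA, or Microsoft): a Python model of the two-leg RADIUS flow, with the Policy Server side acting as RADIUS client and a stand-in for the NPS/Azure MFA side. It assumes RFC 2865 PAP password hiding, a constructed shared secret, user, password and OTP, and an Access-Challenge State attribute that binds the OTP leg to the first request.

```python
import hashlib
import os

# Constructed values for this example (not from the thread)
SECRET = b"radius-shared-secret"               # RADIUS shared secret, client and server
USERS = {"arun": b"Passw0rd!"}                  # primary credential (normally AD)
OTPS = {"arun": b"482913"}                      # second factor (normally Azure MFA)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11

def hide_password(password, authenticator, secret=SECRET):
    """RFC 2865 User-Password hiding: 16-byte chunks XOR MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def reveal_password(hidden, authenticator, secret=SECRET):
    """Inverse of hide_password, run on the RADIUS server side."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def mfa_server(req):
    """Stand-in for the NPS + Azure MFA side: password first, then OTP bound to State."""
    user = req["User-Name"]
    value = reveal_password(req["User-Password"], req["Authenticator"])
    if "State" not in req:                      # first leg: primary credential
        if USERS.get(user) != value:
            return ACCESS_REJECT, {}
        return ACCESS_CHALLENGE, {"State": b"mfa-txn-7", "Reply-Message": b"Enter OTP"}
    if req["State"] == b"mfa-txn-7" and OTPS.get(user) == value:
        return ACCESS_ACCEPT, {}
    return ACCESS_REJECT, {}                    # wrong OTP or unknown/forged State

def radius_login(user, password, otp):
    """Client leg the Policy Server needs: Access-Request, Access-Challenge, second Access-Request."""
    ra = os.urandom(16)                         # Request Authenticator, fresh per request
    code, reply = mfa_server({"User-Name": user, "Authenticator": ra,
                              "User-Password": hide_password(password, ra)})
    if code != ACCESS_CHALLENGE:
        return code                             # e.g. bad password: no second factor attempted
    ra2 = os.urandom(16)
    code, _ = mfa_server({"User-Name": user, "Authenticator": ra2, "State": reply["State"],
                          "User-Password": hide_password(otp, ra2)})
    return code
```

The OOB "radius server authentication scheme" only covers the first leg; the State round-trip in radius_login is the part that needs challenge/response support on the Policy Server side.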
Arun, We don't know your detailed business requirements. But, in addition to the above provided by Hubert, this may be of interest from the integration point of view.
Single Sign-On to Microsoft Azure - CA Single Sign-On - 12.7 - CA Technologies Documentation
CA Single Sign-On enables single sign-on between enterprise users and the Microsoft Azure cloud solution. Federating to Microsoft Azure removes the burden of hosting services locally. For example, an enterprise user logs in to an application but is unaware that the application is in the cloud. The sign-in experience with Microsoft Azure is the same as if that user is connected to an on-premise application.
Rgds. - Vijay