
SSO from Google OAuth to CA SSO protected apps problematic

Question asked by Vlad on Nov 13, 2018
Latest reply on Dec 4, 2018 by CBertagnolli

I have an existing site A protected with CA SSO Web Agent, with DirA using the username attribute for user disambiguation and DirB for user authorization. DirA is mapped to DirB by UniversalId (cn).

Now I have implemented Google OAuth 2.0 authentication. All social ids are stored in the DirA ssoopenid multi-valued attribute. Google sends the customer's email in a claim. The Policy Server cannot disambiguate a user by email against DirA, because DirA uses username to disambiguate, not the ssoopenid attribute. I need to create DirC equal to DirA, but using the ssoopenid attribute for disambiguation. Now, when the browser is redirected from the OAuth client to site A, the session created during OAuth authentication against DirC is not accepted by site A, because CA SSO considers DirA != DirC.


How is this supposed to be resolved? Some OAuth AZ servers do not even return an email, but a random id, i.e. MobileConnect. The whole OAuth user disambiguation should be done over a custom disambiguation parameter, not a generic one from a user directory.


Thanks,

Vlad
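The core of the question is the disambiguation step: the incoming claim (an email, or an opaque id from a provider such as MobileConnect) has to be matched against one attribute of the user entry, and only then mapped by cn to the authorization directory. The following Python model is an added illustration for this thread, not CA SSO code and not anything from the original post; the directory contents (DIR_A, DIR_B) and the function names are constructed, while the attribute names (username, ssoopenid, cn) are the ones described in the question. It shows why matching the claim against the multi-valued ssoopenid attribute succeeds where the username lookup fails, and why a lookup that matches more than one entry must be rejected rather than silently picking the first user.

```python
"""
Constructed illustration (not CA SSO / SiteMinder code): resolve an incoming
identity claim to a directory entry using a configurable disambiguation
attribute, then map that entry to an authorization directory by its
UniversalId (cn). All directory data below is sample data made up for this
example.
"""
from typing import Dict, List, Optional

# Constructed sample of DirA (authentication directory). Each entry has a cn
# (UniversalId), a username, and a multi-valued ssoopenid attribute that holds
# social identifiers (an email claim, an opaque provider id, ...).
DIR_A: List[Dict] = [
    {"cn": "u1001", "username": "vlad",
     "ssoopenid": ["vlad@example.com", "mobileconnect:7f3a9c"]},
    {"cn": "u1002", "username": "alice",
     "ssoopenid": ["alice@example.com"]},
]

# Constructed sample of DirB (authorization directory), keyed by the same cn
# that DirA carries, which is how the question describes the DirA->DirB mapping.
DIR_B: Dict[str, Dict] = {
    "u1001": {"cn": "u1001", "roles": ["siteA-user"]},
    "u1002": {"cn": "u1002", "roles": ["siteA-user", "siteA-admin"]},
}


class AmbiguousUser(Exception):
    """Raised when a claim matches more than one directory entry."""


def disambiguate(entries: List[Dict], attribute: str, value: str) -> Optional[Dict]:
    """Return the single entry whose `attribute` equals `value`.

    A multi-valued attribute matches if any of its values equals the claim.
    Returns None when nothing matches. Raises AmbiguousUser when more than one
    entry matches: a non-unique match must never be resolved by taking the
    first hit, because that would log one user in as another.
    """
    matches = []
    for entry in entries:
        attr = entry.get(attribute)
        if attr is None:
            continue
        values = attr if isinstance(attr, list) else [attr]
        if value in values:
            matches.append(entry)
    if len(matches) > 1:
        raise AmbiguousUser(
            f"{len(matches)} entries match {attribute}={value!r}")
    return matches[0] if matches else None


def authorize(dir_a_entry: Dict, dir_b: Dict[str, Dict]) -> Optional[Dict]:
    """Map the authenticated DirA entry to its DirB record by cn."""
    return dir_b.get(dir_a_entry["cn"])


def resolve(claim_value: str, attribute: str) -> Optional[Dict]:
    """Full flow: disambiguate in DirA on `attribute`, then authorize via DirB.

    Returns {"cn": ..., "roles": [...]} on success, None if the claim does not
    map to a known and authorized user.
    """
    entry = disambiguate(DIR_A, attribute, claim_value)
    if entry is None:
        return None
    authz = authorize(entry, DIR_B)
    if authz is None:
        return None
    return {"cn": entry["cn"], "roles": list(authz["roles"])}


if __name__ == "__main__":
    # The email claim from the OAuth provider only resolves when the lookup
    # attribute is ssoopenid; disambiguating on username finds nothing.
    print(resolve("vlad@example.com", "username"))   # None
    print(resolve("vlad@example.com", "ssoopenid"))  # {'cn': 'u1001', ...}
    print(resolve("mobileconnect:7f3a9c", "ssoopenid"))
```

Running the script shows the same email claim failing against the username attribute and succeeding against ssoopenid, and the opaque MobileConnect-style id resolving the same way once it is stored in the multi-valued attribute, which is the behaviour the question wants from a single directory rather than from a second directory (DirC) that the Web Agent then treats as a different user store.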
