

Create the Authentication Method

An authentication method represents how an application is protected. After you configure an authentication method, you assign it to the application you want to protect. Multiple applications can use the same authentication method. A single application can reference multiple authentication methods.

Configure an authentication method that satisfies the protection requirements for an application.

Note: The system creates authentication methods corresponding to each of the advanced authentication flows. If you are configuring Advanced Authentication for the tenant, do not create an authentication method. Modify the existing authentication method as described in this procedure.

Follow these steps:

  1. Log in to the User Console.
  2. Navigate to Applications, Authentication Methods, Create an Authentication method.
  3. In the top section of the Create Authentication method screen, complete the following fields:
    Name

    Enter a string that identifies the authentication method you are configuring.

    Description

    Enter a description for the authentication method. The login page displays this description as a label.

    Enabled

    Select this check box to make the authentication method immediately available.

  4. In the Configure Authentication Method section, select one of the following options and enter the authentication URL for that option.

    When the authentication method is associated with an application, the authentication service appends the redirect URL for the application.

    Note the following variables in the URLs:

    cloud_host is the CA CloudMinder system.

    local_entity_ID is the name of the local entity that is specified in the IdP-to-SP partnership, which is configured at the CSP console.

    remote_entity_ID, consumer_entity_ID or resource_partner_ID is the name of the remote entity that is specified in the configuration of the asserting-to-relying party partnership. The partnership is configured at the CSP console.

    Basic

    Represents a form-based authentication scheme that uses the basic credentials of a user name and a password. The basic authentication method corresponds to the HTML Forms authentication scheme in the CSP console.

    Enter the authentication URL of the following format. The form collects a user name and password, so use https rather than http wherever the deployment supports it:

    http://cloud_host:port/affwebservices/tenant_tag/forms.jsp

    tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

    External IDP—Google or Facebook

    Represents a third-party identity provider (IdP) that authenticates users. Social media sites, such as Google or Facebook can serve as external IdPs. Other federated partners that support the SAML and WS-Federation protocols can also serve as external IdPs.

    If Google or Facebook is acting as the third-party IdP, specify the OpenID or OAuth authentication method. Each site supports both protocols.

    Enter the relevant URL for the protocol, as shown:

    OpenID

    http://cloud_host:port/affwebservices/tenant_tag/duplicate_openid_file.jsp

    When you configure the OpenID authentication scheme at the CSP console, you copy the default openid.jsp file and give the copy a unique name, such as openid-google.jsp. A unique JSP file is required to distinguish one OpenID configuration from another.

    The default JSP file is located in the directory /opt/CA/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp.

    OAuth

    http://cloud_host:port/affwebservices/tenant_tag/duplicate_oauth_file.jsp

    When you configure the OAuth authentication scheme at the CSP console, you copy the default oauth.jsp file and give the copy a unique name, such as oauth-google.jsp. A unique JSP file is required to distinguish one OAuth configuration from another.

    The default JSP file is located in the directory /opt/CA/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp.

    tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

    External IDP—Other

    Select Other when a SAML or WS-Federation-compliant partner is the IdP. The federation profiles SAML 1.1, SAML 2.0, and WS-Federation 1.2 are all supported.

    Enter the relevant URL for the protocol, as shown.

    For SAML 1.1 transactions

    http://cloud_host.domain:port/affwebservices/public/intersitetransfer?CONSUMERID=consumer_entity_ID&TARGET=http://consumer_site/target_url

    For SAML 2.0 SP-initiated transactions

    http://cloud_host.domain:port/affwebservices/public/saml2authnrequest?ProviderID=local_entity_ID&RelayState=http://sp_site/target_url

    For SAML 2.0 IdP-initiated transactions

    http://cloud_host.domain:port/affwebservices/public/saml2authnrequest?SPID=remote_entity_ID&RelayState=http://sp_site/target_url

    For WS-Federation IP-initiated transactions

    http://cloud_host.domain:port/affwebservices/public/wsfeddispatcher?wa=wsignin1.0&wtrealm=resource_partner_ID&wctx=target_url

    Advanced Authentication

    Represents one of the authentication protocols that the CA CloudMinder Advanced Authentication Service provides.

    Select one of the following options; the URL is entered automatically:

    For ArcotID PKI Only

    https://cloud_host:port/affwebservices/tenant_tag/arcotid.jsp

    For ArcotID PKI with Risk

    https://cloud_host:port/affwebservices/tenant_tag/arcotidrisk.jsp

    For ArcotID OTP Only

    https://cloud_host:port/affwebservices/tenant_tag/arcototp.jsp

    For ArcotID OTP with Risk

    https://cloud_host:port/affwebservices/tenant_tag/arcototprisk.jsp

    tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

  5. Click Submit.

The authentication method is available to protect an application.
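The URL templates in step 4 substitute deployment-specific values (cloud_host, port, tenant_tag, the entity IDs) and, for the federation profiles, embed a second URL (TARGET, RelayState or wctx) as a query parameter. The following Python is an added example and is not part of the CA CloudMinder documentation or product: it builds each URL from the templates above, percent-encodes the embedded target so that a `?` or `&` inside it is not read as a further parameter of the authentication URL, and checks the result for two properties worth confirming before pasting it into the Create Authentication method screen: that the URL uses https, and that the redirect target points at an allow-listed host. The hostnames, tenant tag and entity IDs are constructed; the https and allow-list checks are general web-security practice, not documented product behaviour.

```python
"""Build and sanity-check CA CloudMinder authentication-method URLs.

Added example (not CA documentation or product code). The URL shapes are
the templates from step 4 of the procedure above; the percent-encoding of
the embedded target and the checks in check_auth_url() are general web
security practice, not documented product behaviour.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Advanced Authentication options and the JSP each one resolves to (from the page).
ADVANCED_AUTH_JSP = {
    "arcotid_pki": "arcotid.jsp",
    "arcotid_pki_risk": "arcotidrisk.jsp",
    "arcotid_otp": "arcototp.jsp",
    "arcotid_otp_risk": "arcototprisk.jsp",
}

# Query parameters that carry the URL the user is sent to after authentication.
REDIRECT_PARAMS = ("TARGET", "RelayState", "wctx")


def _base(cloud_host, port, scheme):
    return f"{scheme}://{cloud_host}:{port}/affwebservices"


def tenant_url(cloud_host, port, tenant_tag, jsp, scheme="https"):
    """Basic (forms.jsp) and External IDP Google/Facebook (duplicate OpenID/OAuth JSP) URLs."""
    return f"{_base(cloud_host, port, scheme)}/{tenant_tag}/{jsp}"


def advanced_auth_url(cloud_host, port, tenant_tag, option, scheme="https"):
    """Advanced Authentication URL for one of the four options."""
    return tenant_url(cloud_host, port, tenant_tag, ADVANCED_AUTH_JSP[option], scheme)


def federation_url(cloud_host, port, profile, entity_id, target, scheme="https"):
    """External IDP Other: SAML 1.1, SAML 2.0 (SP- or IdP-initiated) and WS-Federation.

    entity_id is consumer_entity_ID / local_entity_ID / remote_entity_ID /
    resource_partner_ID from the page; target is the URL embedded in TARGET,
    RelayState or wctx. urlencode() percent-encodes it, so a '?' or '&'
    inside the target cannot be parsed as a further parameter.
    """
    if profile == "saml11":
        path, params = "intersitetransfer", {"CONSUMERID": entity_id, "TARGET": target}
    elif profile == "saml2_sp":
        path, params = "saml2authnrequest", {"ProviderID": entity_id, "RelayState": target}
    elif profile == "saml2_idp":
        path, params = "saml2authnrequest", {"SPID": entity_id, "RelayState": target}
    elif profile == "wsfed":
        path, params = "wsfeddispatcher", {"wa": "wsignin1.0", "wtrealm": entity_id, "wctx": target}
    else:
        raise ValueError(f"unknown federation profile {profile!r}")
    return f"{_base(cloud_host, port, scheme)}/public/{path}?{urlencode(params)}"


def check_auth_url(url, allowed_target_hosts):
    """Return a list of findings; an empty list means the URL passes.

    Checks (general hardening, not product requirements):
      * the URL uses https, because the page it points at collects credentials
        or carries federation messages;
      * the path is under /affwebservices/, as every template on the page is;
      * any TARGET/RelayState/wctx value names a host on the allow-list, so the
        authentication URL cannot bounce a user to an arbitrary site.
    """
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, expected https")
    if not parts.path.startswith("/affwebservices/"):
        findings.append(f"path {parts.path!r} is not under /affwebservices/")
    allowed = {h.lower() for h in allowed_target_hosts}
    # parse_qs undoes the percent-encoding, so each value is the original target URL.
    for name in REDIRECT_PARAMS:
        for value in parse_qs(parts.query).get(name, []):
            host = urlsplit(value).hostname  # None for relative or scheme-only values
            if host not in allowed:
                findings.append(f"{name} target host {host!r} is not allow-listed")
    return findings


if __name__ == "__main__":
    # Constructed values: hostnames, tenant tag and entity IDs are made up.
    print(tenant_url("cloud.example.com", 443, "acme", "forms.jsp"))
    print(advanced_auth_url("cloud.example.com", 443, "acme", "arcotid_otp_risk"))
    good = federation_url("cloud.example.com", 443, "saml2_sp", "acme-idp",
                          "https://app.example.com/home?x=1&y=2")
    print(good, check_auth_url(good, {"app.example.com"}))
    bad = federation_url("cloud.example.com", 443, "wsfed", "acme-rp",
                         "https://evil.example.net/", scheme="http")
    print(bad, check_auth_url(bad, {"app.example.com"}))
```

Run the script to see one passing SAML 2.0 SP-initiated URL and one WS-Federation URL that fails both checks (plain http and a target outside the allow-list). The allow-list should contain only the hosts of the applications the authentication method protects.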