

Configure a Realm and a Rule for the Tenant Domain

A realm groups resources that have similar security requirements and share a common authentication scheme. For the tenant domain, create a realm and associate it with a Web Agent.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object.

Follow these steps:

  1. Click Policies, Domain, Realms.

    The Realms page appears.

  2. Click Create Realm.
  3. Select the tenant domain that you want to modify, and click Next.
  4. Type the name and a description of the realm.

    Specify a name that indicates the realm is for an SSO authentication URL. For example:

  5. Click Lookup Agent/Agent Group to select an agent.
  6. Select the cam-agent and click OK.
  7. Specify the Resource Filter for the authentication scheme you are using. The scheme must match the authentication method that was chosen in the User Console, configured there, and applied to the application.

    The following list includes the resource filter for all available authentication schemes for cloud SSO. Use the resource filter for your authentication scheme.

    For HTML Forms authentication

    For environments created in CA CloudMinder 1.51 or later:

    /chs/redirect/tenant_tag/forms

    For environments created before CA CloudMinder 1.51:

    /affwebservices/<tenant-name>/forms.jsp

    For OpenID authentication

    /affwebservices/tenant_tag/duplicate_openid_file.jsp

    Copy the default openid.jsp file to a unique name, such as openid-google.jsp. A uniquely named jsp file is necessary to distinguish OpenID configurations.

    For OAuth authentication

    /affwebservices/tenant_tag/duplicate_oauth_file.jsp

    Copy the default oauth.jsp file and give the copy a unique name, such as oauth-google.jsp or oauth-facebook.jsp. Having a unique jsp file is necessary to distinguish OAuth configurations.

    For Arcot PKI authentication scheme

    For environments created in CA CloudMinder 1.51 or later:

    /chs/redirect/tenant_tag/arcotid

    For environments created before CA CloudMinder 1.51:

    /affwebservices/<tenant-name>/arcotid.jsp

    For Arcot OTP authentication scheme

    For environments created in CA CloudMinder 1.51 or later:

    /chs/redirect/tenant_tag/arcototp

    For environments created before CA CloudMinder 1.51:

    /affwebservices/<tenant-name>/arcototp.jsp

    For Arcot PKI Risk authentication scheme

    For environments created in CA CloudMinder 1.51 or later:

    /chs/redirect/tenant_tag/arcotidrisk

    For environments created before CA CloudMinder 1.51:

    /affwebservices/<tenant-name>/arcotidrisk.jsp

    For Arcot OTP Risk authentication scheme

    For environments created in CA CloudMinder 1.51 or later:

    /chs/redirect/tenant_tag/arcototprisk

    For environments created before CA CloudMinder 1.51:

    /affwebservices/<tenant-name>/arcototprisk.jsp

    tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

  8. Complete the remaining fields:
    Default Resource Protection

    Protected

    Authentication Scheme

    Select the authentication scheme that you configured for the SSO application and the scheme that corresponds to the resource filter. For example, if you are using OpenID and you configured a scheme named OpenID Auth, select that scheme.

  9. Create a rule:
    1. Specify a name for the rule.

      For example, if Google is the OAuth provider, name the rule oauth_googlerule. If Facebook is the OAuth provider, name the rule oauth_facebookrule.

    2. In the Realm and Resource area, edit the Resource value by deleting the forward slash (/) character that precedes the asterisk.

      Important! The Resource value is now the asterisk (*) character only. The policy server appends the rule's Resource to the realm's Resource Filter, so leaving the slash in place would require a trailing path segment after the authentication URL and the rule would not match the URL itself.

    3. In the Action area, select Web Agent actions.
    4. Under Action, control-click to multi-select GET, HEAD, and POST.
    5. Accept the defaults for the remaining settings.
    6. Click Ok.
  10. Specify the session properties.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  11. Skip the other configuration options.
  12. Click Finish.

    The realm is complete.
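The following script is an added illustration of how the realm and rule configured above fit together; it is not CloudMinder or SiteMinder code. It assumes the policy server's usual matching behaviour: the rule's Resource is appended to the realm's Resource Filter, a trailing asterisk matches any remainder, and a realm whose Default Resource Protection is Protected challenges a request even when no rule grants the method. The tenant tag `acme`, the request paths and the token check on the tag are assumptions for the example; check the matching semantics against your policy server documentation before relying on them.

```python
"""Model of realm filter + rule resource coverage (added example, not product code)."""
from dataclasses import dataclass, field
import re

# Resource filters listed in the procedure, keyed by (scheme, created in 1.51 or later).
# OpenID and OAuth have one path regardless of version; the page's placeholder
# file names are kept as-is.
FILTERS = {
    ("forms", True): "/chs/redirect/{tag}/forms",
    ("forms", False): "/affwebservices/{tag}/forms.jsp",
    ("openid", None): "/affwebservices/{tag}/duplicate_openid_file.jsp",
    ("oauth", None): "/affwebservices/{tag}/duplicate_oauth_file.jsp",
    ("arcotid", True): "/chs/redirect/{tag}/arcotid",
    ("arcotid", False): "/affwebservices/{tag}/arcotid.jsp",
    ("arcototp", True): "/chs/redirect/{tag}/arcototp",
    ("arcototp", False): "/affwebservices/{tag}/arcototp.jsp",
    ("arcotidrisk", True): "/chs/redirect/{tag}/arcotidrisk",
    ("arcotidrisk", False): "/affwebservices/{tag}/arcotidrisk.jsp",
    ("arcototprisk", True): "/chs/redirect/{tag}/arcototprisk",
    ("arcototprisk", False): "/affwebservices/{tag}/arcototprisk.jsp",
}

# Assumed safe shape for a tenant tag: a tag containing '/', '*' or spaces
# would change the shape of the filter it is substituted into.
TAG_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def valid_tag(tenant_tag):
    """True if the tenant tag is a plain token that cannot alter the filter."""
    return bool(TAG_RE.match(tenant_tag))


def resource_filter(scheme, tenant_tag, post_151=True):
    """Return the realm Resource Filter for the scheme and tenant tag."""
    if not valid_tag(tenant_tag):
        raise ValueError(f"tenant tag {tenant_tag!r} is not a plain token")
    key = (scheme, None) if (scheme, None) in FILTERS else (scheme, post_151)
    return FILTERS[key].format(tag=tenant_tag)


@dataclass
class Rule:
    resource: str = "*"                          # step 9: slash deleted, '*' only
    actions: tuple = ("GET", "HEAD", "POST")     # step 9: Web Agent actions selected


@dataclass
class Realm:
    filter: str
    protected: bool = True                       # Default Resource Protection
    rules: list = field(default_factory=list)


def rule_matches(realm, rule, method, path):
    """Assumed semantics: realm filter + rule resource, trailing '*' matches any remainder."""
    pattern = realm.filter + rule.resource
    if pattern.endswith("*"):
        path_ok = path.startswith(pattern[:-1])
    else:
        path_ok = path == pattern
    return path_ok and method.upper() in rule.actions


def evaluate(realm, method, path):
    """Classify a request: outside-realm, rule-matched, protected-no-rule or unprotected."""
    if not path.startswith(realm.filter):
        return "outside-realm"
    if any(rule_matches(realm, r, method, path) for r in realm.rules):
        return "rule-matched"
    return "protected-no-rule" if realm.protected else "unprotected"


def demo():
    """Forms realm for an assumed tenant tag 'acme', configured as in the procedure."""
    realm = Realm(filter=resource_filter("forms", "acme"), rules=[Rule()])
    return {
        "auth_url_get": evaluate(realm, "GET", "/chs/redirect/acme/forms"),
        "auth_url_post": evaluate(realm, "POST", "/chs/redirect/acme/forms"),
        "auth_url_put": evaluate(realm, "PUT", "/chs/redirect/acme/forms"),
        "other_tenant": evaluate(realm, "GET", "/chs/redirect/other/forms"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows why step 9 deletes the slash: with the default `/*` resource the pattern becomes `/chs/redirect/acme/forms/*`, which never matches the authentication URL itself, so the rule would not grant GET or POST on it. It also shows that a method outside GET, HEAD and POST falls under the realm's Protected default rather than the rule, and that another tenant's path is outside this realm entirely.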