Single Sign-On Service › SSO Getting Started Guide › Enable Domain Users to Access Applications Without Reauthenticating

Enable Domain Users to Access Applications Without Reauthenticating

Home realm detection enables users who have authenticated with their domain credentials to log into a target application without needing to select an identity provider on the CA CloudMinder login page.

For example, your company uses Google Apps, a software resource outside of your network environment. Users who have logged into the network with domain credentials should be able to access Google Apps without having to select an identity provider in the CA CloudMinder login page.

How Home Realm Detection Works

The following steps describe the process that takes place when home realm detection is enabled.

1. A user accesses a URL for an application that CA CloudMinder protects.

   The user is already logged into the corporate domain.

2. The proxy at the corporate site intercepts all requests that are directed to CA CloudMinder and injects the following header:

   ONPREM_AUTH_METHOD = authentication method name.

   authentication method name

   The name of the authentication method object in the User Console. The authentication method is associated with the application that the user is trying to access in the User Console.

3. CA CloudMinder receives the request with the header from the proxy and determines that the specified authentication method is associated with the particular application being accessed. CA CloudMinder redirects the user to the target application instead of the CA CloudMinder login page.

Enable Home Realm Detection

You enable home realm detection in the corporate proxy server.

Prerequisites:

• A proxy server that can intercept traffic to CA CloudMinder and insert a header into an HTTPS connection is installed and running.
• A partnership is configured between <stmdr>, installed at the corporate site, which acts as the external IdP and CA CloudMinder, which acts as the SP.
• CA CloudMinder protects the application that users want to access without having to reauthenticate. The application is defined in the User Console as follows:
  • The application definition is associated with an authentication method in the User Console.
  • The authentication method includes a reference to the URL that users are directed to.
• You have the exact name of the authentication method that is associated with the application definition in the User Console.

Configuration:

Configure the proxy to insert a header into all requests for CA CloudMinder.

The header resembles the following example:

ONPREM_AUTH_METHOD = authentication method name.

authentication method name

The name of the authentication method object in the User Console.

In the following example, the authentication method object name is Test123.

The method for configuring the proxy server to insert a header depends on the proxy server that you are using. The following text illustrates a sample configuration for Fiddler, which is simulating proxy functionality:

if(oSession.HostnameIs("cloudMinder.domain.com")){

 	oSesssion.oRequest["ONPREM_AUTH_METHOD"] = "Test123";

}

Note: For information on inserting headers into requests, see the documentation for your proxy server.

Example: How to Configure Home Realm Detection for Google Apps

The following example describes how to enable domain users at Forward, Inc. to access Google Apps without having to select an authentication method in the CA CloudMinder login screen.

This example assumes the following configuration:

• Corporate users are part of an Active Directory domain, and authenticate using Integrated Windows Authentication (IWA)
• CA SiteMinder is installed at the corporate site, and serves as the IdP in a SAML2 partnership. CA CloudMinder is the SP.

  In CA SiteMinder, the following configuration is defined:

  • IWA authentication is enabled.
  • The following resource is protected by IWA authentication:

    /affwebservices/redirectjsp/redirect.jsp

  • The resource URL above is specified as the Authentication URL in the partnership, as follows:

    https://test.forwardinc.com/affwebservices/redirectjsp/redirect.jsp

• CA CloudMinder also acts as the IdP in a federated partnership with Google Apps (the SP).

  In this partnership, the following configuration exists:

  • The Delegated Administration URL is the URL for the target application.

    https://domain/chs/login/tenant_name/application in User Console

    For example:

    https://test2.cloud.com/chs/login/ForwardInc/GoogleApps

  • The SSO Service URL for the partnership resembles the following:

    https://domain/affwebservces/public/saml2sso?SPID=SPID of target application

    For example:

    https://test2.cloud.com/affwebservces/public/saml2sso?SPID=google.com/a/ggl.test.com

    This URL must match the Launch URL that you define in the application.

• A proxy server that can intercept traffic to CA CloudMinder and insert a header into an HTTPS connection is installed and running at the corporate site.

Follow these steps:

1. Create authentication method.
2. Create an application.
3. Configure the on-premise proxy.