An authentication method represents how an application is protected. After you configure an authentication method, you assign it to the application you want to protect. Multiple applications can use the same authentication method. A single application can reference multiple authentication methods.
Configure an authentication method that satisfies the protection requirements for an application.
Note: The system creates authentication methods corresponding to each of the advanced authentication flows. If you are configuring Advanced Authentication for the tenant, do not create an authentication method. Modify the existing authentication method as described in this procedure.
Follow these steps:
Enter a string that identifies the authentication method you are configuring.
Enter a description for the authentication method. The login page displays this description as a label.
Select this check box to make the authentication method immediately available.
When the authentication method is associated with an application, the authentication service appends the redirect URL for that application to the authentication URL.
Note the following variables in the URLs:
cloud_host is the host name of the CA CloudMinder system.
local_entity_ID is the name of the local entity that is specified in the IdP-to-SP partnership, which is configured at the CSP console.
remote_entity_ID, consumer_entity_ID, or resource_partner_ID is the name of the remote entity that is specified in the configuration of the asserting-to-relying party partnership. The partnership is configured at the CSP console.
Represents a form-based authentication scheme that uses the basic credentials of a user name and a password. The basic authentication method corresponds to the HTML Forms authentication scheme in the CSP console.
Enter the authentication URL in the following format. Serve this URL over https in production, because the user name and password are submitted to it.
http://cloud_host:port/chs/redirectservlet/tenant_tag/forms
tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.
Represents a third-party identity provider (IdP) that authenticates users. Social media sites, such as Google or Facebook, can serve as external IdPs. Other federated partners that support the SAML and WS-Federation protocols can also serve as external IdPs.
If Google or Facebook is acting as the third-party IdP, specify the OpenID or OAuth authentication method. Each site supports both protocols.
Enter the relevant URL for the protocol, as shown:
OpenID
http://cloud_host:port/affwebservices/tenant_tag/duplicate_openid_file.jsp
When configuring the OpenID authentication scheme at the CSP console, the default openid.jsp file is copied and given a unique name, such as openid-google.jsp. A uniquely named JSP file is necessary to distinguish one OpenID configuration from another.
The default JSP file is located in the directory /opt/CA/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp.
OAuth
http://cloud_host:port/affwebservices/tenant_tag/duplicate_oauth_file.jsp
When configuring the OAuth authentication scheme in the CSP console, the default oauth.jsp file is copied and given a unique name, such as oauth-google.jsp. A uniquely named JSP file is necessary to distinguish one OAuth configuration from another.
The default JSP file is located in the directory /opt/CA/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp.
tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.
Select Other when a SAML or WS-Federation-compliant partner is the IdP. The federation profiles SAML 1.1, SAML 2.0, and WS-Federation 1.2 are all supported.
Enter the relevant URL for the protocol, as shown.
For SAML 1.1 transactions
http://cloud_host.domain:port/affwebservices/public/intersitetransfer?CONSUMERID=consumer_entity_ID&TARGET=http://consumer_site/target_url
For SAML 2.0 SP-initiated transactions
http://cloud_host.domain:port/affwebservices/public/saml2authnrequest?ProviderID=local_entity_ID&RelayState=http://sp_site/target_url
For SAML 2.0 IdP-initiated transactions
http://cloud_host.domain:port/affwebservices/public/saml2authnrequest?SPID=remote_entity_ID&RelayState=http://sp_site/target_url
For WS-Federation IP-initiated transactions (IP is the WS-Federation term for the identity provider)
http://cloud_host.domain:port/affwebservices/public/wsfeddispatcher?wa=wsignin1.0&wtrealm=resource_partner_ID&wctx=target_url
Represents one of the authentication protocols that the CA CloudMinder Advanced Authentication Service provides.
Select one of the following options and the URL is entered automatically:
For ArcotID PKI Only
For environments created in CA CloudMinder 1.51 or later:
https://cloud_host:port/chs/redirectservlet/tenant_tag/arcotid
For environments created before CA CloudMinder 1.51:
https://cloud_host:port/affwebservices/<tenant-name>/arcotid.jsp
For ArcotID PKI with Risk
For environments created in CA CloudMinder 1.51 or later:
https://cloud_host:port/chs/redirectservlet/tenant_tag/arcotidrisk
For environments created before CA CloudMinder 1.51:
https://cloud_host:port/affwebservices/<tenant-name>/arcotidrisk.jsp
For ArcotID OTP Only
For environments created in CA CloudMinder 1.51 or later:
https://cloud_host:port/chs/redirectservlet/tenant_tag/arcototp
For environments created before CA CloudMinder 1.51:
https://cloud_host:port/affwebservices/<tenant-name>/arcototp.jsp
For ArcotID OTP with Risk
For environments created in CA CloudMinder 1.51 or later:
https://cloud_host:port/chs/redirectservlet/tenant_tag/arcototprisk
For environments created before CA CloudMinder 1.51:
https://cloud_host:port/affwebservices/<tenant-name>/arcototprisk.jsp
tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.
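The URL templates in the preceding sections all embed tenant tags, entity IDs, and a post-authentication target in a query string. The following is an added example, not CA code, that builds each documented URL from its parts, percent-encodes the embedded target so that a full URL such as http://sp_site/target_url cannot break the query string, and checks the target against an allowlist before the redirect is trusted. It defaults to https for every URL (the page shows http for the forms and federation URLs); the host, port, entity IDs, tenant tag, and allowlist below are constructed placeholders.

```python
"""Builders and checks for the CloudMinder authentication URLs on this page.

Added example, not CA code. Path templates are the ones documented above;
host names, ports, tenant tags and entity IDs are constructed placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlsplit


def _base(cloud_host: str, port: int, scheme: str = "https") -> str:
    # The page shows http for some URLs; authentication redirects should use TLS.
    return f"{scheme}://{cloud_host}:{port}"


def forms_url(cloud_host: str, port: int, tenant_tag: str) -> str:
    """Basic (HTML Forms) scheme: chs/redirectservlet/<tenant_tag>/forms."""
    return f"{_base(cloud_host, port)}/chs/redirectservlet/{tenant_tag}/forms"


def external_idp_url(cloud_host: str, port: int, tenant_tag: str, jsp_file: str) -> str:
    """OpenID or OAuth scheme: affwebservices/<tenant_tag>/<copied jsp>, e.g. openid-google.jsp."""
    return f"{_base(cloud_host, port)}/affwebservices/{tenant_tag}/{jsp_file}"


def saml11_url(cloud_host: str, port: int, consumer_entity_id: str, target: str) -> str:
    """SAML 1.1 intersite transfer; TARGET is percent-encoded by urlencode."""
    query = urlencode({"CONSUMERID": consumer_entity_id, "TARGET": target})
    return f"{_base(cloud_host, port)}/affwebservices/public/intersitetransfer?{query}"


def saml2_sp_initiated_url(cloud_host: str, port: int, local_entity_id: str, relay_state: str) -> str:
    """SAML 2.0 SP-initiated: ProviderID names the local entity."""
    query = urlencode({"ProviderID": local_entity_id, "RelayState": relay_state})
    return f"{_base(cloud_host, port)}/affwebservices/public/saml2authnrequest?{query}"


def saml2_idp_initiated_url(cloud_host: str, port: int, remote_entity_id: str, relay_state: str) -> str:
    """SAML 2.0 IdP-initiated: SPID names the remote entity."""
    query = urlencode({"SPID": remote_entity_id, "RelayState": relay_state})
    return f"{_base(cloud_host, port)}/affwebservices/public/saml2authnrequest?{query}"


def wsfed_url(cloud_host: str, port: int, resource_partner_id: str, wctx: str) -> str:
    """WS-Federation IP-initiated sign-in (wa=wsignin1.0)."""
    query = urlencode({"wa": "wsignin1.0", "wtrealm": resource_partner_id, "wctx": wctx})
    return f"{_base(cloud_host, port)}/affwebservices/public/wsfeddispatcher?{query}"


# Advanced Authentication flows and the path suffix documented for each.
ADVANCED_FLOWS = {
    "ArcotID PKI Only": "arcotid",
    "ArcotID PKI with Risk": "arcotidrisk",
    "ArcotID OTP Only": "arcototp",
    "ArcotID OTP with Risk": "arcototprisk",
}


def advanced_auth_url(cloud_host: str, port: int, tenant: str, flow: str,
                      created_in_151_or_later: bool = True) -> str:
    """Environments from 1.51 on use the redirect servlet; older ones use a JSP."""
    suffix = ADVANCED_FLOWS[flow]
    if created_in_151_or_later:
        return f"{_base(cloud_host, port)}/chs/redirectservlet/{tenant}/{suffix}"
    return f"{_base(cloud_host, port)}/affwebservices/{tenant}/{suffix}.jsp"


def relay_target(url: str):
    """Extract the post-authentication target (TARGET, RelayState or wctx), decoded."""
    params = parse_qs(urlsplit(url).query)
    for key in ("TARGET", "RelayState", "wctx"):
        if key in params:
            return params[key][0]
    return None


def target_allowed(target: str, allowed_hosts) -> bool:
    """Added check: accept a relative path or an http(s) URL to an allowlisted host.

    A value such as //evil.example/x has a netloc and no scheme, so it is rejected.
    """
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return True
    return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts


if __name__ == "__main__":
    url = saml2_sp_initiated_url("cm.example.com", 443, "sp-local", "http://sp_site/target_url")
    print(url)
    print(relay_target(url), target_allowed(relay_target(url), {"sp_site"}))
```

The builders use urlencode rather than string concatenation so that the embedded target URL arrives at the consumer intact, and relay_target together with target_allowed is the check to apply before honouring the target after authentication.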
The authentication method is now available to assign to an application.
Copyright © 2014 CA.
All rights reserved.