As an administrator, you want internal CA CloudMinder Identity Management users, such as employees or partners, to have easy but secure access to software resources outside of your network environment.
For example, Salesforce.com is a software resource outside of your network environment. You want all new sales employees in your company to have access to Salesforce. You want that access to be protected by security more advanced than the security provided by Salesforce. You want to set up Salesforce accounts for employees automatically, rather than creating them one by one. You also want your employees to be able to access Salesforce through single sign-on for enhanced convenience and security.
This scenario describes how to use CA CloudMinder to perform all of these activities:
This scenario assumes that you have purchased the Single Sign-on Service, the Advanced Authentication Service, and the Provisioning Service for your CA CloudMinder environment.
Note: The terminology used for the target software resource is different depending on the component you are configuring. Note the following:
The following figure shows the steps required to configure this scenario. In a typical environment, hosting administrators and tenant administrators have access to different system components and features. In this scenario, a hosting administrator performs some steps while a tenant administrator performs other steps.

Perform the following procedures to configure an application for SSO, advanced authentication, and account creation. (The responsible administrator is indicated in parentheses.)
Create federated partnerships to enable secure communication between your CA CloudMinder system and the target software resource.
Configure and apply an authentication scheme to make a given type of login security available in your system. The authentication method and authentication scheme work together to protect access to the specified application.
Create authentication methods to make a given type of login security available to apply to an application. The authentication method and authentication scheme work together to protect access to the specified application.
Create one or more account templates and provisioning roles to automatically create user accounts in the target software resource.
Create an application to define how and where users access the target software resource.
Create a service to give the user access to the application. The application is now configured with single sign-on, advanced authentication and automatic account creation.
Make the resource available through the User Console, or through a URL link.
Copyright © 2014 CA.
All rights reserved.