CA Adapter UNIX Installation Guide › Introduction to Adapter › Adapter Architecture › Authentication Flow Manager
Authentication Flow Manager
Authentication Flow Manager (AFM) functions as an interface between users and other components of Adapter. For SAML-based portals, AFM can be deployed as an Identity Provider (IdP) providing SSO-based federated identity services using SAML 2.0. It also performs the function of a state machine that guides the end user through authentication workflows.
AFM provides you the flexibility to create common ready-to-use authentication configurations, known as AFM profiles. For more information about AFM profiles, see Understanding the AFM Profile.
You can use AFM to configure the following out-of-the-box workflows:
Important! All workflows are capable of enrolling users who do not possess an AuthMinder credential.
- Risk Evaluation and ArcotID PKI Authentication: This authentication workflow is a combination of the risk evaluation and ArcotID PKI authentication workflows. This workflow can also be configured to use QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
- ArcotID PKI Authentication: This workflow includes ArcotID PKI authentication using CA AuthMinder. This workflow can be configured to present QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations. However, the IPsec VPN integration uses only QnA for secondary authentication.
- LDAP and ArcotID PKI Authentication: This workflow combines the LDAP or basic SiteMinder authentication scheme and ArcotID PKI authentication. In this workflow, the LDAP or basic authentication is performed before ArcotID PKI authentication. This workflow can be configured to present QnA, OTP by email, OTP by SMS, or ArcotID OTP on mobile phones for secondary authentication on a SiteMinder integration.
- Risk Evaluation and LDAP Authentication: This authentication workflow is a combination of the risk evaluation workflow and LDAP or basic SiteMinder authentication scheme. In this workflow, the risk evaluation is performed before the LDAP or basic authentication. This workflow can be configured to present QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
- LDAP Authentication and Risk Evaluation: This authentication workflow combines the LDAP or basic SiteMinder authentication scheme and the risk evaluation workflow. In this workflow, the LDAP or basic authentication is performed before the risk evaluation. This workflow can be configured to present QnA, OTP by SMS, OTP by email, or ArcotID OTP on mobile phones for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
- OATH-Based Authentication: This workflow includes authentication using OATH-based hardware token credentials. You can configure this as a primary authentication mechanism for any supported application on SAML, SiteMinder, and SSL VPN integrations.
- ArcotID OTP-Based Authentication for Mobiles and Other Devices: This workflow includes authentication using ArcotID OTP. The OTP that is used for authentication is generated on your device, which can be a mobile device or the computer where the ArcotID OTP application is installed. You can configure this as a primary authentication mechanism for any supported application. You can also configure this workflow to present QnA, OTP by email, or OTP by SMS for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
- Risk Evaluation and ArcotID OTP-Based Authentication for Browsers: This workflow combines risk evaluation and ArcotID OTP authentication for browsers. In this workflow, risk evaluation is performed before the ArcotID OTP authentication. You can also configure this workflow to present QnA, OTP by email, or OTP by SMS for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
- ArcotID OTP-Based Authentication for Browsers: This workflow includes authentication using ArcotID OTP for browsers. You can configure this as a primary authentication mechanism for any supported application. You can also configure this workflow to present QnA, OTP by email, or OTP by SMS for secondary authentication on SAML, SiteMinder, and SSL VPN integrations.
Typically, these authentication workflows are rendered as JavaServer Pages (JSPs) that collect user information required for authentication. All authentication workflows support user migration. For example, if a user is not enrolled for ArcotID PKI authentication, then the user is taken through the enrollment workflow to complete the authentication process.
The following JSP file can be used to directly enroll a user for AuthMinder authentication:
- masterEnrollment.jsp: The workflow defined in this JSP enrolls the user for the configured AuthMinder credentials. This is done after authenticating the user with LDAP, OTP, or both, depending on the configuration. If a profile has been configured in the AFM wizard, then to enroll the user for the credentials configured in the profile, a request parameter must be sent to the masterEnrollment.jsp file in the following format:
arcotafm/masterEnrollment.jsp?profile=profile-name
Note: This enrollment workflow is available at the following location: application_server_home/webapps/arcotafm/
The following JSP file can be used to update the user’s details:
- settings.jsp: The workflow defined in this JSP lets an already authenticated end user update their own credentials. When you integrate this JSP in your application, display a link to it only after the user has authenticated successfully. Use the following format for the URL that leads to this JSP:
/arcotafm/settings.jsp?profile=profile-name
Hiding the link is not, by itself, an access control: a user who knows the URL can request it directly. In the case of SiteMinder integration, this URL must therefore be protected with the same authentication mechanism that has been configured for the resource that the user is trying to access.
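As an added example that is not part of this guide or of the Adapter product, the following Python script builds the two JSP URLs in the format shown above (URL-encoding the profile name so that spaces or an ampersand cannot alter the query string) and then probes settings.jsp as an anonymous client to confirm that it is actually refused rather than merely unlinked. The host name, profile name, and login URL are hypothetical, and the script assumes that a protected resource answers an unauthenticated request with HTTP 401/403 or with a redirect to a login page; adjust the classification to what your integration really returns.

```python
"""Added example (not from the CA Adapter guide): build AFM JSP URLs and check
that settings.jsp refuses anonymous requests.

Assumptions (not stated on the page): the AFM host name, and that a protected
resource answers an unauthenticated request with 401/403 or with a redirect to
a login page. Adjust to what your integration actually returns."""
import urllib.error
import urllib.request
from urllib.parse import urlencode, urljoin

# Hypothetical deployment values used for illustration only.
AFM_BASE = "https://sso.example.com"
PROFILE = "Employee Profile"


def afm_url(base, jsp, profile):
    """Return the URL for an AFM JSP with the profile request parameter.

    The profile name is URL-encoded so that spaces or '&' in it cannot
    truncate or alter the query string."""
    return urljoin(base, "/arcotafm/" + jsp) + "?" + urlencode({"profile": profile})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url, timeout=10):
    """Fetch url with no cookies or credentials; return (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "afm-access-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode(), dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def is_protected(fetch, url):
    """Classify the anonymous response to url.

    fetch(url) -> (status, headers). Returns (protected, reason)."""
    status, headers = fetch(url)
    lower = {k.lower(): v for k, v in headers.items()}
    if status in (401, 403):
        return True, "anonymous request refused with HTTP %d" % status
    if status in (301, 302, 303, 307, 308) and "location" in lower:
        # A redirect to the login page is the usual SiteMinder/IdP behaviour;
        # confirm by hand that the target really is a login page.
        return True, "anonymous request redirected to %s" % lower["location"]
    if status == 200:
        return False, "settings page served to an anonymous client"
    return False, "unexpected HTTP %d; inspect manually" % status


def check_settings_page(base, profile, fetch=fetch_anonymous):
    """Probe the settings JSP. masterEnrollment.jsp is expected to be
    reachable by not-yet-enrolled users, so only settings.jsp is checked."""
    return is_protected(fetch, afm_url(base, "settings.jsp", profile))


if __name__ == "__main__":
    # Constructed response standing in for a live server, so this runs offline.
    fake = lambda url: (302, {"Location": AFM_BASE + "/login"})
    ok, why = check_settings_page(AFM_BASE, PROFILE, fetch=fake)
    print("protected" if ok else "NOT protected", "-", why)
```

Run it against a real deployment by replacing the constructed `fake` response with the default `fetch_anonymous`; a 200 from an unauthenticated client means the page is reachable without the integration's authentication in front of it, whatever the application's navigation shows.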
AFM also maintains the state data of the user workflow, conducts AuthMinder authentication, and reads or writes RiskMinder Device ID information required by RiskMinder. In addition to using the authentication workflows shipped with AFM, you can customize an authentication workflow as per your organization’s requirements.
Important! All users enrolled for authentication through any of the authentication workflows are assigned some Custom Attributes, which are accessible through the AuthMinder Administration Console. While fetching the user details in the Administration Console, you might see any of the following Custom Attributes:
For information about supported authentication mechanisms for the different integration types, see the table in Configuring Adapter by Using the Wizard.
Copyright © 2013 CA.
All rights reserved.