

Configure and Apply an Authentication Scheme

The authentication schemes that correspond to the advanced authentication flows are preconfigured in the CSP console. These authentication schemes are:

You establish a one-to-one correspondence between an authentication method that is configured in the User Console and an authentication scheme in the CSP console. The authentication method and authentication scheme work together to protect access to the specified application.

The authentication scheme protects the authentication URL that is specified for a given authentication method. To apply the authentication scheme, assign the authentication scheme to a realm and then include the realm in a policy.

Follow these steps:

  1. Configure a realm and a rule for the resource.
  2. Add rules to the tenant policy.

Configure a Realm and a Rule for the Resource

A realm groups resources that have similar security requirements and share a common authentication scheme. In the tenant domain, create a realm for each authentication scheme that the tenant administrator wants to use.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object.

Follow these steps:

  1. Log in to the CSP console.
  2. Select Policies, Domain, Realms.

    The Realms screen opens.

  3. Click Create Realm.
  4. Select the tenant domain that you want to modify, and then click Next.

    Note: The tenant domain name is in the tenant-tagDomain format.

  5. Type a name and description for the realm.

    Specify a name that indicates that the realm is for an authentication URL.

  6. Click Lookup Agent/Agent Group.
  7. Select cam-agent from the list of agents, and then click OK.
  8. Specify the resource filter for the authentication scheme. This scheme must tie in to the authentication method chosen in the User Console.
    ArcotID OTP

      Environments created in CA CloudMinder 1.51 or later: /chs/redirect/tenant_tag/arcototp

      Environments created before CA CloudMinder 1.51: /affwebservices/<tenant-name>/arcototp.jsp

    ArcotID OTP with Risk

      Environments created in CA CloudMinder 1.51 or later: /chs/redirect/tenant_tag/arcototprisk

      Environments created before CA CloudMinder 1.51: /affwebservices/<tenant-name>/arcototprisk.jsp

    ArcotID PKI

      Environments created in CA CloudMinder 1.51 or later: /chs/redirect/tenant_tag/arcotid

      Environments created before CA CloudMinder 1.51: /affwebservices/<tenant-name>/arcotid.jsp

    ArcotID PKI with Risk

      Environments created in CA CloudMinder 1.51 or later: /chs/redirect/tenant_tag/arcotidrisk

      Environments created before CA CloudMinder 1.51: /affwebservices/<tenant-name>/arcotidrisk.jsp

    tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

  9. Complete the remaining fields:

    Default Resource Protection: Protected

    Authentication Scheme: Select the authentication scheme that corresponds to the resource filter.

  10. Create a rule as follows:
    1. Click Create in the Rules area.

      The Create Rule screen opens.

    2. Enter a name and description for the rule.
    3. Enter the asterisk (*) in the Resource field.
    4. Select Get and Post from the Action list.
    5. Accept the defaults for the remaining settings, and then click OK.

      The rule is created.

  11. Specify the session properties.

    Note: Click Help for information about these properties.

  12. Skip the other configuration options.
  13. Click Finish.

    The realm is configured.

Add Rules to the Policy

Rules indicate which resources are part of a policy and whether to allow or deny access to the resources when the rule fires.

Note: Add at least one rule or rule group to a policy.

Follow these steps:

  1. Select Policies, Domain, Domains.

    The Domains screen opens.

  2. Click the pencil icon for the tenant domain.
  3. Click the Policies tab.
  4. Click the pencil icon for the tenant_tag_chsauthmethods_policy_es policy.
  5. Click the Rules tab.
  6. Perform the following steps for each rule that you want to add:
    1. Click Add Rule.

      The Available Rules pane opens.

    2. Select the rule that you created for the authentication URL resource, and then click OK.

      The rule is added to the tenant policy.
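As an added illustration (this is not CA CloudMinder or CSP console code), the following Python models how the pieces from the two procedures above fit together: one realm per authentication method with the resource filter from step 8, a rule with resource * and actions Get and Post from step 10, and the tenant policy those rules are added to. It assumes that a realm's resource filter is matched as a path prefix of the requested URL and that, where more than one realm matches, the realm with the longest filter applies; the tenant tag acme, the realm and scheme names, and the treatment of <tenant-name> as the same identifier as tenant_tag are constructed assumptions, not values from the page.

```python
"""Toy model of realm + rule + policy evaluation for the authentication URLs.

Added example, not product code. Assumptions (not stated on the page):
  * a realm resource filter matches as a path prefix of the request URL;
  * when several realms match, the one with the longest filter wins;
  * <tenant-name> in the pre-1.51 paths is the same identifier as tenant_tag.
"""
from dataclasses import dataclass, field

# Authentication methods named in step 8 and the last path segment of each filter.
AUTH_METHOD_SUFFIX = {
    "ArcotID OTP": "arcototp",
    "ArcotID OTP with Risk": "arcototprisk",
    "ArcotID PKI": "arcotid",
    "ArcotID PKI with Risk": "arcotidrisk",
}


def resource_filter(method: str, tenant_tag: str, legacy: bool = False) -> str:
    """Realm resource filter for a method (step 8).

    legacy=False: environment created in CA CloudMinder 1.51 or later.
    legacy=True:  environment created before 1.51 (JSP under /affwebservices).
    """
    suffix = AUTH_METHOD_SUFFIX[method]
    if legacy:
        return f"/affwebservices/{tenant_tag}/{suffix}.jsp"
    return f"/chs/redirect/{tenant_tag}/{suffix}"


@dataclass
class Rule:
    name: str
    resource: str               # "*" as entered in step 10
    actions: frozenset          # Get and Post as selected in step 10


@dataclass
class Realm:
    name: str
    resource_filter: str
    auth_scheme: str            # scheme chosen in step 9
    protected: bool = True      # Default Resource Protection: Protected
    rules: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    rules: list                 # (realm, rule) pairs from the policy's Rules tab


def rule_matches(realm: Realm, rule: Rule, url: str, action: str) -> bool:
    """True when the URL falls under the realm and the rule covers the action."""
    if not url.startswith(realm.resource_filter):
        return False
    if action.upper() not in rule.actions:
        return False
    if rule.resource == "*":            # everything under the realm filter
        return True
    return url[len(realm.resource_filter):] == rule.resource


def evaluate(policy: Policy, url: str, action: str):
    """Return the scheme that guards the request, or None if no rule applies."""
    hits = [(r, rl) for r, rl in policy.rules if rule_matches(r, rl, url, action)]
    if not hits:
        return None
    # Assumption: the most specific (longest) realm filter takes precedence.
    realm, _ = max(hits, key=lambda pair: len(pair[0].resource_filter))
    return realm.auth_scheme if realm.protected else None


def build_tenant_policy(tenant_tag: str, legacy: bool = False) -> Policy:
    """One realm and one Get/Post rule per method, added to the tenant policy."""
    pairs = []
    for method in AUTH_METHOD_SUFFIX:
        realm = Realm(name=f"{method} auth URL realm",        # constructed name
                      resource_filter=resource_filter(method, tenant_tag, legacy),
                      auth_scheme=f"{method} scheme")         # constructed name
        rule = Rule(name=f"{method} rule", resource="*",
                    actions=frozenset({"GET", "POST"}))
        realm.rules.append(rule)
        pairs.append((realm, rule))
    return Policy(name=f"{tenant_tag}_chsauthmethods_policy_es", rules=pairs)


if __name__ == "__main__":
    policy = build_tenant_policy("acme")                      # "acme" is constructed
    for url, action in [("/chs/redirect/acme/arcototp", "GET"),
                        ("/chs/redirect/acme/arcototprisk", "POST"),
                        ("/chs/redirect/acme/arcototp", "DELETE")]:
        print(f"{action:6} {url:40} -> {evaluate(policy, url, action)}")
```

The model makes one check worth doing after configuration visible: the filter for ArcotID OTP (/chs/redirect/tenant_tag/arcototp) is a prefix of the one for ArcotID OTP with Risk, and likewise arcotid of arcotidrisk, so under prefix matching both realms match the risk URLs and the outcome depends on which realm the policy server treats as more specific. After creating the four realms, confirm in the CSP console that a request to each authentication URL is guarded by the scheme intended for it, not by the shorter-filtered sibling realm.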