Advanced Authentication Service › Configuring Advanced Authentication › How to Configure Advanced Authentication

How to Configure Advanced Authentication

The tenant administrator decides on the credential types and the corresponding advanced authentication flows that must be used to protect access to the tenant’s resources. The tenant administrator sends this information as a configuration request to the hosting administrator. As the hosting administrator, you configure Advanced Authentication according to the requirements specified in the configuration request.

The following diagram outlines the steps that are involved in configuring Advanced Authentication:

To configure Advanced Authentication, complete the following steps:

1. Enable Advanced Authentication.
2. Configure credential types.
3. Configure advanced authentication flows.
4. Configure authentication methods.
5. Create an application.
6. Configure CA RiskMinder.
7. Configure and apply an authentication scheme.
8. Post the ArcotID OTP Client and ArcotID PKI Client.

Configure Credential Types

The credential types form the basis of the advanced authentication flows. To configure a credential type, you enable the credential type and then set values for the attributes of the credential type. The values that you set are specified in the configuration request that is sent by the tenant administrator.

Note: For information about managing credentials after they are assigned to end users, see the CA Arcot Administration Console documentation.

Follow these steps:

1. Log in to the User Console.
2. Select Advanced Authentication, Configure Credential Types.

   The Configure Credential Types: Credential Type screen opens.

3. Use the arrow icons to move the required credential types to the Enabled list.
4. Click Next.

   The Configure Credential Types: Configure Enabled Credentials screen opens.

5. For each credential type to be configured, click the pencil icon, enter values to configure the credential type, and then click Submit.

   You can configure any combination of the following credential types:

   • ArcotID OTP: Specify a value for the following fields of the ArcotID OTP credential:

     PIN length

     Specifies the minimum length of the PIN.

     Select end date

     Specifies the expiry date for the credential.

     In addition, specify values for the fields of the activation OTP profile:

     Type

     Indicates whether the activation OTP is numeric or alphanumeric.

     OTP length

     Specifies the length of the activation OTP.

     Validity period

     Specifies the period for which the activation OTP is valid.

     Usage times

     Specifies the number of times for which an activation OTP can be used.

   • ArcotID PKI: Specify values for the following fields of the ArcotID PKI credential:

     ArcotID key length (in Bits)

     Specifies the length (in bits) of the credential.

     Use mobile client

     Indicates that authentication using the ArcotID PKI mobile client is enabled.

     Note: If you select this option, when configuring Advanced Authentication flows, you must configure at least one secondary authentication mechanism each for the expiry and roaming scenarios that use the ArcotID PKI mobile client. For more information, see Configure Advanced Authentication Flows.

     Select end date

     Specifies the expiry date for the credential.

     ArcotID client preference

     Specifies the order of preference for ArcotID PKI clients. During enrollment, the Advanced Authentication server uses the first client in the order of preference to deliver and interact with the credential on the end user’s device. If the attempt to use the first client fails, then the server uses the second client, and so on. During authentication, the client that is available (in the order of preference) on the end user’s device is used to sign the challenge in the challenge-response transaction between the browser and Advanced Authentication server.

   • Risk Evaluation: The following fields for configuring the Risk Evaluation credential type are not self-explanatory:

     Risk cookie type

     Specifies whether the cookie that stores risk-related information on the end user's device must be a Flash-based cookie or an HTTP-based cookie.

     HTTP Cookie Max Age (days)

     Defines the number of days after which the HTTP cookie must automatically expire. This field is displayed only after you select HTTP cookie from the Risk cookie type list.

   • Security Code: The following fields for configuring the Security Code credential type are not self-explanatory:

     Note: Security Code is used during the secondary authentication process.

     Type

     Specifies whether the security code is only numeric or alphanumeric.

     Security Code length

     Specifies the length (in characters) of the credential.

     Validity Period

     Specifies the period for which the security code is valid.

     Lockout credential after

     Specifies the number of failed attempts after which the credential is locked.

     • If you want to configure the Security Code over Email option for this credential type, set values for the following fields:

       Enable

       Indicates that the Security Code over Email credential type must be enabled.

       From

       Defines the sender’s email address to be shown in the email that is sent to end users. If the email sent to the end user does not reach the end user for any reason, email notification is automatically sent to this email address.

       Subject

       Defines the subject line to be shown in the email that is sent to end users.

       Email template

       Defines the message to be shown in the email that is sent to end users. The security code is inserted in this message. The following is a sample message:

           User [[USERNAME]], your Security Code is [[SECURITYCODE]].
       

       In this example, [[USERNAME]] and [[SECURITYCODE]] are variables that are replaced at run time by actual values.

     • If you want to configure the Security Code over SMS credential type, set values for the following fields:

       Enable

       Indicates that the Security Code over SMS credential type must be enabled.

       SMS Template

       Defines the template of the SMS message that is sent to end users. The security code is included in this message. The following is a sample message:

           User [[USERNAME]], your Security Code is [[SECURITYCODE]].
       

       In this example, [[USERNAME]] and [[SECURITYCODE]] are variables that are replaced at run time by actual values.

       SMS Provider Post URL

       Defines the URL from where the SMS service can be accessed.

       Username

       Defines the user name of the SMS account that has been created for the tenant.

       Password

       Defines the password of the SMS account that has been created for the tenant.

       App ID

       Specifies the unique identifier of the SMS API that handles the SMS request sent from CA CloudMinder.

       From

       Defines the string or number that must be displayed in the From field of the SMS message that is sent to end users.

     • If you want to configure the Security Code over Voice credential type, set values for the following fields:

       Enable

       Indicates that the Security Code over Voice credential type must be enabled.

       Client ID

       Specifies the client ID that has been assigned to the tenant.

       Country ID

       Specifies the ISO country ID of the tenant’s organization.

6. Click Submit.

   The Confirmation: Task Completed message appears after you click Submit. In addition, the current date and time are displayed in the Last Configured Date column for each credential type that you configure.

7. Click Finish after you configure all the credential types that you have enabled.
8. Refresh the cache in CA AuthMinder by performing the following steps:
   1. Log in to CA Arcot Administration Console as a Global Administrator.
   2. Select Services and Server Configurations, Administration Console, Refresh Cache in the System Configuration.

      The Refresh Cache screen opens.

   3. Select any one or both of the following options:
      • Refresh System Configuration
      • Refresh Organization Configuration
   4. Click OK.

      A message stating that the request was submitted successfully appears.

9. View the status of the cache refresh request by performing the following steps:
   1. Select Services and Server Configurations, Administration Console, Check Cache Refresh Status.

      The Search Cache Refresh Request screen opens.

   2. Select the request ID of the refresh request, and then click Search.

      The status of the refresh request is displayed. The SUCCESS message in the Status column indicates that the configuration changes made in the credential types are now effective.

Configure Advanced Authentication Flows

The advanced authentication flows that you can enable and configure are based on the credential types that you have enabled. You configure the advanced authentication flows that are requested by the tenant administrator.

Follow these steps:

1. Log in to the User Console.
2. Select Advanced Authentication, Configure Advanced Authentication Flow.

   The Select Flow Types screen opens.

3. Use the arrow icons to move advanced authentication flow types to the Enabled list.
4. Click Next.

   The Enabled Flow Types screen opens.

5. Perform the following steps for each advanced authentication flow type that you have enabled:
   1. Click the pencil icon next to the advanced authentication flow type.

      The Flow Configuration screen displays a list of the different scenarios in which the end user is prompted for secondary authentication.

   2. Select the secondary authentication methods that must be enabled for each scenario.

      Note: An end user forgetting the password is an example of a use case in which the end user is prompted for secondary authentication. For information about all such use cases, see the Getting Started Guide for Advanced Authentication.

      Depending on the advanced authentication flow type that you are configuring, you can select any one or a combination of the following secondary authentication methods:

      • Security Question
      • Security Code over Email
      • Security Code over SMS
      • Security Code over Voice

      Note: Consider the following when selecting these mechanisms:

      • If you are configuring the ArcotID OTP with Risk flow or the ArcotID PKI with Risk flow, select at least two secondary authentication methods.
      • If you selected the Use mobile client option when configuring the ArcotID PKI credential type (as described in Configure Credential Types), then you must select at least one secondary authentication mechanism each for the Expiry from Mobile PKI Client and Roaming from Mobile PKI Client scenarios. If no authentication mechanism is selected, the end user cannot log in at run time.
   3. Select the Two Steps option to enforce two-step secondary authentication for a particular scenario.

      As secondary authentication is invoked when performing sensitive tasks, such as resetting passwords or authenticating roaming users, it is recommended that a combination of authentication mechanisms be chained together. Chaining of secondary authentication mechanisms provides a higher level of security.

      Note: Consider the following when selecting this option:

      • The Two Steps option is enabled only if you select 2 or more authentication mechanisms.
      • You can chain Security Question and any of the Security Code types, but you cannot chain two types of Security Code together.
      • Two-step authentication is not applicable for scenarios that use the ArcotID PKI mobile client, and therefore, this option is disabled. If multiple authentication mechanisms are selected for the mobile scenarios, all the mechanisms are invoked one by one. The end user is not presented a choice.
   4. Click Submit.

      The current date and time is displayed in the Last Configured Date column.

6. Click Finish after you configure the required advanced authentication flows.

   The configured advanced authentication flows are now available for use in authentication schemes that can be configured for the tenant’s resources.

Configure Authentication Methods

An authentication method represents how an application is protected. After you configure an authentication method, you assign it to the application you want to protect. Multiple applications can use the same authentication method. A single application can reference multiple authentication methods.

Configure an authentication method that satisfies the protection requirements for an application.

Note: The system creates authentication methods corresponding to each of the advanced authentication flows. If you are configuring Advanced Authentication for the tenant, do not create an authentication method. Modify the existing authentication method as described in this procedure.

Follow these steps:

1. Log in to the User Console.
2. Navigate to Applications, Authentication Methods, Create an Authentication method.
3. In the top section of the Create Authentication method screen, complete the following fields:

   Name

   Enter a string that identifies the authentication method you are configuring.

   Description

   Enter a description for the authentication method. The login page displays this description as a label.

   Enabled

   Select this check box to make the authentication method immediately available.

4. In the Configure Authentication Method section, select one of the following options and enter the authentication URL for that option.

   When the authentication method is associated with an application, the authentication service appends the redirect URL for the application.

   Note the following variables in the URLs:

   cloud_host is the CA CloudMinder system.

   local_entity_ID is the name of the local entity that is specified in the IdP-to-SP partnership, which is configured at the CSP console.

   remote_entity_ID, consumer_entity_ID or resource_partner_ID is the name of the remote entity that is specified in the configuration of the asserting-to-relying party partnership. The partnership is configured at the CSP console.

   Basic

   Represents a form-based authentication scheme that uses the basic credentials of a user name and a password. The basic authentication method corresponds to the HTML Forms authentication scheme in the CSP console.

   Enter the authentication URL of the following format:

   http://cloud_host:port/chs/redirectservlet/tenant_tag/forms

   tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

   External IDP—Google or Facebook

   Represents a third-party identity provider (IdP) that authenticates users. Social media sites, such as Google or Facebook can serve as external IdPs. Other federated partners that support the SAML and WS-Federation protocols can also serve as external IdPs.

   If Google or Facebook is acting as the third-party IdP, specify the OpenID or OAuth authentication method. Each site supports both protocols.

   Enter the relevant URL for the protocol, as shown:

   OpenID

   http://cloud_host:port/affwebservices/tenant_tag/duplicate_openid_file.jsp

   When configuring the OpenID authentication scheme at the CSP console, the default openid.jsp file is copied and given a unique name, such as openid-google.jsp. Having a unique jsp file is necessary to distinguish OpenID configurations.

   The default JSP file is located in the directory /opt/CA/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp.

   OAuth

   http://cloud_host:port/affwebservices/tenant_tag/duplicate_oauth_file.jsp

   When configuring the OAuth authentication scheme in the CSP console, the default oauth.jsp file is copied and given a unique name, such as oauth-google.jsp. Having a unique jsp file is necessary to distinguish OAuth configurations.

   The default JSP file is located in the directory /opt/CA/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp.

   tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

   External IDP—Other

   Select Other when a SAML or WS-Federation-compliant partner is the IdP. The federation profiles SAML 1.1, SAML 2.0, and WS-Federation 1.2 are all supported.

   Enter the relevant URL for the protocol, as shown.

   For SAML 1.1 transactions http://cloud_host.domain:port/affwebservices/public/intersitetransfer?CONSUMERID=consumer_entity_ID&TARGET=http://consumer_site/target_url

   For SAML 2.0 SP-initiated transactions

   http://cloud_host.domain:port/affwebservices/public/saml2authnrequest?ProviderID=local_entity_ID&RelayState=http://sp_site/target_url

   For SAML 2.0 IdP-initiated transactions

   http://cloud_host.domain:port/affwebservices/public/saml2authnrequest?SPID=remote_entity_ID&RelayState=http://sp_site/target_url

   For WS-Federation IP-initiated transaction

   http://cloud_host.domain:port/affwebservices/public/wsfeddispatcher?wa=wsignin1.0&wtrealm=resource_partner_ID&wctx=target_url

   Advanced Authentication

   Represents one of the authentication protocols that the CA CloudMinder Advanced Authentication Service provides.

   Select one of the following options and the URL is entered automatically:

   For ArcotID PKI Only

   For environments created in CA CloudMinder 1.51 or later:

   https://cloud_host:port/chs/redirectservlet/tenant_tag/arcotid

   For environments created before CA CloudMinder 1.51:

   https://cloud_host:port/affwebservices/<tenant-name>/arcotid.jsp

   For ArcotID PKI with Risk

   For environments created in CA CloudMinder 1.51 or later:

   https://cloud_host:port/chs/redirectservlet/tenant_tag/arcotidrisk

   For environments created before CA CloudMinder 1.51:

   https://cloud_host:port/affwebservices/<tenant-name>/arcotidrisk.jsp

   For ArcotID OTP Only

   For environments created in CA CloudMinder 1.51 or later:

   https://cloud_host:port/chs/redirectservlet/tenant_tag/arcototp

   For environments created before CA CloudMinder 1.51:

   https://cloud_host:port/affwebservices/<tenant-name>/arcototp.jsp

   For ArcotID OTP with Risk

   For environments created in CA CloudMinder 1.51 or later:

   https://cloud_host:port/chs/redirectservlet/tenant_tag/arcototprisk

   For environments created before CA CloudMinder 1.51:

   https://cloud_host:port/affwebservices/<tenant-name>/arcototprisk.jsp

   tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

5. Click Submit.

The authentication method is available to protect an application.

Create an Application

In the User Console, an application represents the resource that the tenant administrator wants to protect. An application defines the type and level of security that end users encounter when they try to access the resource. You can apply any one or a combination of the authentication methods that you define to protect access to the application.

When a tenant is created in CA CloudMinder, the following applications are automatically created for the tenant:

• An application for the JCS Management Console
• An application for the User Console

You configure both applications according to the tenant’s requirements. In addition, you can create applications to secure other resources of the tenant.

After an application is configured, the application icon is displayed on the home page of the User Console. Users can click the icon to access the application. As an administrator, you can also give end users access to the application by inserting a link to the application in any web page. For example, you can insert an icon on your corporate web portal that links to the application.

Note: This section describes the steps to modify an application. These are very similar to the steps to create an application. There are differences only in the first few steps of the procedure.

Follow these steps:

1. Log in to the User Console.
2. Select Applications, Applications, Modify Application.

   The Modify Application screen opens.

3. Use the search feature to display the list of applications for the tenant.

   The list of applications whose names meet the search criteria is displayed. If this is the first time you are performing this procedure, the search results display only the two preconfigured applications that are mentioned earlier in this section.

4. (Optional) Associate a group with the application.
5. Enter a launch URL for the application.

   A launch URL is the fully qualified domain name of the software resource you want to make available to users. Enter the fully qualified domain name of the software resource in the following format:

   https://resource-domain-name

   Example: https://forward-inc.com

   Note: Forward, Inc. is a fictitious company name that is used strictly for instructional purposes only and is not meant to reference an existing company.

   If you are creating an application for the User Console, enter a launch URL in the following format:

   https://SPS-hostname/iam/im/tenant-name/
   

   Example: https://forward-inc.com/iam/im/forward01/

6. Select a logo.

   This is the icon for the application that appears in the User Console home page. Users can click the icon to access the software resource.

   Note: You can also give users access to the application by inserting a link to the application on a web page.

7. Enter a welcome message.

   When users click any link you provide to the application, a login screen opens. The welcome message appears at the top of the login screen.

8. Select a self-registration task.

   With a self-registration task specified, end users who do not have an account can register themselves with the application. You can select one of the following self-registration tasks:

   Create New Account

   Presents a simple registration form. When this form is submitted, a user account is created.

   Create New Account with Workflow

   Presents a simple registration form. When this form is submitted, the request for creating a user account is forwarded to one or more approvers. The account is created on approval of the request.

   Create New Account with Domain Validation

   Presents a simple registration form. When this form is submitted, the user's email domain is compared with the tenant email domain. If the domains match, a confirmation email is sent to the user. The account is created upon user confirmation.

   Note: The tenant email domain is specified in the User Console, under Tenant Administration, Tenant Settings.

   Self-Registration with Attribute Exchange

   Do not select this self-registration task in the context of application access. This task is intended for a different purpose.

9. Click Add in the Authentication Methods area.

   The Select Authentication Methods screen displays a list of the authentication methods available in the tenant environment.

10. Select one or more authentication methods.
11. Click Select.

    The Create Application screen appears, updated with the list of authentication methods that you select.

12. (Optional) Select a default authentication method from the drop-down list.

    The application is created.

Configure CA RiskMinder

CA RiskMinder is one of the components of Advanced Authentication. When a tenant is created, an organization representing the tenant is automatically created in CA RiskMinder. The Risk Evaluation credential type is based on the predefined risk evaluation rules in CA RiskMinder. If the tenant administrator wants to use the Risk Evaluation credential, the tenant administrator sends the configuration settings for the risk evaluation rules as part of the configuration request. You can apply these configuration settings for the risk evaluation rules. See Configure risk evaluation rules for detailed information.

Note: For detailed information about the procedure to configure CA RiskMinder, see the CA Arcot RiskMinder Administration Guide.

Assign a Channel to the Organization

CA RiskMinder supports risk evaluation requests coming from multiple channels. By assigning channels to the organization that represents the tenant, you specify the type of risk evaluation requests that must be processed.

When a tenant is created, channels are automatically assigned to the tenant. In addition, a default channel is assigned to the tenant. Perform the procedure that is described in this section only if the tenant administrator requests any changes or additions to these default assignments.

Important! Configuring channels is expected to be a one-time configuration. You can add a channel to your existing deployment, but removing support for a channel and changing the default channel requires careful consideration. If you want to change these settings in a production environment, contact CA Support to understand the implications.

Follow these steps:

1. Log in to the CA RiskMinder Administration Console as the Global Administrator.
2. Select Organizations, Manage Organizations.
3. Use the search feature to search for and open the organization.
4. Click the RiskFort Configuration tab.
5. Click Assign Channels and Configure Default Account Types in the General RiskFort Configurations section.
6. Select the Select Channels to Associate check box for the channels that you want to associate with the organization.
7. Select one of the assigned channels as the default channel.
8. Click Save.

   Channels are assigned to the organization.

Configure Risk Evaluation Rules

Some of the predefined risk evaluation rules have default values. The tenant administrator can specify that these defaults values must be accepted. Alternatively, the tenant administrator can specify the values that they want to set. You set these values to configure the risk evaluation rules.

Follow these steps:

1. Log in to the CA Arcot Administration Console as the Global Administrator.
2. Create the ruleset as follows:
   1. Click Services and Server Configurations, RiskFort, Create Ruleset.

      The Create Ruleset screen opens.

   2. Enter a name for the ruleset in the Name field.
   3. (Optional) If you want to copy the rules configuration from an existing ruleset, select the Copy from an Existing Ruleset check box and then select the name of the ruleset whose configuration you want to copy.
   4. Click Create.

      The ruleset is created.

3. Configure the rules in the ruleset as follows:
   1. Select Services and Server Configurations, RiskFort, Rules and Scoring Management.

      The Rules and Scoring Configuration screen opens.

   2. Select the ruleset from the Select the Rulesets list.

      The Rules and Scoring Management screen opens.

   3. Perform the following steps in the Proposed column for each rule that you want to enable or modify:
      • Ensure that the Enable check box is selected.
      • Set the risk score and the priority.
      • Click the rule name in the Rule Name column.
      • (Optional) Specify values to configure the rule if you do not want to accept the default settings.

        Note: Some of the rules are not configurable.

   4. Set the default risk score for the ruleset in the table that is displayed below the list of rules, and then click Save.
4. Migrate the changes to production by performing the following steps:
   1. Select Services and Server Configurations, Migrate to Production, Migrate to Production.

      The Migrate to Production screen opens.

   2. Select the ruleset from the Select Rulesets list, and then click Migrate.

      The Migrate to Production screen opens.

   3. Click Confirm.

      The request to migrate the updated ruleset to production is sent to RiskMinder Server.

5. Refresh the server cache by performing the following steps:
   1. Select Services and Server Configurations, Administration Console, Refresh Cache.

      The Refresh Cache screen opens.

   2. Select Refresh System Configuration, and then click OK.

      A confirmation message appears.

   3. Click OK.

      A message displaying the request ID for the refresh request appears.

6. Verify that the cache refresh has been carried out by performing the following steps:
   1. Select Services and Server Configurations tab, Administration Console, Check Cache Refresh Status.

      The Search Cache Refresh Request screen opens.

   2. Enter the request ID, and then click Search.

      The View Cache Refresh Request screen opens. Use the information that is displayed on this screen to verify that the cache has been refreshed.

   The risk evaluation rules are configured.

Configure and Apply an Authentication Scheme

Authentication schemes corresponding to the advanced authentication flows are preconfigured in the CSP Console. These authentication schemes are as follows:

• For the ArcotID OTP Only flow: ARCOTOTP_MOBILE_ONLY_AUTH_SCHEME
• For the ArcotID OTP with Risk flow: RISK_AND_ARCOTOTPMOB_ AUTH_SCHEME
• For the ArcotID PKI Only flow: ARCOTID_ONLY_AUTH_SCHEME
• For the ArcotID PKI with Risk flow: RISK_AND_ARCOTID_ AUTH_SCHEME

You establish a one-to-one correspondence between an authentication method configured in the User Console and an authentication scheme in the CSP Console. The authentication method and authentication scheme work together to protect access to the specified application.

The authentication scheme protects the authentication URL that is specified for a given authentication method. To apply the authentication scheme, you assign the authentication scheme to a realm and then include the realm in a policy.

Important! You can also use these steps to apply an authentication scheme for protecting the User Console.

Follow these steps:

1. Configure a realm and a rule for the resource.
2. Add rules to the tenant policy.
3. Configure an authentication scheme for the User Console.

Configure a Realm and a Rule for the Resource

A realm groups resources that have similar security requirements and share a common authentication scheme. In the tenant domain, create a realm for each authentication scheme that the tenant administrator wants to use.

Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object.

Follow these steps:

1. Log in to the CSP console.
2. Select Policies, Domain, Realms.

   The Realms screen opens.

3. Click Create Realm.
4. Select the tenant domain that you want to modify, and then click Next.

   Note: The tenant domain name is in the tenant-tagDomain format.

5. Type a name and description for the realm.

   Specify a name that indicates that the realm is for an authentication URL.

6. Click Lookup Agent/Agent Group.
7. Select cam-agent from the list of agents, and then click OK.
8. Specify the resource filter for the authentication scheme. This scheme must tie in to the authentication method chosen in the User Console.

   ArcotID OTP

   For environments created in CA CloudMinder 1.51 or later:

   /chs/redirect/tenant_tag/arcototp

   For environments created before CA CloudMinder 1.51:

   /affwebservices/<tenant-name>/arcototp.jsp

   ArcotID OTP with Risk

   For environments created in CA CloudMinder 1.51 or later:

   /chs/redirect/tenant_tag/arcototprisk

   For environments created before CA CloudMinder 1.51:

   /affwebservices/<tenant-name>/arcototprisk.jsp

   ArcotID PKI

   For environments created in CA CloudMinder 1.51 or later:

   /chs/redirect/tenant_tag/arcotid

   For environments created before CA CloudMinder 1.51:

   /affwebservices/<tenant-name>/arcotid.jsp

   ArcotID PKI with Risk

   For environments created in CA CloudMinder 1.51 or later:

   /chs/redirect/tenant_tag/arcotidrisk

   For environments created before CA CloudMinder 1.51:

   /affwebservices/<tenant-name>/arcotidrisk.jsp

   tenant_tag is a unique identifier for a tenant. You specify the tag when deploying a tenant environment in the CSP console. To view a list of tags, select the Tenants tab.

9. Complete the remaining fields:

   Default Resource Protection

   Protected

   Authentication Scheme

   Select the authentication scheme that corresponds to the resource filter.

10. Create a rule as follows:
    1. Click Create in the Rules area.

       The Create Rule screen opens.

    2. Enter a name and description for the rule.
    3. Enter the asterisk (*) in the Resource field.
    4. Select Get and Post from the Action list.
    5. Accept the defaults for the remaining settings, and then click OK.

       The rule is created.

11. Specify the session properties.

    Note: Click Help for information about these properties.

12. Skip the other configuration options.
13. Click Finish.

    The realm is configured.

Add Rules to the Policy

Rules indicate which resources are part of a policy and whether to allow or deny access to the resources when the rule fires.

Note: Add at least one rule or rule group to a policy.

Follow these steps:

1. Select Policies, Domain, Domains.

   The Domains screen opens.

2. Click the pencil icon for the tenant domain.
3. Click the Policies tab.
4. Click the pencil icon for the tenant_tag_chsauthmethods_policy_es policy.
5. Click the Rules tab.
6. Perform the following steps for each rule that you want to add:
   1. Click Add Rule.

      The Available Rules pane opens.

   2. Select the rule that you created for the authentication URL resource, and then click OK.

      The rule is added to the tenant policy.

Configure an Authentication Scheme for the User Console

The tenant-tag_ims_realm realm represents the User Console. To secure access to the User Console, one of the steps that you perform is to apply the required authentication scheme to this realm. The remaining steps are performed in the User Console itself.

Note: Perform this procedure only for the User Console. You need not perform this procedure for any other application.

Follow these steps:

1. Log in to the CSP Console.
2. Select Policies, Domain, Realms.

   The Realms screen opens.

3. Use the search feature to search for and open the tenant-tag_ims_realm realm for modification.
4. Select the tenant-tag_idm_chs_auth authentication scheme from the Authentication Scheme list.
5. Do not change the value of any other field on this screen.
6. Click Submit.

   The authentication scheme is applied for securing access to the User Console.

Post the ArcotID OTP Client and ArcotID PKI Client

The native clients for ArcotID OTP and ArcotID PKI are available in the Support section of the CA Technologies website. If the tenant administrator wants to enable their end users to use these clients, inform the tenant administrator about the location from where they can download these clients. The tenant administrator can then post these clients on their website and make the clients available to their end users for download and installation.