CA Arcot A-OK Integration

Implementation Guide › Product Integrations › CA Arcot A-OK Integration

CA Arcot A-OK Integration

You use the CA Arcot A–OK Adapter^™ (A–OK Adapter) to integrate CA SiteMinder® with the hosted CA Arcot A–OK service.

Note: The integration requires a minimum version of the A–OK Adapter. For more information about the supported version, see the CA SiteMinder® Platform Support Matrix.

The purpose of the following diagram is to:

Illustrate how the A–OK Adapter and its components integrate in a CA SiteMinder® environment.
Detail the major components and their general relationships. This is not a workflow diagram.

Note: For more information about installing and configuring the A–OK Adapter, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.

Graphic showing the CA SiteMinder and CA Arcot A-OK integration architecture

Authentication in a Hosted CA Arcot Integration

CA Arcot A–OK assumes authentication services in an integrated environment by guiding users through the authentication and risk evaluation processes. CA Arcot A–OK uses a series of SAML requests and responses to step through the authentication workflow.

Note: For more information about the authentication workflow, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.

The result of the risk evaluation is a risk score and corresponding advice, which is a recommend action, such as allow or deny the authentication.

CA Arcot A–OK forwards the advice to the Policy Server, which if necessary, continues with authorization services.

Note: For more information about managing user credentials and configuring the rules associated with the risk evaluation process, see the CA Arcot A–OK User Administration Guide.

Confidence Levels and CA SiteMinder® Authorization

The Policy Server maintains authorization services in an integrated environment and can apply the risk score to authorization decisions. The risk score is created during the authentication process.

The Policy Server applies the risk score as a CA SiteMinder® confidence level. A confidence level is based on a risk score, and as such, is also an integer that represents the likelihood that the transaction is safe.

You can apply a confidence level to both access management models:

If you are protecting resources with policies, you can apply a confidence level to the following objects:
- a policy realm
- an active policy expression
If you are protecting resources with EPM applications, you can apply a confidence level to the following objects:
- an application component
- an application role that is comprised of a named expression that references the SM_USER_CONFIDENCE_LEVEL CA SiteMinder® generated attribute.

Note: Applying a confidence level to a policy realm or an application component requires that you enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default. For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.

The following example workflow details the relationship between both values and explains how the Policy Server applies a confidence level to authorization decisions:

After the user is successfully authenticated, the A–OK Adapter converts the risk score to a confidence level using the following algebraic formula:
```
(100-risk score) * 10 = confidence level
```
The A–OK Adapter inserts the confidence level into the CA SiteMinder® session ticket.
Note: For more information about session tickets, see the Policy Server Configuration Guide.
As the user requests protected resources, the Policy Server compares the confidence level in the session ticket to the confidence level configured in the policy or application.
The following actions can occur:
- If the policy rule is configured to allow access and the confidence level of the user is equal to or greater than the confidence level configured in the policy realm or the active policy expression, the policy rule is triggered.
  Note: If the confidence level of the user is less than the confidence level configured in the policy, CA SiteMinder® denies access.
- If the policy rule is configured to reject access and the confidence level of the user is less than the value configured in the policy realm or the active policy expression, the policy rule is triggered.
- If the confidence level of the user is less than the confidence level configured in the application role, the user is excluded from the role membership and CA SiteMinder® denies access.
- If the confidence level of the user is equal to or greater than the confidence level configured in the application component, CA SiteMinder® grants access.

Risk Scores and Confidence Levels Compared

Although a risk score and a confidence level both help ensure that the transaction is safe, there are differences between both values. Consider the following differences when planning for authorization decisions:

CA Arcot Risk Score	CA SiteMinder® Confidence Level
A numeric scale (0–100) represents a risk score.	A numeric scale (0–1000) represents a confidence level.
The lower the risk score, the greater the chance that the transaction is safe.	The higher the confidence level, the greater the chance that the transaction is safe. Note: A value of zero (0) represents no confidence. No confidence results in CA SiteMinder® denying access to the requested resource.

CA Arcot Risk Score

CA SiteMinder® Confidence Level

A numeric scale (0–100) represents a risk score.

A numeric scale (0–1000) represents a confidence level.

The lower the risk score, the greater the chance that the transaction is safe.

The higher the confidence level, the greater the chance that the transaction is safe.

Note: A value of zero (0) represents no confidence. No confidence results in CA SiteMinder® denying access to the requested resource.

The following example workflow details the inverse relationship between a risk score and a confidence level:

A user requests a CA SiteMinder® protected resource and is forwarded to CA Arcot A–OK for authentication.
The A–OK Adapter guides the user through authentication and risk analysis. Based on the CA Arcot A–OK evaluation and scoring rules, the user is authenticated with a risk score of 30. The lower risk score is representative of a safe transaction.
Note: For more information about managing user credentials and configuring the rules that are associated with the risk evaluation process, see the CA Arcot A–OK User Administration Guide.
The A–OK Adapter:
1. Forwards the authentication decision to the Policy Server.
2. Converts the risk score to a confidence level using the following algebraic formula:
```
(100 - risk score) * 10 = confidence level
```
  In this example, the A–OK Adapter converts the risk score to a confidence level using the following algebraic formula:
```
(100 - 30) * 10 = 700
```
  The higher confidence level is representative of a safe transaction.
The A–OK Adapter inserts the confidence level into the session ticket of the user.
The user requests a resource protected by a policy or an application that requires a confidence level of at least 700.
The Policy Server grants access to the resource.

Enable Confidence Level Support

You can optionally apply a confidence level to authorization decisions. Consider the following items:

You can apply a confidence level to the following objects:
- A policy realm
- An active policy expression
- An application component
- An application role that includes a named expression, which references the SM_USER_CONFIDENCE_LEVEL CA SiteMinder® generated attribute.
Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.
You only need enable confidence level support to apply a confidence level to a realm or an application component. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default.

Follow these steps:

Log in to any Policy Server host system in the CA SiteMinder® environment.
Start the XPSConfig utility.
XPSConfig prompts for an option.
Enter SM and press Enter.
XPSConfig prompts for an option.
Enter 15 and press Enter.
The ConfidenceLevelSupportEnabled parameter appears.
Enter C and press Enter.
The pending value of the parameter appears as True.
Quit the XPSConfig utility.
Restart the Policy Server.
Confidence level support is enabled.

CA Arcot A-OK Integration Use Cases

The following use cases detail how you can integrate CA SiteMinder® with CA Arcot A–OK strong authentication and risk evaluation. The use cases begin with a simple integration and progress into more complex scenarios.

CA Arcot A–OK Authentication and Risk Analysis

The simplest deployment includes integrating the A–OK Adapter and all related components with CA SiteMinder®.

The A–OK Adapter guides users through the authentication and risk evaluation processes to apply a risk score during the authentication process.

Follow these steps:

Be sure that the CA Arcot A–OK service is available.
Install and deploy the A–OK Adapter and all related components. These components include a set of Forms Credential Collector files. These files let you use the A–OK Adapter HTML forms authentication scheme to gather user credentials.
Note: For more information about installing and configuring the A–OK Adapter and all related components, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.
Complete the following steps:
1. Configure a CA SiteMinder® Custom authentication scheme to call the A–OK Adapter library.
2. Determine which Web Agents are included in the CA Arcot A–OK integration. Configure the respective Agent Configuration Objects (ACO) to support the integration.
3. Add the A–OK Adapter JAR files, certificates, and properties files to the Java Virtual Machine (JVM) file (JVMOptions.txt) of the Policy Server.
Note: For more information about the required custom authentication scheme, ACO settings, and edits to the Policy Server JVM file, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide. For more information about configuring an authentication scheme and ACO parameters, see the Policy Server Configuration Guide.

The following diagram illustrates this deployment scenario:

Graphic showing a deployment of CA Arcot A-OK for authentication and risk analysis

CA SiteMinder® Authorization and Confidence Levels

You can extend the Policy Server authorization services by adding a confidence level to both access management models.

Adding a confidence level lets you apply the CA Arcot A–OK risk analysis results to authorization decisions.

Follow these steps:

Complete the steps in CA Arcot A–OK Authentication and Risk Analysis.
(Optional) If you plan on applying a confidence level to a policy realm or an application component, enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default.
Complete one of the following steps:
- If you are using policies to protect resources, add a confidence level to one or more policy realms or active policy expressions.
- If you are using applications to protect resources, add a confidence level to one or more application components or application roles.
  Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.

More information:

Policy Management Models

User Store Considerations

All CA SiteMinder® users to which the integration applies must be made available to the CA Arcot A–OK hosted service.

Contact CA Arcot Support for assistance.

Note: For contact information, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.