APS includes an Authentication Scheme. It actually serves two different functions:
For the first option, the SMAPS library needs to be configured as an Authentication Scheme Wedge. For the second, it is a normal authentication scheme.
This section contains the following topics:
An Authentication Scheme Wedge is a piece of code that sits between SiteMinder and a "real" authentication scheme.
To configure the APS Authentication Scheme as a Wedge, configure (and test) your regular authentication scheme first. Once it has been established that your existing authentication scheme is working, edit the properties of the authentication scheme using the SiteMinder Policy Interface.
Copy the library name for the existing authentication scheme into the Parameters field and follow it with a semicolon (separating the library name from the original Authentication Schemes parameters).
Put "smaps" (without quotes, lower case) into the library name field.
The wedge is now installed.
The wedge will intercept all calls to your original authentication scheme and pass them on, returning all codes returned from it back to SiteMinder.
If the Force Case setting is used in the Configuration File, it will cause APS to change the case of the old and new passwords during the password change process to the desired case before performing any processing. This will guarantee that all passwords changed using APS will be stored in the desired case.
However, this does not guarantee that the password entered during the authentication process will be correctly entered. This task was frequently handled in the past by JavaScript code on the login form. JavaScript is not dependable, not universal, not standard, and can be overridden by the user.
The APS Authentication Scheme Wedge can fulfill this function.
For most (but not all) authentication schemes, the APS authentication scheme can determine the proper case setting for the current user, so that overrides for the Force Case setting can be used at a site and work properly. If it does not work with your authentication scheme, contact CA Professional Services.
When used to support OneShotPasswords, the APS authentication scheme should be set up as a normal, custom authentication scheme. The library name is smaps (lower case). It uses no shared secret or parameters.
When used in this way, the Authentication scheme expects the supplied password to be the OneShotPassword set up by the FPS process. It must be used within 5 minutes of when it was assigned (this is not configurable). If it is wrong, if 5 minutes have elapsed, or if it has already been used, the authentication will be rejected.
You will have to set up a special realm so that this authentication scheme will be used. Since there is no form, normal authentication using this method is impossible.
Copyright © 2014 CA.
All rights reserved.
|
|