Implementation Guide › Product Integrations › CA Arcot WebFort and RiskFort

CA Arcot WebFort and RiskFort

You use the CA Arcot Adapter^™ (Adapter) to integrate CA SiteMinder® with an on–premise implementation of the CA Arcot WebFort strong authentication solution and the CA Arcot RiskFort adaptive authentication solution.

Consider the following before you begin:

• The integration requires a minimum version of the Adapter and CA Arcot RiskFort.
• The integration requires a minimum version of CA Arcot WebFort.

Note: For more information about the supported versions, see the 12.52 CA SiteMinder® Platform Support Matrix.

The purpose of the following diagram is to:

• Illustrate how the Adapter and its components, CA Arcot RiskFort, and CA Arcot WebFort integrate in a CA SiteMinder® environment.
• Detail the major components and their general relationships. This is not a workflow diagram.

Note: For more information about installing and configuring all CA Arcot components, see the CA Arcot documentation.

Authentication in an On–Premise Arcot Integration

CA Arcot assumes authentication services in an integrated environment by guiding users through the authentication (CA Arcot WebFort) and risk evaluation (CA Arcot RiskFort) processes. During the authentication process:

• CA Arcot WebFort provides the strong authentication, which helps to ensure that the identities of the users requesting the CA SiteMinder®–protected resources are legitimate.

  Note: For more information about strong authentication, see the CA Arcot WebFort Installation and Deployment Guide. For more information about configuring the supported authentication methods, see the CA Arcot WebFort Administration Guide.

• CA Arcot RiskFort collects a range of data to complete a risk evaluation, which determines the level of risk associated with each transaction.

  Note: For more information about risk evaluation and risk scores, see the CA Arcot RiskFort Installation and Deployment Guide. For more information about configuring risk scoring, see the CA Arcot RiskFort Administration Guide.

The result of the risk evaluation is a risk score and corresponding advice, which is a recommend action, such as allow or deny the authentication.

CA Arcot forwards the advice to the Policy Server, which if necessary, continues with its authorization services.

Note: For more information about the Adapter workflow and the role of each CA Arcot component during authentication, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.

Confidence Levels and CA SiteMinder® Authorization

The Policy Server maintains authorization services in an integrated environment and can apply the risk score to authorization decisions. The risk score is created during the authentication process.

The Policy Server applies the risk score as a CA SiteMinder® confidence level (confidence level). A confidence level is based on a risk score, and as such, is also an integer that represents the likelihood that the transaction is safe.

You can apply a confidence level to both access management models:

• If you are protecting resources with policies, you can apply a confidence level to the following objects:
  • a policy realm
  • an active policy expression
• If you are protecting resources with EPM applications, you can apply a confidence level to the following objects:
  • an application component
  • an application role that is comprised of a named expression that references the SM_USER_CONFIDENCE_LEVEL CA SiteMinder® generated attribute.

Note: Applying a confidence level to a policy realm or an application component requires that you enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default. For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.

The following example workflow details the relationship between both values and explains how the Policy Server applies a confidence level to authorization decisions:

1. After the user is successfully authenticated, the Adapter converts the risk score to a confidence level using the following algebraic formula:

   (100-risk score) * 10 = confidence level
   

2. The Adapter inserts the confidence level into the CA SiteMinder® session ticket.

   Note: For more information about session tickets, see the Policy Server Configuration Guide.

3. As the user requests protected resources, the Policy Server compares the confidence level in the session ticket to the confidence level configured in the policy or application.
4. The following actions can occur:
   • If the policy rule is configured to allow access and the confidence level of the user is equal to or greater than the confidence level configured in the policy realm or the active policy expression, the policy rule is triggered.

     Note: If the confidence level of the user is less than the confidence level configured in the policy, CA SiteMinder® denies access.

   • If the policy rule is configured to reject access and the confidence level of the user is less than the value configured in the policy realm or the active policy expression, the policy rule is triggered.
   • If the confidence level of the user is less than the confidence level configured in the application role, the user is excluded from the role membership and CA SiteMinder® denies access.
   • If the confidence level of the user is equal to or greater than the confidence level configured in the application component, CA SiteMinder® grants access.

Risk Scores and Confidence Levels Compared

Although a risk score and a confidence level both help ensure that the transaction is safe, there are differences between both values. Consider the following differences when planning for authorization decisions:

The following example workflow details the inverse relationship between a risk score and a confidence level:

1. A user requests a CA SiteMinder® protected resource and is forwarded to CA Arcot for authentication.
2. The Adapter guides the user through authentication and risk analysis. Based on the CA Arcot evaluation and scoring rules, the user is authenticated with a risk score of 30. The lower risk score is representative of a safe transaction.

   Note: For more information about risk evaluation and scoring rules, see the CA Arcot RiskFort Administration Guide.

3. The Adapter:
   1. Forwards the authentication decision to the Policy Server
   2. Converts the risk score to a confidence level using the following algebraic formula:

      (100 - risk score) * 10 = confidence level
      

      In this example, the Adapter converts the risk score to a confidence level using the following algebraic formula:

      (100 - 30) * 10 = 700
      

      The higher confidence level is representative of a safe transaction.

4. The Adapter inserts the confidence level into the session ticket of the user.
5. The user requests a resource protected by a policy or an application that requires a confidence level of at least 700.
6. The Policy Server grants access to the resource.

Enable Confidence Level Support for Authorization Decisions

You can optionally apply a confidence level to authorization decisions. Consider the following items:

• You can apply a confidence level to the following objects:
  • A policy realm
  • An active policy expression
  • An application component
  • An application role that includes a named expression, which references the SM_USER_CONFIDENCE_LEVEL CA SiteMinder® generated attribute.

  Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.

• You only need enable confidence level support to apply a confidence level to a realm or an application component. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default.

Follow these steps:

1. Log in to any Policy Server host system in the CA SiteMinder® environment.
2. Start the XPSConfig utility.

   XPSConfig prompts for an option.

3. Enter SM and press Enter.

   XPSConfig prompts for an option.

4. Enter 11 and press Enter.

   The ConfidenceLevelSupportEnabled parameter appears.

5. Enter C and press Enter.

   The pending value of the parameter appears as True.

6. Quit the XPSConfig utility.
7. Restart the Policy Server.

   Confidence level support is enabled.

CA Arcot Integration Use Cases

The following use cases detail how you can integrate CA SiteMinder® with CA Arcot strong authentication and risk evaluation. The use cases begin with a simple integration and progress into more complex scenarios.

CA Arcot Authentication and Risk Analysis

The simplest deployment includes integrating the Adapter and all related components with CA SiteMinder®.

The Adapter guides users through the authentication (CA Arcot WebFort) and risk evaluation (CA Arcot RiskFort) processes to apply a risk score during authentication.

Follow these steps:

1. Be sure that CA Arcot RiskFort and CA Arcot WebFort are installed and configured.

   Note: For more information, see the respective CA Arcot installation and deployment guide.

2. Install and deploy the CA Arcot Adapter and all related components. These components include a set of Forms Credential Collector files. These files let you use the Adapter HTML forms authentication scheme to gather user credentials.

   Note: For more information about installing and configuring the Adapter and all related components, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.

3. Do the following steps:
   1. Configure a CA SiteMinder® Custom authentication scheme to call the Adapter library.
   2. Determine which Web Agents are included in the CA Arcot integration. Configure the respective Agent Configuration Objects (ACO) to support the integration.

   Note: For more information about the required custom authentication scheme and ACO settings, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide. For more information about configuring an authentication scheme and ACO parameters, see the Policy Server Configuration Guide.

The following diagram illustrates this deployment scenario:

More information:

Locate the Bookshelf

CA SiteMinder® Authentication and CA Arcot Risk Analysis

You can configure the Adapter for risk evaluation only by integrating a CA SiteMinder® authentication scheme. A CA SiteMinder® authentication scheme that is part of the integration is known as backing authentication.

If you use a CA SiteMinder® authentication scheme as backing authentication, the Shim acts as an interface between CA SiteMinder® and the CA SiteMinder® authentication scheme.

Note: For more information about backing authentication, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide. Not all CA SiteMinder® authentication schemes are supported for backing authentication. For more information, see the 12.52 CA SiteMinder® Platform Support Matrix.

Follow these steps:

1. Complete the steps listed in CA Arcot Authentication and Risk Analysis.

   Important! The integration requires that a CA SiteMinder® Custom authentication scheme is configured. The CA SiteMinder® Custom authentication scheme calls the required Adapter library. This library is required even if you are deploying backing authentication.

2. Be sure that you configure the CA SiteMinder® Custom authentication scheme with a valid CA Arcot parameter. This parameter must represent a user flow that supports the CA SiteMinder® authentication scheme that is functioning as backing authentication. You enter this value in in the Parameter field.

   Note: For more information about user flows and the corresponding parameter values, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide. For more information about configuring a CA SiteMinder® Custom authentication scheme, see the Policy Server Configuration Guide.

3. Configure the Shim to use the CA SiteMinder® authentication scheme as a backing authentication.

   Note: For more information about configuring a backing authentication scheme, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.

The following diagram illustrates this deployment scenario:

More information:

Locate the Bookshelf

CA SiteMinder® Authorization and Confidence Levels

You can extend the Policy Server authorization services by adding a confidence level to both access management models.

Adding a confidence level lets you apply the CA Arcot risk analysis results to authorization decisions.

Follow these steps:

1. Complete the steps in CA Arcot Authentication and Risk Analysis or CA SiteMinder® Authentication and CA Arcot Risk Analysis.
2. (Optional) If you plan on applying a confidence level to a policy realm or an application component, enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default.
3. Do one of the following steps:
   • If you are using policies to protect resources, add a confidence level to one or more policy realms or active policy expressions.
   • If you are using applications to protect resources, add a confidence level to one or more application components or application roles.

     Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.

More information:

Locate the Bookshelf

Policy Management Models

User Store Considerations

All CA SiteMinder® users to which the integration applies must be made available to the CA Arcot WebFort database.

Contact CA Arcot Support for assistance.

Note: For contact information, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.