You use the CA Arcot Adapter™ (Adapter) to integrate CA SiteMinder® with an on–premise implementation of the CA Arcot WebFort strong authentication solution and the CA Arcot RiskFort adaptive authentication solution.
Consider the following before you begin:
Note: For more information about the supported versions, see the 12.52 CA SiteMinder® Platform Support Matrix.
The purpose of the following diagram is to:
Note: For more information about installing and configuring all CA Arcot components, see the CA Arcot documentation.
CA Arcot assumes authentication services in an integrated environment by guiding users through the authentication (CA Arcot WebFort) and risk evaluation (CA Arcot RiskFort) processes. During the authentication process:
Note: For more information about strong authentication, see the CA Arcot WebFort Installation and Deployment Guide. For more information about configuring the supported authentication methods, see the CA Arcot WebFort Administration Guide.
Note: For more information about risk evaluation and risk scores, see the CA Arcot RiskFort Installation and Deployment Guide. For more information about configuring risk scoring, see the CA Arcot RiskFort Administration Guide.
The result of the risk evaluation is a risk score and corresponding advice, which is a recommend action, such as allow or deny the authentication.
CA Arcot forwards the advice to the Policy Server, which if necessary, continues with its authorization services.
Note: For more information about the Adapter workflow and the role of each CA Arcot component during authentication, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.
The Policy Server maintains authorization services in an integrated environment and can apply the risk score to authorization decisions. The risk score is created during the authentication process.
The Policy Server applies the risk score as a CA SiteMinder® confidence level (confidence level). A confidence level is based on a risk score, and as such, is also an integer that represents the likelihood that the transaction is safe.
You can apply a confidence level to both access management models:
Note: Applying a confidence level to a policy realm or an application component requires that you enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default. For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.
The following example workflow details the relationship between both values and explains how the Policy Server applies a confidence level to authorization decisions:
(100-risk score) * 10 = confidence level
Note: For more information about session tickets, see the Policy Server Configuration Guide.
Note: If the confidence level of the user is less than the confidence level configured in the policy, CA SiteMinder® denies access.
Although a risk score and a confidence level both help ensure that the transaction is safe, there are differences between both values. Consider the following differences when planning for authorization decisions:
CA Arcot Risk Score |
CA SiteMinder® Confidence Level |
---|---|
A numeric scale (0–100) represents a risk score. |
A numeric scale (0–1000) represents a confidence level. |
The lower the risk score, the greater the chance that the transaction is safe. |
The higher the confidence level, the greater the chance that the transaction is safe. Note: A value of zero (0) represents no confidence. No confidence results in CA SiteMinder® denying access to the requested resource. |
The following example workflow details the inverse relationship between a risk score and a confidence level:
Note: For more information about risk evaluation and scoring rules, see the CA Arcot RiskFort Administration Guide.
(100 - risk score) * 10 = confidence level
In this example, the Adapter converts the risk score to a confidence level using the following algebraic formula:
(100 - 30) * 10 = 700
The higher confidence level is representative of a safe transaction.
You can optionally apply a confidence level to authorization decisions. Consider the following items:
Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.
Follow these steps:
XPSConfig prompts for an option.
XPSConfig prompts for an option.
The ConfidenceLevelSupportEnabled parameter appears.
The pending value of the parameter appears as True.
Confidence level support is enabled.
The following use cases detail how you can integrate CA SiteMinder® with CA Arcot strong authentication and risk evaluation. The use cases begin with a simple integration and progress into more complex scenarios.
The simplest deployment includes integrating the Adapter and all related components with CA SiteMinder®.
The Adapter guides users through the authentication (CA Arcot WebFort) and risk evaluation (CA Arcot RiskFort) processes to apply a risk score during authentication.
Follow these steps:
Note: For more information, see the respective CA Arcot installation and deployment guide.
Note: For more information about installing and configuring the Adapter and all related components, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.
Note: For more information about the required custom authentication scheme and ACO settings, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide. For more information about configuring an authentication scheme and ACO parameters, see the Policy Server Configuration Guide.
The following diagram illustrates this deployment scenario:
You can configure the Adapter for risk evaluation only by integrating a CA SiteMinder® authentication scheme. A CA SiteMinder® authentication scheme that is part of the integration is known as backing authentication.
If you use a CA SiteMinder® authentication scheme as backing authentication, the Shim acts as an interface between CA SiteMinder® and the CA SiteMinder® authentication scheme.
Note: For more information about backing authentication, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide. Not all CA SiteMinder® authentication schemes are supported for backing authentication. For more information, see the 12.52 CA SiteMinder® Platform Support Matrix.
Follow these steps:
Important! The integration requires that a CA SiteMinder® Custom authentication scheme is configured. The CA SiteMinder® Custom authentication scheme calls the required Adapter library. This library is required even if you are deploying backing authentication.
Note: For more information about user flows and the corresponding parameter values, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide. For more information about configuring a CA SiteMinder® Custom authentication scheme, see the Policy Server Configuration Guide.
Note: For more information about configuring a backing authentication scheme, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.
The following diagram illustrates this deployment scenario:
You can extend the Policy Server authorization services by adding a confidence level to both access management models.
Adding a confidence level lets you apply the CA Arcot risk analysis results to authorization decisions.
Follow these steps:
Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.
All CA SiteMinder® users to which the integration applies must be made available to the CA Arcot WebFort database.
Contact CA Arcot Support for assistance.
Note: For contact information, see the CA Arcot Adapter for CA CA SiteMinder® Installation and Configuration Guide.
Copyright © 2013 CA.
All rights reserved.
|
|