You use the CA Arcot A–OK Adapter™ (A–OK Adapter) to integrate CA SiteMinder® with the hosted CA Arcot A–OK service.
Note: The integration requires a minimum version of the A–OK Adapter. For more information about the supported version, see the 12.52 CA SiteMinder® Platform Support Matrix.
The purpose of the following diagram is to:
Note: For more information about installing and configuring the A–OK Adapter, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.
CA Arcot A–OK assumes authentication services in an integrated environment by guiding users through the authentication and risk evaluation processes. CA Arcot A–OK uses a series of SAML requests and responses to step through the authentication workflow.
Note: For more information about the authentication workflow, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.
The result of the risk evaluation is a risk score and corresponding advice, which is a recommend action, such as allow or deny the authentication.
CA Arcot A–OK forwards the advice to the Policy Server, which if necessary, continues with authorization services.
Note: For more information about managing user credentials and configuring the rules associated with the risk evaluation process, see the CA Arcot A–OK User Administration Guide.
The Policy Server maintains authorization services in an integrated environment and can apply the risk score to authorization decisions. The risk score is created during the authentication process.
The Policy Server applies the risk score as a CA SiteMinder® confidence level. A confidence level is based on a risk score, and as such, is also an integer that represents the likelihood that the transaction is safe.
You can apply a confidence level to both access management models:
Note: Applying a confidence level to a policy realm or an application component requires that you enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default. For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.
The following example workflow details the relationship between both values and explains how the Policy Server applies a confidence level to authorization decisions:
(100-risk score) * 10 = confidence level
Note: For more information about session tickets, see the Policy Server Configuration Guide.
Note: If the confidence level of the user is less than the confidence level configured in the policy, CA SiteMinder® denies access.
Although a risk score and a confidence level both help ensure that the transaction is safe, there are differences between both values. Consider the following differences when planning for authorization decisions:
CA Arcot Risk Score |
CA SiteMinder® Confidence Level |
---|---|
A numeric scale (0–100) represents a risk score. |
A numeric scale (0–1000) represents a confidence level. |
The lower the risk score, the greater the chance that the transaction is safe. |
The higher the confidence level, the greater the chance that the transaction is safe. Note: A value of zero (0) represents no confidence. No confidence results in CA SiteMinder® denying access to the requested resource. |
The following example workflow details the inverse relationship between a risk score and a confidence level:
Note: For more information about managing user credentials and configuring the rules that are associated with the risk evaluation process, see the CA Arcot A–OK User Administration Guide.
(100 - risk score) * 10 = confidence level
In this example, the A–OK Adapter converts the risk score to a confidence level using the following algebraic formula:
(100 - 30) * 10 = 700
The higher confidence level is representative of a safe transaction.
You can optionally apply a confidence level to authorization decisions. Consider the following items:
Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.
Follow these steps:
XPSConfig prompts for an option.
XPSConfig prompts for an option.
The ConfidenceLevelSupportEnabled parameter appears.
The pending value of the parameter appears as True.
Confidence level support is enabled.
The following use cases detail how you can integrate CA SiteMinder® with CA Arcot A–OK strong authentication and risk evaluation. The use cases begin with a simple integration and progress into more complex scenarios.
The simplest deployment includes integrating the A–OK Adapter and all related components with CA SiteMinder®.
The A–OK Adapter guides users through the authentication and risk evaluation processes to apply a risk score during the authentication process.
Follow these steps:
Note: For more information about installing and configuring the A–OK Adapter and all related components, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.
Note: For more information about the required custom authentication scheme, ACO settings, and edits to the Policy Server JVM file, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide. For more information about configuring an authentication scheme and ACO parameters, see the Policy Server Configuration Guide.
The following diagram illustrates this deployment scenario:
You can extend the Policy Server authorization services by adding a confidence level to both access management models.
Adding a confidence level lets you apply the CA Arcot A–OK risk analysis results to authorization decisions.
Follow these steps:
Note: For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.
All CA SiteMinder® users to which the integration applies must be made available to the CA Arcot A–OK hosted service.
Contact CA Arcot Support for assistance.
Note: For contact information, see the CA Arcot A–OK Adapter for CA CA SiteMinder® Installation and Configuration Guide.
Copyright © 2013 CA.
All rights reserved.
|
|