

CA Arcot A-OK

You use the CA Arcot A–OK Adapter (A–OK Adapter) to integrate CA SiteMinder® with the hosted CA Arcot A–OK service.

Note: The integration requires a minimum version of the A–OK Adapter. For more information about the supported version, see the 12.52 CA SiteMinder® Platform Support Matrix.

The purpose of the following diagram is to:

Note: For more information about installing and configuring the A–OK Adapter, see the CA Arcot A–OK Adapter for CA SiteMinder® Installation and Configuration Guide.

Graphic showing the CA SiteMinder and CA Arcot A-OK integration architecture

Authentication in a Hosted CA Arcot Integration

CA Arcot A–OK assumes authentication services in an integrated environment by guiding users through the authentication and risk evaluation processes. CA Arcot A–OK uses a series of SAML requests and responses to step through the authentication workflow.

Note: For more information about the authentication workflow, see the CA Arcot A–OK Adapter for CA SiteMinder® Installation and Configuration Guide.

The result of the risk evaluation is a risk score and corresponding advice, which is a recommended action, such as allowing or denying the authentication.

CA Arcot A–OK forwards the advice to the Policy Server, which, if necessary, continues with authorization services.

Note: For more information about managing user credentials and configuring the rules associated with the risk evaluation process, see the CA Arcot A–OK User Administration Guide.

Confidence Levels and CA SiteMinder® Authorization

The Policy Server maintains authorization services in an integrated environment and can apply the risk score to authorization decisions. The risk score is created during the authentication process.

The Policy Server applies the risk score as a CA SiteMinder® confidence level. A confidence level is based on a risk score, and as such, is also an integer that represents the likelihood that the transaction is safe.

You can apply a confidence level to both access management models:

Note: Applying a confidence level to a policy realm or an application component requires that you enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default. For more information about applying a confidence level to policies and applications, see the Policy Server Configuration Guide.

The following example workflow details the relationship between the two values and explains how the Policy Server applies a confidence level to authorization decisions:

  1. After the user is successfully authenticated, the A–OK Adapter converts the risk score to a confidence level using the following algebraic formula:
    (100-risk score) * 10 = confidence level
    
  2. The A–OK Adapter inserts the confidence level into the CA SiteMinder® session ticket.

    Note: For more information about session tickets, see the Policy Server Configuration Guide.

  3. As the user requests protected resources, the Policy Server compares the confidence level in the session ticket to the confidence level configured in the policy or application.
  4. The following actions can occur:

More information:

Locate the Bookshelf

Risk Scores and Confidence Levels Compared

Although a risk score and a confidence level both help ensure that the transaction is safe, the two values differ. Consider the following differences when planning for authorization decisions:

| CA Arcot Risk Score | CA SiteMinder® Confidence Level |
| --- | --- |
| A numeric scale (0–100) represents a risk score. | A numeric scale (0–1000) represents a confidence level. |
| The lower the risk score, the greater the chance that the transaction is safe. | The higher the confidence level, the greater the chance that the transaction is safe. |

Note: A value of zero (0) represents no confidence. No confidence results in CA SiteMinder® denying access to the requested resource.

The following example workflow details the inverse relationship between a risk score and a confidence level:

  1. A user requests a CA SiteMinder® protected resource and is forwarded to CA Arcot A–OK for authentication.
  2. The A–OK Adapter guides the user through authentication and risk analysis. Based on the CA Arcot A–OK evaluation and scoring rules, the user is authenticated with a risk score of 30. The lower risk score is representative of a safe transaction.

    Note: For more information about managing user credentials and configuring the rules that are associated with the risk evaluation process, see the CA Arcot A–OK User Administration Guide.

  3. The A–OK Adapter:
    1. Forwards the authentication decision to the Policy Server.
    2. Converts the risk score to a confidence level using the following algebraic formula:
      (100 - risk score) * 10 = confidence level
      

      In this example, the A–OK Adapter converts the risk score of 30 as follows:

      (100 - 30) * 10 = 700
      

      The higher confidence level is representative of a safe transaction.

  4. The A–OK Adapter inserts the confidence level into the session ticket of the user.
  5. The user requests a resource protected by a policy or an application that requires a confidence level of at least 700.
  6. The Policy Server grants access to the resource.
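
The conversion and comparison from this workflow, as an added Python example (not part of the original documentation and not CA code). The function names and the sample scores other than 30 and 700 are assumptions; the example also inverts the formula to show the highest risk score that still satisfies a required confidence level, which helps when choosing policy thresholds.

```python
# Added illustration: models the documented rules only, not CA's implementation.

RISK_MIN, RISK_MAX = 0, 100          # CA Arcot risk score scale from the page
CONF_MIN, CONF_MAX = 0, 1000         # CA SiteMinder confidence level scale


def risk_to_confidence(risk_score: int) -> int:
    """Apply the page's formula: (100 - risk score) * 10 = confidence level."""
    if isinstance(risk_score, bool) or not isinstance(risk_score, int):
        raise TypeError("risk score must be an integer")
    if not RISK_MIN <= risk_score <= RISK_MAX:
        raise ValueError(f"risk score {risk_score} outside {RISK_MIN}-{RISK_MAX}")
    return (RISK_MAX - risk_score) * 10


def max_risk_for(required_confidence: int) -> int:
    """Highest risk score that still satisfies a required confidence level."""
    if not CONF_MIN <= required_confidence <= CONF_MAX:
        raise ValueError("confidence level outside 0-1000")
    # Invert the formula; round the requirement up to the next multiple
    # of 10 because the formula only produces multiples of 10.
    needed = -(-required_confidence // 10) * 10
    # Zero confidence is always denied, so at least 10 is needed.
    needed = max(needed, 10)
    return RISK_MAX - needed // 10


def is_authorized(session_confidence: int, required_confidence: int) -> bool:
    """Compare ticket confidence with the level required by policy/application."""
    if session_confidence == 0:      # zero means no confidence: always denied
        return False
    return session_confidence >= required_confidence


def decision_table(risk_scores, required_confidence):
    """Return (risk, confidence, granted) rows for constructed sample scores."""
    rows = []
    for risk in risk_scores:
        conf = risk_to_confidence(risk)
        rows.append((risk, conf, is_authorized(conf, required_confidence)))
    return rows


if __name__ == "__main__":
    # Constructed sample scores; 30 and the threshold 700 come from the page.
    for row in decision_table([0, 30, 31, 55, 100], 700):
        print("risk=%3d confidence=%4d granted=%s" % row)
    print("highest passing risk score for 700:", max_risk_for(700))
```

A required confidence level of 700 therefore admits only sessions authenticated with a risk score of 30 or lower.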

Enable Confidence Level Support

You can optionally apply a confidence level to authorization decisions. Consider the following items:

Follow these steps:

  1. Log in to any Policy Server host system in the CA SiteMinder® environment.
  2. Start the XPSConfig utility.

    XPSConfig prompts for an option.

  3. Enter SM and press Enter.

    XPSConfig prompts for an option.

  4. Enter 11 and press Enter.

    The ConfidenceLevelSupportEnabled parameter appears.

  5. Enter C and press Enter.

    The pending value of the parameter appears as True.

  6. Quit the XPSConfig utility.
  7. Restart the Policy Server.

    Confidence level support is enabled.

CA Arcot A-OK Integration Use Cases

The following use cases detail how you can integrate CA SiteMinder® with CA Arcot A–OK strong authentication and risk evaluation. The use cases begin with a simple integration and progress into more complex scenarios.

CA Arcot A–OK Authentication and Risk Analysis

The simplest deployment includes integrating the A–OK Adapter and all related components with CA SiteMinder®.

The A–OK Adapter guides users through the authentication and risk evaluation processes to apply a risk score during the authentication process.

Follow these steps:

  1. Be sure that the CA Arcot A–OK service is available.
  2. Install and deploy the A–OK Adapter and all related components. These components include a set of Forms Credential Collector files. These files let you use the A–OK Adapter HTML forms authentication scheme to gather user credentials.

    Note: For more information about installing and configuring the A–OK Adapter and all related components, see the CA Arcot A–OK Adapter for CA SiteMinder® Installation and Configuration Guide.

  3. Complete the following steps:
    1. Configure a CA SiteMinder® Custom authentication scheme to call the A–OK Adapter library.
    2. Determine which Web Agents are included in the CA Arcot A–OK integration. Configure the respective Agent Configuration Objects (ACO) to support the integration.
    3. Add the A–OK Adapter JAR files, certificates, and properties files to the Java Virtual Machine (JVM) file (JVMOptions.txt) of the Policy Server.

    Note: For more information about the required custom authentication scheme, ACO settings, and edits to the Policy Server JVM file, see the CA Arcot A–OK Adapter for CA SiteMinder® Installation and Configuration Guide. For more information about configuring an authentication scheme and ACO parameters, see the Policy Server Configuration Guide.

The following diagram illustrates this deployment scenario:

Graphic showing a deployment of CA Arcot A-OK for authentication and risk analysis

More information:

Locate the Bookshelf

CA SiteMinder® Authorization and Confidence Levels

You can extend the Policy Server authorization services by adding a confidence level to both access management models.

Adding a confidence level lets you apply the CA Arcot A–OK risk analysis results to authorization decisions.

Follow these steps:

  1. Complete the steps in CA Arcot A–OK Authentication and Risk Analysis.
  2. (Optional) If you plan on applying a confidence level to a policy realm or an application component, enable confidence level support. Using an active policy expression or an application role to apply a confidence level remains supported from previous releases and is enabled by default.
  3. Complete one of the following steps:

More information:

Locate the Bookshelf

Policy Management Models

User Store Considerations

All CA SiteMinder® users to which the integration applies must be made available to the CA Arcot A–OK hosted service.

Contact CA Arcot Support for assistance.

Note: For contact information, see the CA Arcot A–OK Adapter for CA SiteMinder® Installation and Configuration Guide.