Authenticate Against CA Single Sign-On Assertion
The Authenticate Against CA Single Sign-On assertion is used to authenticate credentials against the CA Single Sign-On Policy Server. For a description of the context variables that this assertion can set or use, see Context Variables for CA Single Sign-On.
To learn about selecting the target message for this assertion, see Selecting a Target Message.
The Authenticate Against CA Single Sign-On assertion provides a policy-based approach for interacting with the CA Single Sign-On Policy Server that is more flexible than the existing custom assertion, Authenticate with SiteMinder R12 Protected Resource Assertion. The Authenticate Against CA Single Sign-On assertion also offers advanced features such as caching SSO tokens and multiple authorizations of the same token.

Be sure to place the Check Protected Resource Against CA Single Sign-On Assertion before the Authenticate Against CA Single Sign-On assertion in a policy. This ensures that the context variables the authentication assertion depends on are set correctly before it runs.
Using the Assertion
- Do one of the following:
- To add the assertion to the Policy Development window, see Adding an Assertion.
- To change the configuration of an existing assertion, proceed to step 2 below.
- When adding the assertion, the Authenticate Against CA Single Sign-On Properties dialog automatically appears; when modifying the assertion, right-click <prefix> Authenticate Against CA Single Sign-On in the policy window and choose Authenticate Against CA Single Sign-On Properties, or double-click the assertion in the policy window. The properties dialog appears.
- Configure the properties as follows:

CA Single Sign-On Variable Prefix
Enter a prefix that will be added to the context variables created and used by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy. This field is required. For a list of the variables set by this assertion, see Context Variables for CA Single Sign-On.

Credentials
Choose where to retrieve the credentials to authenticate:
- Use Last Credentials: Choose this option to use the most recently collected user credentials of the type(s) selected under "Supported Credential Types". This is the default.
- Specify Credentials: Choose this option to use the specific credentials entered under "Supported Credential Types".
See "Understanding the Credential Combinations" below for additional information.

Supported Credential Types
Specify the credential types to be used for authentication. Note: If the Credentials option is "Use Last Credentials", at least one credential type must be selected; otherwise the assertion fails during policy execution.
- Username Password: Select this option to use HTTP Basic authentication credentials to authenticate the user. Enter the Username (and its password) if you have chosen to specify the credentials. You may reference context variables. This is the default.
- X509 Certificate: Select this option to authenticate a user via a client certificate. Enter the subject name under Certificate CN or DN if you have chosen to specify the credentials. You may reference context variables. The subject name of the X509 certificate can be a fully specified DN (in which case it is matched exactly) or the CN attribute of a DN (in which case it is matched against just the CN value). The X509 certificate is gathered by the Require SSL or TLS Transport With Client Authentication Assertion. The CN/DN value specified in the "Certificate CN or DN" field is matched against the existing trusted certificates on the CA Single Sign-On server.
See "Understanding the Credential Combinations" below for additional information.

Use SSO Token from Context Variable
- Select this check box to authenticate with a CA Single Sign-On SSO token held in a context variable, then enter the name of the context variable that contains the token.
- Clear this check box to not use an SSO token for authentication. Collected user credentials are used instead (for example, those gathered by the Require HTTP Basic Credentials assertion).
Understanding the Credential Combinations
The Authenticate Against CA Single Sign-On Properties dialog offers multiple combinations of credential settings for flexibility. Here is a brief explanation of the results of the various combinations:
- If you select "Use Last Credentials" and then select both the "Username Password" and "X509 Certificate" check boxes, the credentials actually used depend on the authentication scheme present in the policy:
- If only HTTP Basic is used, the X509 Certificate is ignored.
- If only client certificate authentication is used, the Username and Password are ignored.
- If both authentication schemes are present in the policy, client certificate authentication is chosen first, followed by HTTP Basic.
- If you select "Use Last Credentials" and do not select a credential type, the service policy fails because no credentials are collected.
- If you select "Specify Credentials" and select both credential type options, you must enter credentials for the same user under both; otherwise authentication fails during policy execution.
- If you select "Specify Credentials" and do not select a credential type option, an error is displayed when you try to close the properties dialog.
- Click [OK] when done.
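The credential-selection rules listed under "Understanding the Credential Combinations" can be checked against a small model before a policy is deployed. The following is an added Python example and not Gateway code: the Properties, Collected and resolve_credentials names are assumptions, the sample credentials are constructed, and the check that a specified username equals the CN of the specified certificate is a stand-in for the same-user check the Policy Server performs, not a description of how the Policy Server does it.

```python
"""Constructed model of how the Authenticate Against CA Single Sign-On assertion
chooses the credentials it sends to the Policy Server. Illustration only; the
names and the same-user check are assumptions, not Gateway behaviour."""
from dataclasses import dataclass
from typing import Optional

USERNAME_PASSWORD = "Username Password"
X509_CERTIFICATE = "X509 Certificate"


class AssertionFailed(Exception):
    """Raised where the page says the assertion fails during policy execution."""


@dataclass(frozen=True)
class Collected:
    """Credentials gathered earlier in the policy by credential-source assertions."""
    basic: Optional[tuple[str, str]] = None   # from Require HTTP Basic Credentials
    client_cert_dn: Optional[str] = None      # from Require SSL or TLS Transport With Client Authentication


@dataclass(frozen=True)
class Properties:
    """Subset of the assertion's properties dialog (constructed)."""
    use_last_credentials: bool = True
    types: frozenset = frozenset({USERNAME_PASSWORD})
    username: Optional[str] = None         # Specify Credentials only
    password: Optional[str] = None
    cert_cn_or_dn: Optional[str] = None    # Specify Credentials only
    sso_token_var: Optional[str] = None    # "Use SSO Token from Context Variable"

    def __post_init__(self) -> None:
        # The dialog refuses to close in Specify Credentials mode with no type selected.
        if not self.use_last_credentials and not self.types:
            raise ValueError("Specify Credentials requires at least one credential type")


def cn_of(subject: str) -> str:
    """Return the CN attribute of a DN, or the input itself if it is already a bare CN."""
    for part in subject.split(","):
        attr, _, value = part.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return subject.strip()


def resolve_credentials(props: Properties, collected: Collected, context: dict) -> tuple:
    """Return the (kind, value) the assertion would authenticate, or raise AssertionFailed."""
    # A configured SSO token replaces collected credentials entirely.
    if props.sso_token_var is not None:
        token = context.get(props.sso_token_var)
        if not token:
            raise AssertionFailed(f"context variable {props.sso_token_var} holds no SSO token")
        return ("sso_token", token)

    if props.use_last_credentials:
        if not props.types:
            raise AssertionFailed("Use Last Credentials with no credential type: nothing is collected")
        # When both schemes are present, the client certificate wins over HTTP Basic.
        if X509_CERTIFICATE in props.types and collected.client_cert_dn:
            return ("x509", collected.client_cert_dn)
        if USERNAME_PASSWORD in props.types and collected.basic:
            return ("basic", collected.basic)
        raise AssertionFailed("no collected credential matches the selected types")

    # Specify Credentials: use the values typed into the dialog.
    if props.types == {USERNAME_PASSWORD, X509_CERTIFICATE}:
        # Assumption: "same user" is modelled as username == certificate CN.
        if cn_of(props.cert_cn_or_dn or "") != props.username:
            raise AssertionFailed("specified username and certificate name different users")
        return ("x509+basic", (props.cert_cn_or_dn, (props.username, props.password)))
    if X509_CERTIFICATE in props.types:
        return ("x509", props.cert_cn_or_dn)
    return ("basic", (props.username, props.password))


if __name__ == "__main__":
    # Constructed sample: both schemes present, both types selected -> certificate is used.
    both = Properties(types=frozenset({USERNAME_PASSWORD, X509_CERTIFICATE}))
    gathered = Collected(basic=("alice", "s3cret"), client_cert_dn="CN=alice,OU=Dev,O=Example")
    print(resolve_credentials(both, gathered, {}))
```

Running the script with the constructed sample selects the certificate DN; dropping the client certificate from Collected falls back to the HTTP Basic pair, and an empty types set under Use Last Credentials raises AssertionFailed, matching the combinations table.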