Authenticate Against CA Single Sign-On Assertion
The Authenticate Against CA Single Sign-On assertion is used to authenticate credentials against the CA Single Sign-On Policy Server.
Authenticate Against CA Single Sign-Onassertion is used to authenticate credentials against the CA Single Sign-On Policy Server.
For a description of the context variables that this assertion can set or use, see CA Single Sign-On Context Variables.
To learn about selecting the target message for this assertion, see Select a Target Message.
Authenticate Against CA Single Sign-Onassertion provides a policy-based approach for interacting with the CA Single Sign-On policy server that is more flexible compared to the existing custom assertion, Authenticate with SiteMinder R12 Protected Resource Assertion. The Authenticate Against CA Single Sign-On assertion also offers advanced features such as caching SSO tokens and multiple authorizations of the token.
Using the Assertion
- Do one of the following:
- To add the assertion to the Policy Development window, see Adding an Assertion.
- To change the configuration of an existing assertion, proceed to step 2 below.
- When adding the assertion, theAuthenticate Against CA Single Sign-On Propertiesautomatically appears; when modifying the assertion, right-clickAuthenticate Against CA Single Sign-On [in the policy window and choose<prefix>]Authenticate Against CA Single Sign-On Propertiesor double-click the assertion in the policy window. The properties dialog appears.
- Configure the properties as follows:SettingDescriptionCA Single Sign-On Variable PrefixEnter a prefix that is added to the context variables created and used by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy. This field is required.For a list of the variables set by this assertion, see CA Single Sign-On Context Variables.CredentialsChoose where to retrieve the credentials to authenticate:
Supported Credential TypesSpecify the credentials to be used for authentication.Note:If the Credentials option is "Use Last Credentials", then at least one credential type must be selected, otherwise the assertion fails during policy execution.
- Use Last Credentials:Choose this option to use the most recently-collected user credentials of the specified type (under "Supported Credential Types"). This is the default.
- Specify Credentials:Choose this to use the specific credentials entered under "Supported Credential Types".
SSO TokenThe SiteMinder Authentication Assertion receives an SSO token with a default SSOZoneName value 'SM' after the SiteMinder user is authenticated. Select any one of the following options:
- Username Password:Select this option to use basic authentication credentials to authenticate the user. Enter theUsernameif you have chosen to specify the credentials. You may reference context variables. This is the default.
- X509 Certificate:Select this option to authenticate a user via a client certificate. Enter the subject name underCertificate CN or DNif you have chosen to specify the credentials. You may reference context variables.The subject name of the X509 certificate can be a fully-specified DN (in which case it is matched exactly) or the CN attribute of a DN (in which case it is matched against just the CN value).The X509 Certificate is gathered by the Require SSL or TLS Transport With Client Authentication Assertion. The CN/DN value specified in the "Certificate CN or DN" field is used to match against the existing Trusted certificates on the CA Single Sign-On server.
- JSON Web Token (JWT):Select this option to pass a signed JWT.Note:If you generate a JWT token from other credential sources, ensure that the plain JWT with JWT CA SSO specific mandatory claims is created. You cannot combine JWT with any other authentication types.
- Create SSO Token:Select this option to create an SSO token.
- SSO Zone Name:Identifies the name of the local zone of an agent. The default name isSM.
- Use SSO Token from Context Variable:Select this option to specify a context variable containing the CA Single Sign-On SSO Token, then enter the name of the context variable that contains this token. If you do not want to use the SSO Token for authentication, do not select this option. Collected user credentials are used instead (for example, via the Require HTTP Basic Credential Assertion).
- None:Select this option if you do not want to create SSO token or use an existing SSO Zone.
- Click [OK] when done.
Understanding the Credential Combinations
The Authenticate Against CA Single Sign-On Properties offers multiple combinations of credentials settings for flexibility. Here is a brief explanation of the results of various combinations:
- If you select "Use Last Credentials" and then select both the "Username Password" and "X.509 Credentials" check boxes, the actual credentials used will depend on the authentication scheme present in the policy:
- If only HTTP is used, then the X.509 Credentials is ignored.
- If only client certificate authentication is used, then the Username and Password are ignored.
- Ifbothauthentication schemes are present in the policy, then the client certification authentication is chosen first, followed by HTTP Basic.
- If you select "Use Last Credentials" and then fail to select a credential type, then the service policy fails because no credentials are collected.
- If you select "Specify Credentials" and then select both credential type options, then you must enter the appropriate credentials for the same user, otherwise authentication fails during policy execution.
- If you select "Specify Credentials" and then fail to select a credential type option, an error is displayed when you try to close the properties.