Authenticate Against CA Single Sign-On Assertion

The Authenticate Against CA Single Sign-On assertion is used to authenticate credentials against the CA Single Sign-On Policy Server.
For a description of the context variables that this assertion can set or use, see CA Single Sign-On Context Variables.
To learn about selecting the target message for this assertion, see Select a Target Message.
The Authenticate Against CA Single Sign-On assertion provides a policy-based approach for interacting with the CA Single Sign-On policy server that is more flexible than the existing custom assertion, Authenticate with SiteMinder R12 Protected Resource Assertion. The Authenticate Against CA Single Sign-On assertion also offers advanced features such as caching SSO tokens and multiple authorizations of the token.
Be sure that the context variables are set correctly for the authentication assertion.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the Authenticate Against CA Single Sign-On Properties dialog automatically appears; when modifying the assertion, right-click Authenticate Against CA Single Sign-On [<prefix>] in the policy window and choose Authenticate Against CA Single Sign-On Properties, or double-click the assertion in the policy window. The properties dialog appears.
  3. Configure the properties as follows:
    Setting: CA Single Sign-On Variable Prefix
    Description: Enter a prefix that is added to the context variables created and used by this assertion. This prefix ensures uniqueness and prevents the variables from overwriting each other when multiple instances of this assertion appear in a policy. This field is required.
    For a list of the variables set by this assertion, see CA Single Sign-On Context Variables.
    Setting: Credentials
    Description: Choose where to retrieve the credentials to authenticate:
    • Use Last Credentials:
      Choose this option to use the most recently collected user credentials of the specified type (under "Supported Credential Types"). This is the default.
    • Specify Credentials:
      Choose this option to use the specific credentials entered under "Supported Credential Types".
    See "Understanding the Credential Combinations" at the end of this topic for additional information.
    Setting: Supported Credential Types
    Description: Specify the credentials to be used for authentication.
    Note: If the Credentials option is "Use Last Credentials", then at least one credential type must be selected; otherwise the assertion fails during policy execution.
    • Username Password:
      Select this option to use basic authentication credentials to authenticate the user. Enter the Username if you have chosen to specify the credentials. You may reference context variables. This is the default.
    • X509 Certificate:
      Select this option to authenticate a user via a client certificate. Enter the subject name under Certificate CN or DN if you have chosen to specify the credentials. You may reference context variables.
      The subject name of the X509 certificate can be a fully specified DN (in which case it is matched exactly) or the CN attribute of a DN (in which case it is matched against just the CN value).
      The X509 certificate is gathered by the Require SSL or TLS Transport With Client Authentication assertion. The CN/DN value specified in the "Certificate CN or DN" field is matched against the existing trusted certificates on the CA Single Sign-On server.
    See "Understanding the Credential Combinations" at the end of this topic for additional information.
    Setting: SSO Token
    Description: The SiteMinder Authentication Assertion receives an SSO token with a default SSOZoneName value 'SM' after the SiteMinder user is authenticated. Select one of the following options:
    • Create SSO Token:
      Select this option to create an SSO token. (Available as of v9.2 CR3)
      • SSO Zone Name:
        Identifies the name of the local zone of an agent. The default name is SM. (Available as of v9.2 CR3)
    • Use SSO Token from Context Variable:
      Select this option to specify a context variable containing the CA Single Sign-On SSO token, then enter the name of the context variable that contains this token. If you do not want to use the SSO token for authentication, do not select this option; the collected user credentials are used instead (for example, via the Require HTTP Basic Credential Assertion).
    • None:
      Select this option if you do not want to create an SSO token or use an existing SSO zone. (Available as of v9.2 CR3)
  4. Click [OK] when done.
Understanding the Credential Combinations
The Authenticate Against CA Single Sign-On Properties offers multiple combinations of credentials settings for flexibility. Here is a brief explanation of the results of various combinations:
  • If you select "Use Last Credentials" and then select both the "Username Password" and "X.509 Credentials" check boxes, the actual credentials used depend on the authentication scheme present in the policy:
    • If only HTTP Basic is used, then the X.509 credentials are ignored.
    • If only client certificate authentication is used, then the username and password are ignored.
    • If both authentication schemes are present in the policy, then client certificate authentication is chosen first, followed by HTTP Basic.
  • If you select "Use Last Credentials" and then fail to select a credential type, then the service policy fails because no credentials are collected.
  • If you select "Specify Credentials" and then select both credential type options, then you must enter the appropriate credentials for the same user, otherwise authentication fails during policy execution.
  • If you select "Specify Credentials" and then fail to select a credential type option, an error is displayed when you try to close the properties.
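As an added illustration (not the gateway's own code), the following Python model encodes the credential-combination rules above together with the CN-versus-DN matching described under "X509 Certificate"; the Config and Collected classes, the cert_owners map and all sample values are assumptions constructed for this example.

```python
# Illustrative model of the credential-combination rules in this topic.
# Not the gateway's own code: classes, the cert_owners map and sample values are assumptions.
from dataclasses import dataclass
from typing import Optional

class PolicyConfigError(Exception): pass      # design time: dialog refuses to close
class AuthenticationFailed(Exception): pass   # policy execution time

@dataclass
class Collected:
    username: Optional[str] = None   # e.g. from Require HTTP Basic Credentials
    cert_dn: Optional[str] = None    # e.g. from Require SSL/TLS With Client Auth

@dataclass
class Config:
    use_last: bool = True            # True: Use Last Credentials; False: Specify
    basic: bool = True               # "Username Password" check box
    x509: bool = False               # "X509 Certificate" check box
    spec_username: Optional[str] = None
    spec_subject: Optional[str] = None  # "Certificate CN or DN" field

def subject_matches(spec: str, dn: str) -> bool:
    """A full DN must match exactly; a bare CN matches only the CN attribute."""
    norm = lambda s: ",".join(p.strip() for p in s.split(",")).lower()
    if "=" in spec:
        return norm(spec) == norm(dn)
    attrs = {k.strip().upper(): v.strip() for k, v in
             (p.split("=", 1) for p in dn.split(",") if "=" in p)}
    return attrs.get("CN", "").lower() == spec.strip().lower()

def select_credential(cfg: Config, got: Collected, cert_owners: dict):
    """Return ("x509", subject) or ("basic", username), or raise per the rules."""
    if not (cfg.basic or cfg.x509):
        if cfg.use_last:
            raise AuthenticationFailed("no credential type selected, nothing collected")
        raise PolicyConfigError("Specify Credentials needs at least one credential type")
    if cfg.use_last:
        # Client certificate wins when both schemes are present in the policy.
        if cfg.x509 and got.cert_dn:
            return ("x509", got.cert_dn)
        if cfg.basic and got.username:
            return ("basic", got.username)
        raise AuthenticationFailed("no collected credentials of a selected type")
    if cfg.basic and cfg.x509:
        # Both entered: username and certificate must identify the same user.
        owner = next((u for dn, u in cert_owners.items()
                      if subject_matches(cfg.spec_subject or "", dn)), None)
        if owner is None or owner != cfg.spec_username:
            raise AuthenticationFailed("specified credentials are not for the same user")
    return ("x509", cfg.spec_subject) if cfg.x509 else ("basic", cfg.spec_username)
```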