CA Single Sign-On Integration
When sharing a User Store between Identity Manager and SiteMinder (CA SSO), the Password Services of each product maintains a User's password history data in the same User attribute and encrypts the data using
Enabling the Identity Manager integration with SiteMinder delegates all Password Services to SiteMinder, including reading and writing the password history of Users. Toggling the integration on or off can lead to lost password history due to the use of different encryption keys by each product.
When Identity Manager integrates with CA Single Sign-On (CA SSO, formerly known as CA SiteMinder), CA SSO adds the following functionality to an Identity Manager environment:
- Advanced Authentication
  By default, Identity Manager includes native authentication for its environments. An administrator enters a valid user name and password to log in to an Identity Manager environment. The user name and password are authenticated against the user store that Identity Manager manages.
  When Identity Manager integrates with CA SSO, CA SSO basic authentication is used to protect the environment. When you create an Identity Manager environment, a policy domain and an authentication scheme are created in CA SSO to protect that environment. With this integration, you can also use CA SSO authentication to protect the Management Console.
- Directory Mapping
  An administrator may manage users whose profiles exist in a different user store from the one that is used to authenticate the administrator. In that case, one directory is used to authenticate the administrator at login, and a different directory is used to authorize whether the administrator can manage users.
  When Identity Manager integrates with CA SSO, you can configure an Identity Manager environment to use different directories for authentication and authorization.
- Locale Preferences for a Localized Environment
  When Identity Manager integrates with CA SSO, you can define a locale preference for a user using an imlanguage HTTP header. In the CA SSO Policy Server, you set this header within a CA SSO response and specify a user attribute as the value of the header. The imlanguage header acts as the highest priority locale preference for a user.
  Note: For more information, see User Console Design.
How Resources are Protected
Advanced authentication requires you to use a CA SSO Policy Server in your implementation. The application server hosting the Identity Manager server is on a different operating environment from the Web Server. To provide forwarding services, the Web Server requires:
- A plug-in provided by the application server vendor.
- A CA SSO agent to protect the Identity Manager resources, such as the User Console, Self Registration, and the Forgotten Password feature.
The Web Agent controls the access of users who request Identity Manager resources. Once the users are authenticated and authorized, the Web Agent allows the Web Server to process the requests.
When the Web Server receives the request, the application server plug-in forwards it to the application server hosting the Identity Manager server.
The Web Agent protects Identity Manager resources that are exposed to users and administrators.