Configure Advanced Authentication Settings
CA Identity Portal provides an integration with CA Advanced Authentication. The integration offers several capabilities:
- Users can request access to 2nd factor authenticators for themselves or for other users.
- Once a user has been granted a 2nd factor authenticator, he can issue (register) the authenticator from CA Identity Portal. For example, if a user has been granted the QnA authenticator, he can register his Questions and Answers through CA Identity Portal.
- The CA Identity Portal administrator can define that several operations within CA Identity Portal require 2nd factor authentication. These operations include:
  - Access Request Permissions.
  - Module Actions.
  - Login.
  - Activation/Registration of an authenticator – This capability is intended to protect the registration process by requiring a strong authenticator.
When a user selects one of the elements that require 2nd factor, he is challenged to authenticate using one of his active 2nd factor authenticators.
All second factor authenticators are equal in precedence; therefore, authenticating through one type of second factor is equal in strength to authenticating with another. Once a user has authenticated using his 2nd factor authenticator, he is not requested to use that authenticator again throughout his session.
Prerequisites:
- CA Advanced Authentication solution deployed.
- CA Advanced Authentication connector configured in CA Identity Portal; see Connectors for more information.
- Verify that Second Factor is enabled under General Configuration.
Enable Second Factor on Login
Use this functionality to request a 2nd factor authentication immediately after a user logs in to the system.
Verify that the option Require Second Factor On Login is selected under General Configurations.
Create Authenticators
There are four types of available authenticators from CA Advanced Authentication: ArcotID PKI, OTP, QNA, User Password.
Follow these steps:
- Navigate to the Admin UI.
- Click Elements, Authenticators, Create.
- Specify a name for the authenticator. The Tag value is populated automatically.
- Select the Advanced Authentication connector.
- Select the type of authenticator.
- If second factor is required for the activation of this authenticator, select Require Second Factor for activating this Authenticator.
- Click Create. The authenticator is created.
Note:
The Arcot ID authenticator requires 3 files from the Arcot server to be placed in the CA Identity Portal resources folder, under a sub folder called ARCOT. The 3 files are arcotclient.js, ArcotIDClient.swf and ArcotApplet.jar. The JAR and SWF files can be fetched from the Arcot sample application under the \webfort-7.1.01-sample-application\client folder. The JavaScript file is located in the Arcot sample application under the \webfort-7.1.01-sample-application\javascript folder.
To be requestable, authenticators must be added as target permissions and mapped to the entitlements tree. To configure a target permission, select the CA Advanced Authentication connector from the connectors list and select the desired authenticator in the "name" field. In the rules section of the target permission, check the box next to the desired form functions (for example, add and remove). You do not need to configure or select a form.
Create Authentication Rules
If the end user must complete a second factor authentication while requesting access, this can be defined as an authentication rule.
Follow these steps:
- Navigate to the Admin UI.
- Click Elements, Authentication Rules, Create.
- Give the rule a name. The Tag value is populated automatically.
- Click the Apply On tab.
- Select the conditions under which you want Second Factor.
- Select the condition for the logged in user. Default: Always.
- Select the permissions or module actions on which you would like second factor to be used.
- Click Create. The authentication rule is created.
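The following is a constructed model, added here and not CA Identity Portal code, of the second-factor decision logic this page describes: an authentication rule applies to a set of operations (permissions, module actions, login, authenticator activation) under a condition on the logged-in user (default Always); any active authenticator satisfies the challenge with equal precedence; and a successful challenge is remembered for the rest of the session. All class and function names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Set, Dict, List

@dataclass
class User:
    name: str
    active_authenticators: Set[str]             # e.g. {"OTP", "QnA"}; granted and registered
    attributes: Dict[str, str] = field(default_factory=dict)

@dataclass
class AuthRule:
    name: str
    apply_on: Set[str]                          # "login", "perm:<name>", "action:<name>", "activate:<authenticator>"
    condition: Callable[[User], bool] = lambda u: True   # the "Always" default condition

@dataclass
class Session:
    user: User
    second_factor_done: bool = False            # set once any 2nd factor succeeds; valid for the whole session

def requires_second_factor(session: Session, operation: str, rules: List[AuthRule]) -> bool:
    """Challenge only if some rule covers the operation for this user and the session has not yet passed 2nd factor."""
    if session.second_factor_done:
        return False
    return any(operation in r.apply_on and r.condition(session.user) for r in rules)

def challenge(session: Session, authenticator: str, verify: Callable[[str], bool]) -> bool:
    """Accept any of the user's active authenticators: all types carry equal precedence."""
    if authenticator not in session.user.active_authenticators:
        return False                            # not granted/registered for this user, so it cannot satisfy the rule
    if verify(authenticator):
        session.second_factor_done = True       # not asked again during this session
        return True
    return False

def activation_rule(authenticator: str, require_second_factor: bool) -> List[AuthRule]:
    """Model of 'Require Second Factor for activating this Authenticator' on a created authenticator."""
    return [AuthRule(f"activate-{authenticator}", {f"activate:{authenticator}"})] if require_second_factor else []
```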