Strong Authentication-Credentials Selector

The Credentials Selector is a strong authentication solution. The Credentials Selector enables users to select the type of authentication credentials necessary to access protected resources. Based on the user authentication context, the Policy Server can make authorization decisions and then generate user responses in the same single sign-on environment.
sm1252sp1
The Credentials Selector functionality is implemented as a standalone component, which any CA Single Sign-On-protected application can use.
Credentials Selector Use Case
In this use case, the user is given a choice of different credentials to obtain different levels of access when they request access to a protected resource. When the user requests a protected sample application, the user is presented with a login dialog that allows the user to select one of the following types of authentication:
  • Password And/Or Certificate authentication
  • Windows authentication
  • SecurID authentication
  • SafeWord authentication
Each login button on the dialog submits different credentials. The user experience depends on the type of credentials that they provide. After the user is successfully authenticated and authorized, the user is permitted access to the sample application, which displays a greeting that informs them of their authentication level and the type of authentication scheme they used to log in.
Request Access with Password And/Or Certificate Authentication
In the Password And/Or Certificate section of the login dialog, the user can select one of the following combinations of credentials to provide:
  • Username and Password only entered in an HTML form
  • X.509 client certificate only
  • Username/Password and X.509 client certificate
If the user provides only their valid username and password, the following message is displayed:
Greetings, SampleUser! Your authentication level is 5. You have used username/password authentication
If the user selects only the X.509 client certificate check box, they are prompted to select one of the client certificates that are configured with the browser. If the Policy Server recognizes the certificate, the following message is displayed:
Greetings, SampleUser! Your authentication level is 10. You have used X.509 client certificate authentication
The Password And/Or Certificate option offers the flexibility of providing a different authentication level depending on the credentials the user provides. The X.509 Cert Or Form authentication scheme, which can seem similar to the Password And/Or Certificate option, does not distinguish between the types of credentials that the user provides. The protection level is therefore the same regardless of what credentials the user provides.
If both Username and Password are provided and the X.509 client certificate check box is marked, the user is prompted for a client certificate. If the Policy Server recognizes the certificate and the certificate matches the username that the user provides, the following message is displayed:
Greetings, SampleUser! Your authentication level is 15. You have used X.509 client certificate and username/password authentication
Request Access with Windows Authentication
If the user is logged in to a Windows domain when they request a protected resource, the following message is displayed:
Greetings, SampleUser! Your authentication level is 5. You have used the Windows domain authentication
If the user is not logged in to a Windows domain, the user is prompted for their Windows domain credentials.
Request Access with SecurID Authentication
If the user provides a valid Username and SecurID PIN for SecurID authentication when they request a protected resource, the following message is displayed:
Greetings, SampleUser! Your authentication level is 20. You have used the SecurID authentication
Request Access with SafeWord Authentication
If the user provides only their username for SafeWord authentication, a two-step process occurs. CA Single Sign-On passes the username to the SafeWord server, and the server determines the credentials for which it challenges the user. SafeWord supports up to four authenticators per login. The authenticators can be fixed (using a password) or dynamic (using a token card PIN).
Upon successful access, the following message is displayed:
Greetings, SampleUser! Your authentication level is 20. You have used the SafeWord authentication
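The following is an added illustration, written for this page rather than taken from CA Single Sign-On, of how the use case above behaves: the front-end scheme routes the submitted credentials to one back-end scheme, the resulting authentication level is the one quoted in the greetings, and the Policy Server's authorization decision compares that level with the resource's protection level. The user store, password, certificate subject and SecurID PIN are constructed sample values; the SafeWord challenge exchange is not modelled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed model of the use case above, not CA Single Sign-On code.
# Levels are the ones quoted in the sample application's greetings.
LEVELS = {"username/password": 5, "X.509 client certificate": 10,
          "X.509 client certificate and username/password": 15,
          "Windows domain": 5, "SecurID": 20, "SafeWord": 20}
# Constructed sample user store: password, client-certificate subject, SecurID PIN.
USERS = {"SampleUser": {"password": "s3cret", "cert": "CN=SampleUser", "pin": "1234"}}

@dataclass
class Credentials:
    username: Optional[str] = None
    password: Optional[str] = None
    cert_subject: Optional[str] = None  # subject of the presented client certificate
    securid_pin: Optional[str] = None
    windows_logon: bool = False         # already logged in to a Windows domain

def select_backend(c: Credentials) -> Optional[Tuple[str, str]]:
    """Front-end scheme: route to a back-end scheme based on what was submitted.
    Returns (scheme name, authenticated username), or None if the credentials fail."""
    user = USERS.get(c.username) if c.username else None
    pw_ok = bool(user and c.password is not None and c.password == user["password"])
    cert_user = next((n for n, u in USERS.items() if u["cert"] == c.cert_subject), None)
    # A certificate counts only if the Policy Server recognizes it and, when a
    # username was also entered, the certificate belongs to that same user.
    cert_ok = cert_user is not None and c.username in (None, cert_user)
    if c.securid_pin is not None:
        return ("SecurID", c.username) if user and c.securid_pin == user["pin"] else None
    if c.windows_logon and user:
        return ("Windows domain", c.username)
    if pw_ok and cert_ok:
        return ("X.509 client certificate and username/password", c.username)
    if cert_ok and c.password is None:
        return ("X.509 client certificate", cert_user)
    if pw_ok and c.cert_subject is None:
        return ("username/password", c.username)
    return None  # wrong password, unknown or mismatched certificate: no downgrade

def login(c: Credentials) -> Optional[Tuple[int, str]]:
    """Return (authentication level, greeting) as the sample application would."""
    result = select_backend(c)
    if result is None:
        return None
    scheme, name = result
    level = LEVELS[scheme]
    return level, (f"Greetings, {name}! Your authentication level is {level}. "
                   f"You have used {scheme} authentication")

def authorized(level: int, protection_level: int) -> bool:
    """Policy Server decision: the session's level must reach the resource's level."""
    return level >= protection_level
```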
Credentials Selector Solution for the Use Case
To set up the Credentials Selector for this use case, configure the following components:
  • The Forms Credential Collector (FCC) used by the front-end authentication scheme to render the login dialog that is presented to the user when they request the protected sample application. A sample FCC named selectlogin.fcc is supplied with the Web Agent installation.
  • In the Administrative UI:
    • A front-end authentication scheme that is exposed to applications that use the Credentials Selector.
    • Several back-end authentication schemes, one for each type of credentials that the user can select. Back-end processing refers to functions only the Credentials Selector interacts with. The end user is not aware of these functions.
    • A specially configured policy domain, which includes a realm, rule, responses, and a policy, that represents the Credential Selector back-end processing.
  • A Web Agent that serves as the entry point for the policy domain representing the back-end processing.
  • A sample application that uses the front-end authentication scheme. For this use case, the sample application presents a greeting message to the user. This message changes depending on the credentials the user chooses when logging in.