New Features

The content in this section provides information on new features for .
The content in this section provides information on new features for
CA Single Sign-On
CA Single Sign-On
as OpenID Connect Provider
You can use
CA Single Sign-On
as an OpenID Connect provider using the OpenID Connect 1.0 protocol. The protocol allows clients to verify the identity of the users that are authenticated by the authorization server, and obtain basic profile information.
CA Single Sign-On
12.7 is certified for the OpenID Provider conformance profile. For information, see Certified OpenID Providers.
CA Single Sign-On
authenticates users using Authorization Code Flow that uses code as the response type. For more information, see Configure CA Single Sign-On as OpenID Connect Provider.
A new security category OpenID Connect Administration is added to the Select Security Category page of Administrative UI. The new security category lets you set privileges and rights of an administrator for managing the OpenID Connect feature. For more information about security categories, see Select Security Category.
Response Mode
CA Single Sign-On
Release 12.7.02, you can specify whether the authentication response to redirect_uri must be sent in the form of query parameters or encoded as HTML form values that are sent in POST method. By default, Authorization Code Flow uses
as the response mode. If you want the response in the default format, you need not send this parameter in the authentication request. If you want the response encoded as HTML form values, specify
as the value in the authentication request.
Policy Object REST APIs
CA Single Sign-On
12.7 provides the following new Policy Object REST APIs:
  • Administrative Token API
    – Obtain a JWT token that is required to access the Policy Data API.
  • Policy Data API
    – Create, read, update, and delete objects (including federation entities and partnerships, and certificate services) in the policy store.
  • Policy Import/Export API
    – Export and import specified subsets of the policy data in the policy store.
link at the bottom of the Administrative UI opens the interactive reference documentation.
For more information, see Policy Object REST APIs.
IWA Fallback to Forms Using Authentication Chain
If the primary authentication scheme fails, the authentication process falls back to the secondary authentication scheme. This fallback process helps you combine multiple authentication schemes as a new Authentication Chain. Currently,
CA Single Sign-On
supports only Integrated Windows Authentication (IWA) Fallback to Forms-based authentication scheme.
For more information, see Authentication Chaining.
New Parameter in XPSConfig Utility
A new parameter,
, is introduced in the XPSConfig utility. By changing the value of this parameter to TRUE, you can deny access to the native disabled users at SP side user directory for directories such as CA Directory Server, Microsoft Active Directory Lightweight Directory Services, Oracle Directory Server Enterprise Edition.
Administrative UI Uses Cache for Certificates Management
To avoid the number of calls between Policy Server and Administrative UI for managing certificates, a cache is now maintained at Administrative UI. We recommend that you manage certificates using Administrative UI as the cache is automatically updated when you perform change using Administrative UI.
A new option Get Updates is introduced for synchronizing the certificates information in Administrative UI with the changes available in the certificate store. For more information, see Trusted Certificates and Private Keys.
View Object Dependencies
The object dependencies feature lets you view the list of objects that depend on a specific object in CA Single Sign-On. For example, you can view the list of partnerships that are using a certificate.
For more information, see Object Dependencies.
Kerberos Constrained Delegation
CA Single Sign-On
is upgraded to support Kerberos Constrained Delegation. You can now restrict Web Agent to access a selected list of services on behalf of the user using their delegated credentials.
Support for Configuring GUID Cookie Validity Duration
To manage the AuthnRequest state when the AuthnRequest binding is configured to HTTP-POST, the GUID Cookie Validity Duration (Seconds) parameter is added in the Administrative UI.
For more information, see SSO and SLO Dialog (SAML 2.0 IdP).
Support of Name Qualifier in AuthnRequest
The Name Qualifier query parameter is supported in the AuthnRequest.
Support for Integration of CA Remote Engineer 4.0 with CA Telemetry Service
CA Single Sign-On
supports CA Remote Engineer 4.0 from Release 12.6.02. Remote Engineer provides a mechanism to send metric data to the Telemetry Service. The Telemetry Service is a CA-hosted service that supports the collection and retention of the customer product metric data. For more information, see Integrate CA Remote Engineer with CA Telemetry Service.
New Parameter Added to server.conf
From 12.7.02, a new parameter
is added to the server.conf file of
CA Access Gateway
to manage domain cookie header if the cookie request sent from the host-only backend server does not contain the domain. If you enable the parameter,
CA Access Gateway
uses its domain if the initial host-only set-cookie request does not contain a domain.
Log Client IP in smaccess.log
From 12.7.02, you can log Client IP in smaccess.log for all thick clients. Modify the httpd.conf file to log Client IP too.
For information, see Single Sign-on to Office 365.
New Registry Key
In 12.7.02, the AllowBigCRL registry key is added to let Policy Server quickly retrieve CRLs when the list is huge. You can configure this registry key if a certificate and CRL are issued by the same entity.