Does CA SDM support two factor authentication (2FA)?

Document ID : KB000124853
Last Modified Date : 17/01/2019
Question:
We wish to implement two factor authentication (2FA) for our users.

Does CA Service Desk Manager/ITSM 17 support OAuth 2.0?

Can it support authentication using Office 365 or Azure Active Directory?
Answer:
No current version of CA Service Desk Manager/ITSM has two factor authentication (2FA) built in to the web client interface.

A third party load balancer, such as an F5 hardware load balancer, can provide the two factor authentication out front, and then pass through to the normal CA SDM authentication channels. This external load balancer configuration is out of scope for CA Support to advise on. 

You may build two factor authentication interfaces onto the front end of Web Services if that is required, but this is not provided out of the box.

Note that many users would prefer Single Sign On (SSO) as the standard authentication channel for its ease of use.
Good security can be maintained via the use of TLS.
CA SDM/ITSM supports SSO and TLS.
Configuring Single-Sign-On (SSO) for Internet Information Server (IIS) 8.0 and CA Service Desk Manager (CA SDM) r12.9/14.1/17.x
How to Enable TLS 1.2 with CA EEM 12.6

CA Advanced Authentication (https://docops.ca.com/ca-advanced-authentication/9-0/en) provides two factor authentication for CA products, but there are no explicit references to CA SDM/ITSM in that product documentation. At the time of this knowledge document, it is unclear if it provides any solution for CA SDM.

Active Directory is supported for CA SDM as an authentication method. 
You would configure "External Authentication" to point to this source: 
https://docops.ca.com/ca-service-management/17-1/en/administering/configure-ca-service-desk-manager/setting-up-security/user-authentication#UserAuthentication-ExternalAuthentication 

Azure Active Directory is not on our SDM Supportability Matrix: 
https://docops.ca.com/ca-service-management/17-1/en/ca-service-management-17-1-release-notes/supportability-matrix 
It "might work" - but it is up to the site to manage and own this, as CA have not certified it. 

The only component from Office 365 that is relevant to CA SDM is the mail component. 
It can be connected as follows: 
https://docops.ca.com/ca-service-management/17-1/en/administering/configure-ca-service-desk-manager/how-to-configure-the-mailbox-to-handle-inbound-emails/connecting-maileater-to-office-365-mail 

OAuth 2.0 is a standard for open authentication, which is not directly referenced in the CA SDM product documentation.

The CA Communities can be used to put through an Idea (enhancement request) to have 2FA or Azure support added, or to discuss with other sites how they have implemented 2FA.
See https://communities.ca.com/community/ca-service-management
Additional Information:
CA Documentation
Enable SAML Authentication for CA SDM
Single Sign On (SSO) works for some CA Service Desk Manager (CA SDM) users, but does not for others


General Documentation on OAuth
https://oauth.net/2/
What is OAuth? How the open authorization framework works
https://en.wikipedia.org/wiki/OAuth


General Azure Documentation
Azure Active Directory - Home page

General 2FA/Multi-Factor Authentication Documentation
https://en.wikipedia.org/wiki/Multi-factor_authentication