How to Log into CA Identity Portal via CA SSO with Radius Authentication Scheme

Document ID : KB000010516
Last Modified Date : 05/10/2018
Introduction:

The customer needs to use the Radius Authentication Scheme instead of HTML Form with CA SSO (a.k.a. CA SiteMinder).

The CA Identity Suite documentation guides the customer to switch the CA SSO Authentication Scheme Type to the HTML Form Template.

How can the customer do this?

 

Background:

This is documented in the wiki:

Switch the CA SSO Authentication Scheme Type to HTML Form Template:

 https://docops.ca.com/ca-identity-suite/14-0/EN/ca-identity-suite-virtual-appliance/integrating-ca-identity-manager-with-ca-single-sign-on-using-ca-identity-suite-virtual-appliance#IntegratingCAIdentityManagerwithCASingleSign-OnusingCAIdentitySuiteVirtualAppliance-SwitchtheCASSOAuthenticationSchemeTypetoHTMLFormTemplate

VApp 14.0.x is Working as Designed. 

Identity Portal uses WildFly's built-in security to allow access to the Portal Admin user interface.

When basic auth credentials are sent to the Portal's WildFly instance, the application server always tries to validate them against its internal file-based user repository (where only the Portal Admin user is configured).

This behavior cannot be changed in the Portal.

Environment:
CA SSO 12.52 SP2 in Windows Server 2012R2
CA SSO WebAgent 12.52SP1 Apache Web Server
Instructions:

To allow end users to log into the CA Identity Portal via CA SSO with Radius Authentication (with a basic authentication popup in a web browser) there is a workaround.

You will need to involve an SSO Administrator to accomplish this configuration.

Set up a “Portal Radius Redirect page” on the CA SSO web agent, and then direct end users to browse to it. The page automatically redirects the users to the Portal after a successful login with Radius. This redirect page receives the basic auth headers. Ignore the headers and redirect the user to the Portal page without the headers.

Here are the highlights of a setup used to achieve this configuration: 

1. Under the CA SSO domain protecting the Portal realm, define a new Realm (/Radius) for Radius authentication. 

2. Update Portal Domain Policy to have a new rule for the Radius Realm. 

3. Create an HTML page to act as an auto redirect (portal.html) – you would need to change the redirect URLs to fit your environment. 

For example:

 

<!DOCTYPE HTML>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="1; url=https://sso126.ca.com/sigma/">
<script type="text/javascript">
window.location.href = "https://sso126.ca.com/sigma/";
</script>
<title>Page Redirection</title>
</head>
<body>
<!-- Note: link to Identity Portal.-->
Radius Authentication Success - Redirecting to Identity Portal
If you are not Redirected Automatically, follow this <a href='https://sso126.ca.com/sigma/'>Identity Portal</a>.
</body>
</html>
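As an added example (not part of the original article and not CA tooling), the Python check below parses a redirect page like the one in step 3 before it is deployed. It confirms that the meta refresh, script and link targets agree, use https on the expected Portal host, carry no embedded credentials and do not point back into the Radius realm, since browsers may resend basic credentials to URLs under the path they authenticated on. The `/Radius/` location of the page, the class and function names, and the trimmed sample page are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the step-3 page, trimmed (same URLs as the article).
PORTAL_HTML = """<!DOCTYPE HTML>
<html><head>
<meta http-equiv="refresh" content="1; url=https://sso126.ca.com/sigma/">
<script type="text/javascript">
window.location.href = "https://sso126.ca.com/sigma/";
</script>
</head><body>
<a href='https://sso126.ca.com/sigma/'>Identity Portal</a>
</body></html>"""

class RedirectTargets(HTMLParser):
    """Collect every URL the page can send a browser to."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.urls += re.findall(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
        elif tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.urls += re.findall(r"location(?:\.href)?\s*=\s*[\"']([^\"']+)", data)

def check_redirect_page(html, portal_host, radius_prefix="/Radius/"):
    """Return a list of problems; an empty list means the page passes."""
    # Assumption: the redirect page is served from under radius_prefix.
    p = RedirectTargets()
    p.feed(html)
    problems = [] if p.urls else ["no redirect target found"]
    if len(set(p.urls)) > 1:
        problems.append("redirect targets disagree: %s" % sorted(set(p.urls)))
    for u in set(p.urls):
        s = urlsplit(u)
        if s.scheme != "https" or s.hostname != portal_host:
            problems.append("not https on the Portal host: " + u)
        if s.username or s.password:
            problems.append("credentials embedded in URL: " + u)
        if s.path.startswith(radius_prefix):
            problems.append("target is inside the Radius realm: " + u)
    return problems
```

Run `check_redirect_page()` on the edited `portal.html` with your own Portal host name; any returned string names the target that needs correcting.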

 

 

Additional Information:

Integrating CA Identity Manager with CA Single Sign-On using CA Identity Suite Virtual Appliance:

https://docops.ca.com/ca-identity-suite/14-0/EN/ca-identity-suite-virtual-appliance/integrating-ca-identity-manager-with-ca-single-sign-on-using-ca-identity-suite-virtual-appliance#IntegratingCAIdentityManagerwithCASingleSign-OnusingCAIdentitySuiteVirtualAppliance-SwitchtheCASSOAuthenticationSchemeTypetoHTMLFormTemplate

 

https://docops.ca.com/ca-identity-suite/14-0/EN