Identity Suite SSO Protection

Document ID : KB000091822
Last Modified Date : 19/04/2018
Question:
We are integrating the Identity Suite with CA SSO. We are looking for some advice on how to best protect the ID Suite Admin console such that it is not accessible from the internet. Once we protect the Admin Portal w/ SSO, this will make it so that anyone with knowledge of the Admin portal URL and admin/password can log in and potentially cause harm through the Admin Portal. We would want to protect the User Portal with SSO, and leave the Admin Portal with native authentication.
Answer:
Reading https://docops.ca.com/ca-identity-suite/14-1/EN/integrating/protecting-ca-identity-portal-with-ca-single-sign-on#ProtectingCAIdentityPortalwithCASingleSign-On-AddRealmstoCAIdentityPortalDomain we find this statement:

CA SSO Login Page URLs
To access the Identity Portal using CA SSO, users should browse to the following CA SSO protected address: /sigma/

If you look at the Realms configuration section, it asks you to start with the parent resource. Unlike IM, where the protection is based on /im//*, the protection for the portal starts at the base /sigma/; you then set sub-realms as either protected or unprotected.

However, we do not document the resources associated with the admin console or differentiate them from those of the user console, probably because of shared resources, such as the logout URL and functionality.

The protection is all or nothing. You could try to create a sub-realm and set it to not protected, but this is not documented and not certified. Basically, we have not tried it yet.