CA Securecenter
Leveraging New Features in CA Single Sign-On to Enable Web Services, Social Sign-On and Enhanced Session Security
Tim Hobbs, Advisor, Product Management, CA Technologies
SCX19E #CAWorld
*formerly CA SiteMinder
© 2014 CA. ALL RIGHTS RESERVED. 
Abstract 
CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder® Secure Proxy Server). 
Tim Hobbs 
CA Technologies 
Advisor, Product Management
Agenda
1. USING THE CA ACCESS GATEWAY
2. SOCIAL SIGN-ON
3. OPEN FORMAT COOKIE
4. WEB SERVICES (SOAP AND REST API)
5. ENHANCED SESSION ASSURANCE WITH DEVICEDNA™
CA Access Gateway 
*formerly CA SiteMinder® Secure Proxy Server
CA Access Gateway Overview
[Diagram, agent-focused deployment: Browser; Web Server with CA SSO Agent; CA SSO Policy Server; User Directories; CA SSO Policy Store]
CA Access Gateway Overview
[Diagram, proxy-focused deployment: Browser; CA Access Gateway; Web Servers; Web Services APIs; CA SSO Policy Server; User Directories; CA SSO Policy Store]
CA Access Gateway Overview 
Any (and multiple) back-end web servers 
Login, federation, password service pages 
Session management options for mobile devices 
Significantly reduces the TCO 
[Diagram: Users (employees, mobile employees, partners, customers); CA Access Gateway; Destination Servers; CA SSO Policy Server]
CA Access Gateway Product Features 
Access control for HTTP and HTTPS requests 
Single sign-on 
Multiple session schemes 
Session storage 
Cookie-less single sign-on 
Intelligent proxy rules 
Centralized access control management 
Enterprise class architecture
Expanded Support For SSO And Access Management: Overview
Feature: Description
WebDAV: CA Access Gateway can control access to content that is accessed via the WebDAV protocol, which is an extension of HTTP
Session Linker: For securing single sign-on to ERP environments
Support for ASAs: CA Access Gateway can be used in place of a CA Single Sign-On Web Agent as the web tier in front of a CA Single Sign-On ASA agent
Integrated Windows Authentication: Support for IWA to access applications on servers behind CA Access Gateway
Enhanced proxy rules: Enhanced rules to support new conditions based on cookie existence, cookie value, and header existence
Proxy Rules Overview 
Forward requests based on: 
URI 
Virtual host name 
Header values (standard or created by CA SSO response) 
Device type 
File extension 
Cookie existence/cookie value 
Regular expressions and nested conditions in proxy rules
Proxy Rules: Use Case
Proxy Rules: Example
Improved Management For Lower TCO: Overview
Feature: Description
Manage multiple instances: Can configure multiple CA Access Gateway hosts at the same time
Multiple instances on single hardware platform: Making it possible to separate user groups or application access across CA Access Gateway instances without increasing hardware costs
CA Application Performance Management* support: CA Access Gateway has been instrumented to provide performance data to the application performance tool
Agent discovery: CA Access Gateway instances are uniquely identified in the CA Single Sign-On agent discovery administrative UI for ease of management
Administrative UI for configuration: Administrative UI for configuring proxy rules, virtual hosts, proxy service settings, session store and session scheme settings, federation settings
*formerly CA Wily Introscope®
Improved Management for Lower TCO: Administrative UI
Capabilities introduced with SPS r12.5
Citrix NetScaler Overview: Leading Application Delivery Controller
Available as a physical or virtual appliance, Citrix NetScaler is a comprehensive system deployed in front of application and database servers that combines high-speed load balancing and content switching with:
Application acceleration
Highly-efficient data compression
Static and dynamic content caching
SSL acceleration
Application performance monitoring
Robust application security
Courtesy: Citrix Training Content
[Diagram: App Expert Admin across B2B, B2C and P2P traffic, with capability areas Availability, Performance, Offload and Security]
•World-class L4-L7 load balancing
•Intelligent service health monitoring
•Caching
•Compression
•Connection pooling
•Web 2.0 offload
•SSL processing
•Access Gateway SSL VPN
•Application firewall
Citrix NetScaler Platforms: Software and Hardware Appliances
NetScaler VPX: A virtual appliance
NetScaler MPX Platform Models: Hardware appliance for scale
NetScaler SDX: Platform for enterprise and cloud datacenters
–Virtualized architecture, which effectively delivers multiple NetScaler instances running on a single NetScaler MPX appliance, with an advanced control plane for unified provisioning, monitoring and management for multi-tenant requirements
–Can consolidate up to 80 independently-managed NetScaler instances with up to 120 Gbps of overall performance
–Provides complete isolation so that memory, CPU cycles and SSL capacity can be divided and definitively assigned to different NetScaler instances
Courtesy: Citrix Training Content
CA Access Gateway for Citrix NetScaler SDX
Virtual Appliance built on Red Hat Enterprise Linux (RHEL) in Citrix-supported XVA format and deployed on NetScaler SDX platform
All standard features of CA Access Gateway, which can be used after performing standard configurations (requires a configured CA Single Sign-On Policy Server)
Can be dynamically provisioned and managed from Citrix NetScaler SDX administrative interface
Creates a VM with installed CA Access Gateway instance (takes the install parameters from provisioning UI)
Monitor performance
Start, stop, reboot, upgrade, upgrade SDX tools etc.
CA Single Sign-On integration use cases with Citrix NetScaler 10.5.x
SAML-based SSO authentication between Citrix NetScaler and CA Single Sign-On
Radius-based authentication from Citrix NetScaler through CA Single Sign-On
Full range of CA Single Sign-On authentication as well as granular authorization capabilities available via integration
Social Sign-On
Support for Social Sign-On Overview 
Simple new user registration increases sign up rate. 
Use consumer identity for initial customer acquisition and low risk transactions. 
Collecting identity and device attributes allows for personalized marketing. 
Seamless sign-on encourages registration and enables targeted marketing. 
Sign on with stronger credentials when needed for high value transactions.
Support for Social Sign-On Use Case 
User initiates a sign-on request using his social sign-on account (OAuth request). 
User is redirected to the selected remote authorization server and logs in. 
The OAuth flow is completed via the backchannel. 
If configured, user information is retrieved from the configured user information URL via the backchannel. 
Once authorized, the browser is redirected to the configured target page. 
If authorized but not found in the user store, JIT provisioning process can be launched (first time access/create account).
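The use case above, worked through from the relying party's side as an added example (not CA Single Sign-On code). The authorization server is a constructed in-memory stand-in, and all class, method and URL names are assumptions; the `state` check is the standard OAuth 2.0 way to tie the callback to the browser that started the sign-on.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class FakeAuthorizationServer:
    """Constructed stand-in for the remote authorization server (no network)."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client = (client_id, client_secret, redirect_uri)
        self._codes = {}    # one-time authorization code -> user profile
        self._tokens = {}   # access token -> user profile

    def user_logs_in(self, profile):
        """User authenticates at the provider; returns the code sent via the browser."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = profile
        return code

    def token_endpoint(self, code, client_id, client_secret, redirect_uri):
        """Backchannel call: exchange a one-time code for an access token."""
        if (client_id, client_secret, redirect_uri) != self.client:
            raise PermissionError("client authentication failed")
        profile = self._codes.pop(code, None)   # codes are single use
        if profile is None:
            raise PermissionError("unknown or already used authorization code")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = profile
        return token

    def userinfo_endpoint(self, access_token):
        """Backchannel call: the configured user information URL."""
        return dict(self._tokens[access_token])


class RelyingParty:
    """Hypothetical local OAuth client; names are illustrative only."""

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server = auth_server
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.user_store = {}   # subject -> attributes

    def begin_sign_on(self, browser_session, target):
        """Build the redirect to the authorization server."""
        state = secrets.token_urlsafe(16)
        browser_session["oauth_state"] = state   # bound to this browser only
        browser_session["target"] = target
        return "https://idp.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, browser_session, query):
        """Finish the flow; returns (redirect_target, jit_provisioned)."""
        expected = browser_session.pop("oauth_state", "")   # single use
        presented = query.get("state", "")
        if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
            raise PermissionError("state mismatch: callback not tied to this sign-on")
        token = self.auth_server.token_endpoint(
            query["code"], self.client_id, self.client_secret, self.redirect_uri)
        profile = self.auth_server.userinfo_endpoint(token)
        subject = profile["sub"]
        provisioned = subject not in self.user_store
        if provisioned:   # first-time access: create the account (JIT provisioning)
            self.user_store[subject] = {"email": profile["email"]}
        return browser_session.pop("target"), provisioned


def build_demo():
    """Wire up a relying party and the fake provider with constructed credentials."""
    args = ("demo-client", "demo-secret", "https://sso.example/callback")
    idp = FakeAuthorizationServer(*args)
    return RelyingParty(idp, *args), idp


def run_flow(rp, idp, profile, override_state=None):
    """One complete sign-on; override_state simulates a callback with a foreign state."""
    session = {}
    url = rp.begin_sign_on(session, "/account/home")
    state = parse_qs(urlparse(url).query)["state"][0]
    code = idp.user_logs_in(profile)
    return rp.handle_callback(session, {"code": code, "state": override_state or state})


if __name__ == "__main__":
    rp, idp = build_demo()
    alice = {"sub": "social-1001", "email": "alice@example.com"}   # constructed profile
    print(run_flow(rp, idp, alice))   # first access: account is provisioned
    print(run_flow(rp, idp, alice))   # later access: user already in the store
```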
Support for Social Sign-On Requirements
Pre-configured OAuth authorization server support for:
–Twitter (OAuth 1.0a)
–Facebook, Google, LinkedIn, Microsoft (OAuth 2.0)
–Many other OAuth Identity Providers
Client registration with the remote authorization server is required before creating partnership
Support for Social Sign-On: Configuration
1. Create the local OAuth client entity.
2. Create or modify the remote entity of an authorization server.
3. Create a partnership to configure single sign-on.
4. Migrate an OAuth authentication scheme to OAuth Partnership.
Support for Social Sign-On: Create the local OAuth client identity.
Select the appropriate OAuth version for your partnership.
Support for Social Sign-On: Modify the remote entity of an authorization server.
Google pre-configured remote entity
Support for Social Sign-On: Create a partnership to configure single sign-on.
Support for Social Sign-On: Migrate to OAuth partnership.
Use both the OAuth authentication scheme and an OAuth partnership simultaneously. 
–Add the new redirect URL to the existing OAuth authentication scheme redirect URL. 
Use an OAuth partnership instead of the OAuth authentication scheme. 
–Update the existing redirect URL at the OAuth authorization server to the appropriate partnership redirect URL.
Lab 1: Social Sign-On
IN THIS LAB YOU WILL:
Create an OAuth Partnership
Credential Handling Service: Overview
Simplified configuration for letting the end user choose the authentication provider 
Supports identity providers using federation partnerships 
Is deployed on the CA Access Gateway
Credential Handling Service Use Case 
Make several federated partnerships available for login. The credential handling service shows the partnerships in the group. 
–An unauthenticated user requests a resource protected by CA SSO and is presented with the choice of identity providers 
–The user selects an identity provider to authenticate with 
–The selected partnership is invoked and the user is redirected to the identity provider for login and back to CA SSO 
–When the user is identified by CA SSO the user is redirected back to the original target page 
–When the user is not found by CA SSO provisioning can occur
Credential Handling Service: Requirements
CA Access Gateway 
Partnership between CA SSO and the enterprise (CA SSO) where protected resources exist 
Partnership between CA SSO and identity providers
Credential Handling Service: Configuration
1. Configure partnerships to identity providers.
2. Create an authentication method group.
3. Configure a partnership to the enterprise.
4. Optionally customize the credential selector page.
Credential Handling Service: Login Flow Detail (Registered User)
An unauthenticated user invokes a partnership with CHS enabled.
The user selects an identity provider and signs on. The identity provider generates an access token and redirects the user to the federation system (relying party).
The federation system (relying party) verifies the access token, disambiguates the user, and generates a session. 
The federation system (asserting party) generates an assertion and redirects the user to the enterprise (relying party). 
The enterprise (relying party) verifies the assertion and gives the user access to the federated resource.
Credential Handling Service: Create an authentication method group.
Credential Handling Service: Configure a partnership to the enterprise.
Partnership based on one of these authentication protocols: 
–SAML 1.1 
–SAML 2.0 
–WS-Federation 
SSO 
–Authentication mode = Credential Selector 
–Define the base URL 
–Select the previously created Authentication Method Group 
Target Application 
–SAML 1.1: Target
–SAML 2.0 and WS-Federation: Relay State Overrides Target
Credential Handling Service: Customize the header or footer.
<install_path>\CA\secure-proxy\Tomcat\webapps\chs\jsps
Make a copy of the header.jsp file and name the new file header-custom.jsp.
Make a copy of the footer.jsp file and name the new file footer-custom.jsp.
Customize the new files as needed. 
Restart CA Access Gateway.
Lab 2: Credential Handling Service
IN THIS LAB YOU WILL:
Create an Authentication Method Group 
Enable the Credential Handling Service
Open Format Cookie: Agentless SSO
Open Format Cookie = “agentless” SSO: Overview
Standards-based cookie directly read by applications
No agent or proxy installed between user and web server
–Lower cost method for accomplishing basic SSO 
–Web applications decrypt (optional) and consume the standard cookie 
–Adds flexible option to a customer’s CA SSO architecture 
For applications that have lower security requirements 
–No centralized auditing, CA SSO authorization or centralized session control 
Web Agent in the CA SSO architecture used for protection and cookie generation
Open Format Cookie Use Case 
When not possible/not convenient to deploy a Web Agent 
Less stringent security and session control over applications 
Generated in response to a successful authentication or authorization event
Open Format Cookie Configuration
Web Services: SOAP and REST APIs
SOAP and REST APIs: Overview
Web service interfaces for authentication and authorization 
Deployed via CA Access Gateway 
Supports SOAP (wsdl) and REST (wadl) architectures 
http(s)://server:port/authazws/auth?wsdl 
http(s)://server:port/authazws/AuthRestService/application.wadl 
Lower cost method for integrating CA SSO services 
Adds flexible option to a customer’s CA SSO architecture
SOAP and REST APIs: Overview
Authn/Authz web services provide the following functionality:
–login: Authenticates and returns session token (and optional identity token)
–blogin (Boolean login): Authenticates and verifies whether login is successful and does not return session token
–logout: Logs out the user or group of users
–authorize: Returns an authorization status message and a refreshed session token
SOAP and REST APIs Use Case 
User accesses mobile gateway via smart phone. 
Mobile Gateway calls web service interface to authenticate user. 
Web service validates with CA SSO Policy Server. 
CA SSO validates/authorizes request. 
Web service provides validation/authorization status back to mobile gateway via session token. 
Mobile gateway requests content from web server. 
Content is returned to user. 
[Diagram: numbered flow, steps 1 to 7, between User, Mobile Gateway, Secure Proxy Server, Policy Server and Web Server]
SOAP and REST APIs: Requirements
Determine and register a virtual host name (DNS entry, Hosts file). 
Protect the web services root URL.
SOAP and REST APIs: Requirements
One or more agents to protect target applications against which callers authenticate
Realms, user directories, policies and responses that are required for authentication and authorization
A client program to issue authn/authz request to the web service on behalf of another application (see KB article TEC592437, Scenario: Working with the CA Single Sign-On Authentication and Authorization Web Services)
SOAP and REST APIs: Configuration
1. Create the ACO.
2. Enable the web services.
3. Configure the web services logs (optional).
SOAP and REST APIs: Create the ACO.
Agentname
EnableAuth / EnableAz
RequireAgentEnforcement
SOAP and REST APIs: Enable the Web Services.
SOAP and REST APIs: Configure the Web Services logs.
Open file sps_home/proxy-engine/conf/webservicesagent/authaz-log4j.xml
Un-comment the AuthAZ_ROLLING appender tag:
<appender name="AuthAZ_ROLLING" class="org.apache.log4j.DailyRollingFileAppender">
  <param name="File" value="logs/authazws.log"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p [%c] -%m%n"/>
  </layout>
</appender>
Un-comment all occurrences of appender-ref for the tag:
<appender-ref ref="AuthAZ_ROLLING"/>
New log file sps_home/proxy-engine/logs/authazws.log
Lab 3: Web Services
IN THIS LAB YOU WILL:
Enable the authentication and authorization Web Services
Enhanced Session Assurance with DeviceDNA
Enhanced Session Assurance With DeviceDNA: Overview
Improves upon existing authentication and session persistence capabilities
Enhancement to the authentication service and the Policy Server to allow for association of DeviceDNA
DeviceDNA is data unique to individual HTTP clients
CA Access Gateway and session store required to support the DeviceDNA collection
Enhanced Session Assurance With DeviceDNA: Use Case
Combats session hijacking/session replay 
Blocks the use of a stolen SMSESSION cookie 
Included with CA SSO deployment and license (no additional SKUs)
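The idea behind binding a session to client-specific data, as an added illustration (this is not CA's DeviceDNA algorithm or any CA SSO code). The attribute names, the keyed-hash fingerprint and the SessionStore class are assumptions made for the example; it also shows the shared-workstation case, where a replay from the same device looks identical to the legitimate client.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed per-run key for the example


def device_fingerprint(attributes):
    """Keyed hash over canonically ordered client attributes."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class SessionStore:
    """Server-side store that remembers which device each session was issued to."""

    def __init__(self):
        self._sessions = {}   # session token -> {"user": ..., "device": ...}

    def login(self, user, attributes):
        """Issue a session token and record the fingerprint collected at login."""
        token = secrets.token_urlsafe(24)
        self._sessions[token] = {"user": user,
                                 "device": device_fingerprint(attributes)}
        return token

    def validate(self, token, attributes):
        """Return (user, reason); user is None when the request is refused."""
        session = self._sessions.get(token)
        if session is None:
            return None, "unknown-session"
        presented = device_fingerprint(attributes)
        if not hmac.compare_digest(session["device"], presented):
            # A valid token arriving from a different device suggests the cookie
            # was copied, so the session is revoked rather than merely refused.
            del self._sessions[token]
            return None, "device-mismatch"
        return session["user"], "ok"


# Constructed sample attributes, as a script in the browser might report them.
LAPTOP = {"user_agent": "ExampleBrowser/1.0", "screen": "1920x1080",
          "timezone": "UTC+1", "language": "en-GB"}
OTHER_HOST = {"user_agent": "ExampleBrowser/1.0", "screen": "1366x768",
              "timezone": "UTC-5", "language": "en-US"}


def demo():
    """Replay one session token from three places and collect the outcomes."""
    store = SessionStore()
    token = store.login("jsmith", LAPTOP)
    results = {
        "same_device": store.validate(token, dict(LAPTOP)),
        # Shared workstation: a second person on the same machine presents the
        # same attributes, so the binding cannot tell the two apart.
        "shared_workstation": store.validate(token, dict(LAPTOP)),
        "copied_cookie": store.validate(token, OTHER_HOST),
    }
    # The mismatch revoked the session, so the original device must log in again.
    results["after_revocation"] = store.validate(token, LAPTOP)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```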
Enhanced Session Assurance With DeviceDNA: Requirements
Policy Server r12.52 or greater 
–Installs necessary components silently 
CA Access Gateway r12.52 or greater 
Session store 
Agent configuration object used for CA Access Gateway configuration should have “.sac” in ignore extensions list
Enhanced Session Assurance With DeviceDNA: Configuration
1. Review the limitations.
2. Configure the CA Access Gateway.
3. Create Enhanced Session Assurance endpoints.
4. Add endpoints to realms or applications.
5. (Optional) Enable Enhanced Session Assurance on partnerships.
Enhanced Session Assurance With DeviceDNA: Limitations
Web 2.0 clients 
Custom agents 
Clients that do not support JavaScript and cookies 
POST preservation 
Shared workstations 
Authentication/authorization web services 
Federation limitations 
–The SP side of a SAML 2.0 partnership. 
–HTTP-POST Authentication request bindings on the IDP side of a SAML 2.0 partnership.
Enhanced Session Assurance With DeviceDNA: Configure the CA Access Gateway environment.
Enter the advanced authentication server encryption key (from the installation or upgrade) in all Policy Servers.
Enable the encryption by configuring the JVM with the JSafeJCE Security Provider.
If multi-domain SSO is configured using a cookie provider Web Agent, the CA Access Gateway must be configured to run in the same domain as the cookie provider Web Agent.
Enhanced Session Assurance With DeviceDNA: Create Enhanced Session Assurance endpoints.
On the Global options, select create Session Assurance Endpoints.
Enhanced Session Assurance With DeviceDNA: Add endpoints to realms or applications.
To protect resources in realms, add session assurance endpoint.
Enhanced Session Assurance With DeviceDNA: Enable Enhanced Session Assurance on partnerships.
Available on the following partnerships: 
–The IdP side of an SP to IdP partnership 
–The Producer side of a Consumer to Producer partnership 
–The AP side of an RP to AP partnership
Lab 4: Session Assurance
IN THIS LAB YOU WILL:
Enable Enhanced Session Assurance with DeviceDNA
For More Information 
To learn more about Security, please visit: 
http://bit.ly/10WHYDm 
Terms of this Presentation
For Informational Purposes Only
© 2014 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
This presentation provided at CA World 2014 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.

More Related Content

What's hot

Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Ping Identity
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsApigee | Google Cloud
 
CIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCloudIDSummit
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitBrian Campbell
 
PingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to KnowPingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to KnowCloudIDSummit
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Ping Identity
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityCA API Management
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCloudIDSummit
 
Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass
Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass
Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass Ping Identity
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid KhosravianCloudIDSummit
 
Overview of Oracle Identity Management - Customer Presentation
Overview of Oracle Identity Management - Customer PresentationOverview of Oracle Identity Management - Customer Presentation
Overview of Oracle Identity Management - Customer PresentationDelivery Centric
 
CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...
CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...
CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...oow123
 
Identiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsBertrand Carlier
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...CA API Management
 
Con8823 access management for the internet of things-final
Con8823   access management for the internet of things-finalCon8823   access management for the internet of things-final
Con8823 access management for the internet of things-finalOracleIDM
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with ZosShiu-Fun Poon
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorPing Identity
 
User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415IsraelGuillen12
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best PracticeShiu-Fun Poon
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices SecurityBertrand Carlier
 

What's hot (20)

Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
Gartner IAM London 2017 Session - Security, Standards & User Experience: The ...
 
DevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile AppsDevOps & Apps - Building and Operating Successful Mobile Apps
DevOps & Apps - Building and Operating Successful Mobile Apps
 
CIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity ServiceCIS13: Bootcamp: PingOne as a Simple Identity Service
CIS13: Bootcamp: PingOne as a Simple Identity Service
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
PingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to KnowPingOne IDaaS: What You Need to Know
PingOne IDaaS: What You Need to Know
 
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
Hybrid IAM: Fuelling Agility in the Cloud Transformation Journey | Gartner IA...
 
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker IdentityFederation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
Federation Evolved: How Cloud, Mobile & APIs Change the Way We Broker Identity
 
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish JainCIS 2015 SSO for Mobile and Web Apps Ashish Jain
CIS 2015 SSO for Mobile and Web Apps Ashish Jain
 
Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass
Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass
Webinar: Deep Diving Into the KuppingerCole IDaaS Leadership Compass
 
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015  Session Management at Scale - Scott Tomilson & Jamshid KhosravianCIS 2015  Session Management at Scale - Scott Tomilson & Jamshid Khosravian
CIS 2015 Session Management at Scale - Scott Tomilson & Jamshid Khosravian
 
Overview of Oracle Identity Management - Customer Presentation
Overview of Oracle Identity Management - Customer PresentationOverview of Oracle Identity Management - Customer Presentation
Overview of Oracle Identity Management - Customer Presentation
 
CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...
CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...
CON8040 Identity as a Service - Extend Enterprise Controls and Identity to th...
 
Identiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundationsIdentiverse 2021 enterprise identity: What foundations
Identiverse 2021 enterprise identity: What foundations
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
 
Con8823 access management for the internet of things-final
Con8823   access management for the internet of things-finalCon8823   access management for the internet of things-final
Con8823 access management for the internet of things-final
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with Zos
 
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security FactorWebinar: Three Steps to Transform Your Mobile App into a Security Factor
Webinar: Three Steps to Transform Your Mobile App into a Security Factor
 
User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415User manual of i vms 4200-v2.3.1_20150415
User manual of i vms 4200-v2.3.1_20150415
 
APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
Identiverse - Microservices Security
Identiverse - Microservices SecurityIdentiverse - Microservices Security
Identiverse - Microservices Security
 

Leveraging New Features in CA Single Sign-On

  • 1. ca Securecenter Leveraging New Features in CA Single Sign-On to Enable Web Services, Social Sign–On and Enhanced Session Security Tim Hobbs, Advisor SCX19E #CAWorld Product Management CA Technologies *formerly CA SiteMinder
  • 2. 2 © 2014 CA. ALL RIGHTS RESERVED. Abstract CA Single Sign-On (CA SSO) is constantly evolving, incorporating the latest technologies in secure web access management. In order to stay secure and competitive, CA SSO makes greater use of the CA Access Gateway (formerly CA SiteMinder® Secure Proxy Server). Tim Hobbs CA Technologies Advisor, Product Management
  • 3. Agenda: (1) USING THE CA ACCESS GATEWAY; (2) SOCIAL SIGN-ON; (3) OPEN FORMAT COOKIE; (4) WEB SERVICES (SOAP AND REST API); (5) ENHANCED SESSION ASSURANCE WITH DEVICEDNA™
  • 4. CA Access Gateway *formerly CA SiteMinder® Secure Proxy Server
  • 5. CA Access Gateway Overview: Agent Focused. Diagram labels: Browser; Web Server with CA SSO Agent; CA SSO Policy Server; User Directories; CA SSO Policy Store
  • 6. CA Access Gateway Overview: Proxy Focused. Diagram labels: Browser; CA Access Gateway; CA SSO Policy Server; Web Servers; Web Services APIs; User Directories; CA SSO Policy Store
  • 7. CA Access Gateway Overview: Any (and multiple) back-end web servers; Login, federation, password service pages; Session management options for mobile devices; Significantly reduces the TCO. Users: Employees; Mobile employees; Partners; Customers. Diagram labels: CA Access Gateway; Destination Servers; CA SSO Policy Server
  • 8. CA Access Gateway Product Features: Access control for HTTP and HTTPS requests; Single sign-on; Multiple session schemes; Session storage; Cookie-less single sign-on; Intelligent proxy rules; Centralized access control management; Enterprise class architecture
  • 9. Expanded Support For SSO And Access Management: Overview (Feature: Description)
      • WebDAV: CA Access Gateway can control access to content that is accessed via the WebDAV protocol that is an extension of HTTP
      • Session Linker: For securing single sign-on to ERP environments
      • Support for ASAs: CA Access Gateway can be used in place of a CA Single Sign-On Web Agent as the web tier in front of a CA Single Sign-On ASA agent
      • Integrated Windows Authentication: Support for IWA to access applications on servers behind CA Access Gateway
      • Enhanced proxy rules: Enhanced rules to support new conditions based on cookie existence, cookie value, and header existence
  • 10. Proxy Rules Overview. Forward requests based on: URI; Virtual host name; Header values (standard or created by CA SSO response); Device type; File extension; Cookie existence/cookie value; Regular expressions and nested conditions in proxy rules
  • 11. 11 © 2014 CA. ALL RIGHTS RESERVED. Proxy RulesUse Case
  • 12. 12 © 2014 CA. ALL RIGHTS RESERVED. Proxy RulesExample
  • 13. Improved Management For Lower TCO: Overview (feature: description). Manage multiple instances: Can configure multiple CA Access Gateway hosts at the same time. Multiple instances on single hardware platform: Making it possible to separate user groups or application access across CA Access Gateway instances without increasing hardware costs. CA Application Performance Management* support: CA Access Gateway has been instrumented to provide performance data to the application performance tool. Agent discovery: CA Access Gateway instances are uniquely identified in the CA Single Sign-On agent discovery administrative UI for ease of management. Administrative UI for configuration: Administrative UI for configuring proxy rules, virtual hosts, proxy service settings, session store and session scheme settings, federation settings. *formerly CA Wily Introscope®
  • 14. Improved Management for Lower TCO: Administrative UI
  • 15. Improved Management for Lower TCO: Administrative UI. Capabilities introduced with SPS r12.5
  • 16. Improved Management for Lower TCO: Administrative UI
  • 17. Improved Management for Lower TCO: Administrative UI
  • 18. Improved Management for Lower TCO: Administrative UI
  • 19. Improved Management for Lower TCO: Administrative UI
  • 20. Improved Management for Lower TCO: Administrative UI
  • 21. Citrix NetScaler Overview: Leading Application Delivery Controller. Available as a physical or virtual appliance, Citrix NetScaler is a comprehensive system deployed in front of application and database servers that combines high-speed load balancing and content switching with: Application acceleration; Highly-efficient data compression; Static and dynamic content caching; SSL acceleration; Application performance monitoring; Robust application security. Courtesy: Citrix Training Content. Diagram labels: B2B; B2C; P2P; Availability; Performance; Offload; Security; App Expert Admin; World-class L4-L7 load balancing; Intelligent service health monitoring; Caching; Compression; Connection pooling; Web 2.0 offload; SSL processing; Access Gateway SSL VPN; Application firewall
  • 22. Citrix NetScaler Platforms: Software and Hardware Appliances. NetScaler VPX: A virtual appliance. NetScaler MPX Platform Models: Hardware appliance for scale. NetScaler SDX: Platform for enterprise and cloud datacenters – Virtualized architecture, which effectively delivers multiple NetScaler instances running on a single NetScaler MPX appliance, with an advanced control plane for unified provisioning, monitoring and management for multi-tenant requirements – Can consolidate up to 80 independently-managed NetScaler instances with up to 120 Gbps of overall performance – Provides complete isolation so that memory, CPU cycles and SSL capacity can be divided and definitively assigned to different NetScaler instances. Courtesy: Citrix Training Content
  • 23. CA Access Gateway for Citrix NetScaler SDX: Virtual Appliance built on Red Hat Enterprise Linux (RHEL) in Citrix-supported XVA format and deployed on NetScaler SDX platform; All standard features of CA Access Gateway, which can be used after performing standard configurations (requires a configured CA Single Sign-On Policy Server); Can be dynamically provisioned and managed from Citrix NetScaler SDX administrative interface; Creates a VM with installed CA Access Gateway instance (takes the install parameters from provisioning UI); Monitor performance; Start, stop, reboot, upgrade, upgrade SDX tools etc. CA Single Sign-On integration use cases with Citrix NetScaler 10.5.x: SAML-based SSO authentication between Citrix NetScaler and CA Single Sign-On; Radius-based authentication from Citrix NetScaler through CA Single Sign-On; Full range of CA Single Sign-On authentication as well as granular authorization capabilities available via integration
  • 25. Support for Social Sign-On: Overview. Simple new user registration increases sign up rate. Use consumer identity for initial customer acquisition and low risk transactions. Collecting identity and device attributes allows for personalized marketing. Seamless sign-on encourages registration and enables targeted marketing. Sign on with stronger credentials when needed for high value transactions.
  • 26. Support for Social Sign-On: Use Case. User initiates a sign-on request using his social sign-on account (OAuth request). User is redirected to the selected remote authorization server and logs in. The OAuth flow is completed via the backchannel. If configured, user information is retrieved from the configured user information URL via the backchannel. Once authorized, the browser is redirected to the configured target page. If authorized but not found in the user store, JIT provisioning process can be launched (first time access/create account).
  • 27. Support for Social Sign-On: Requirements. Pre-configured OAuth authorization server support for: – Twitter (OAuth 1.0a) – Facebook, Google, LinkedIn, Microsoft (OAuth 2.0) – Many other OAuth Identity Providers. Client registration with the remote authorization server is required before creating partnership
  • 28. Support for Social Sign-On: Configuration. 1. Create the local OAuth client entity. 2. Create or modify the remote entity of an authorization server. 3. Create a partnership to configure single sign-on. 4. Migrate an OAuth authentication scheme to OAuth Partnership.
  • 29. Support for Social Sign-On: Create the local OAuth client identity. Select the appropriate OAuth version for your partnership.
  • 30. Support for Social Sign-On: Modify the remote entity of an authorization server.
  • 31. Support for Social Sign-On: Modify the remote entity of an authorization server. Google pre-configured remote entity
  • 32. Support for Social Sign-On: Create a partnership to configure single sign-on.
  • 33. Support for Social Sign-On: Create a partnership to configure single sign-on.
  • 34. Support for Social Sign-On: Create a partnership to configure single sign-on.
  • 35. Support for Social Sign-On: Create a partnership to configure single sign-on.
  • 36. Support for Social Sign-On: Migrate to OAuth partnership. Use both the OAuth authentication scheme and an OAuth partnership simultaneously. – Add the new redirect URL to the existing OAuth authentication scheme redirect URL. Use an OAuth partnership instead of the OAuth authentication scheme. – Update the existing redirect URL at the OAuth authorization server to the appropriate partnership redirect URL.
  • 37. Lab 1: Social Sign-On. In this lab you will: Create an OAuth Partnership
  • 38. Credential Handling Service: Overview. Simplified configuration for letting the end user choose the authentication provider; Supports identity providers using federation partnerships; Is deployed on the CA Access Gateway
  • 39. Credential Handling Service: Use Case. Make several federated partnerships available for login. The credential handling service shows the partnerships in the group. – An unauthenticated user requests a resource protected by CA SSO and is presented with the choice of identity providers – The user selects an identity provider to authenticate with – The selected partnership is invoked and the user is redirected to the identity provider for login and back to CA SSO – When the user is identified by CA SSO the user is redirected back to the original target page – When the user is not found by CA SSO provisioning can occur
  • 40. Credential Handling Service: Requirements. CA Access Gateway; Partnership between CA SSO and the enterprise (CA SSO) where protected resources exist; Partnership between CA SSO and identity providers
  • 41. Credential Handling Service: Configuration. 1. Configure partnerships to identity providers. 2. Create an authentication method group. 3. Configure a partnership to the enterprise. 4. Optionally customize the credential selector page.
  • 42. Credential Handling Service: Login Flow Detail (Registered User). An unauthenticated user invokes a partnership with CHS enabled. The user selects an identity provider and signs on. The identity provider generates an access token and redirects the user to the federation system (relying party). The federation system (relying party) verifies the access token, disambiguates the user, and generates a session. The federation system (asserting party) generates an assertion and redirects the user to the enterprise (relying party). The enterprise (relying party) verifies the assertion and gives the user access to the federated resource.
  • 43. Credential Handling Service: Create an authentication method group.
  • 44. Credential Handling Service: Configure a partnership to the enterprise. Partnership based on one of these authentication protocols: – SAML 1.1 – SAML 2.0 – WS-Federation SSO – Authentication mode = Credential Selector – Define the base URL – Select the previously created Authentication Method Group Target Application – SAML 1.1: Target – SAML 2.0 and WS-Federation: Relay State Overrides Target
  • 45. Credential Handling Service: Customize the header or footer. <install_path>\CA\secure-proxy\Tomcat\webapps\chs\jsps; Make a copy of the header.jsp file and name the new file header-custom.jsp. Make a copy of the footer.jsp file and name the new file footer-custom.jsp. Customize the new files as needed. Restart CA Access Gateway.
  • 46. Lab 2: Credential Handling Service. In this lab you will: Create an Authentication Method Group; Enable the Credential Handling Service
  • 48. Open Format Cookie = “agentless” SSO: Overview. Standards-based cookie directly read by applications. No agent or proxy installed between user and web server – Lower cost method for accomplishing basic SSO – Web applications decrypt (optional) and consume the standard cookie – Adds flexible option to a customer’s CA SSO architecture. For applications that have lower security requirements – No centralized auditing, CA SSO authorization or centralized session control. Web Agent in the CA SSO architecture used for protection and cookie generation
  • 49. Open Format Cookie: Use Case. When not possible/not convenient to deploy a Web Agent; Less stringent security and session control over applications; Generated in response to a successful authentication or authorization event
  • 50. Open Format Cookie: Configuration
  • 51. Web Services: SOAP and REST APIs
  • 52. SOAP and REST APIs: Overview. Web service interfaces for authentication and authorization; Deployed via CA Access Gateway; Supports SOAP (wsdl) and REST (wadl) architectures: http(s)://server:port/authazws/auth?wsdl and http(s)://server:port/authazws/AuthRestService/application.wadl; Lower cost method for integrating CA SSO services; Adds flexible option to a customer’s CA SSO architecture
  • 53. SOAP and REST APIs: Overview. Authn/Authz web services provide following functionality: login: Authenticates and returns session token (and optional identity token); blogin: (Boolean login) authenticates and verifies whether login is successful and does not return session token; logout: Logs out the user or group of users; authorize: Returns an authorization status message and a refreshed session token
  • 54. SOAP and REST APIs: Use Case. User accesses mobile gateway via smart phone. Mobile Gateway calls web service interface to authenticate user. Web service validates with CA SSO Policy Server. CA SSO validates/authorizes request. Web service provides validation/authorization status back to mobile gateway via session token. Mobile gateway requests content from web server. Content is returned to user. Diagram labels: User; Web Server; Policy Server; Secure Proxy Server; Mobile Gateway
  • 55. SOAP and REST APIs: Requirements. Determine and register a virtual host name (DNS entry, Hosts file). Protect the web services root URL.
  • 56. SOAP and REST APIs: Requirements. One or more agents to protect target applications against which callers authenticate; Realms, user directories, policies and responses that are required for authentication and authorization; A client program to issue authn/authz request to the web service on behalf of another application (see KB article TEC592437, Scenario: Working with the CA Single Sign-On Authentication and Authorization Web Services)
  • 57. SOAP and REST APIs: Configuration. 1. Create the ACO. 2. Enable the web services. 3. Configure the web services logs (optional).
  • 58. SOAP and REST APIs: Create the ACO. Agentname; EnableAuth/EnableAz; RequireAgentEnforcement
  • 59. SOAP and REST APIs: Enable the Web Services.
  • 60. SOAP and REST APIs: Configure the Web Services logs. Open file sps_home/proxy-engine/conf/webservicesagent/authaz-log4j.xml. Un-comment the AuthAZ_ROLLING appender tag: <appender name="AuthAZ_ROLLING" class="org.apache.log4j.DailyRollingFileAppender"> <param name="File" value="logs/authazws.log"/> <layout class="org.apache.log4j.PatternLayout"> <param name="ConversionPattern" value="%d %-5p [%c] -%m%n"/> </layout> </appender> Un-comment all occurrences of appender-ref for the tag: <appender-ref ref="AuthAZ_ROLLING"/> New log file: sps_home/proxy-engine/logs/authazws.log
  • 61. Lab 3: Web Services. In this lab you will: Enable the authentication and authorization Web Services
  • 62. Enhanced Session Assurance with DeviceDNA
  • 63. Enhanced Session Assurance With DeviceDNA: Overview. Improves upon existing authentication and session persistence capabilities; Enhancement to the authentication service and the Policy Server to allow for association of DeviceDNA; DeviceDNA is data unique to individual HTTP clients; CA Access Gateway and session store required to support the DeviceDNA collection
  • 64. Enhanced Session Assurance With DeviceDNA: Use Case. Combats session hijacking/session replay; Blocks the use of a stolen SMSESSION cookie; Included with CA SSO deployment and license (no additional SKUs)
  • 65. Enhanced Session Assurance With DeviceDNA: Requirements. Policy Server r12.52 or greater – Installs necessary components silently; CA Access Gateway r12.52 or greater; Session store; Agent configuration object used for CA Access Gateway configuration should have “.sac” in ignore extensions list
  • 66. Enhanced Session Assurance With DeviceDNA: Configuration. 1. Review the limitations. 2. Configure the CA Access Gateway. 3. Create Enhanced Session Assurance endpoints. 4. Add endpoints to realms or applications. 5. (Optional) Enable Enhanced Session Assurance on partnerships.
  • 67. Enhanced Session Assurance With DeviceDNA: Limitations. Web 2.0 clients; Custom agents; Clients that do not support JavaScript and cookies; POST preservation; Shared workstations; Authentication/authorization web services; Federation limitations – The SP side of a SAML 2.0 partnership. – HTTP-POST Authentication request bindings on the IDP side of a SAML 2.0 partnership.
  • 68. Enhanced Session Assurance With DeviceDNA: Configure the CA Access Gateway environment. Enter the advanced authentication server encryption key (from the installation or upgrade) in all Policy Servers. Enable the encryption by configuring the JVM with the JSafeJCE Security Provider. If multi-domain SSO is configured using a cookie provider Web Agent, the CA Access Gateway must be configured to run in the same domain as the cookie provider Web Agent.
  • 69. Enhanced Session Assurance With DeviceDNA: Create Enhanced Session Assurance endpoints. On the Global options, select create Session Assurance Endpoints.
  • 70. Enhanced Session Assurance With DeviceDNA: Create Enhanced Session Assurance endpoints.
  • 71. Enhanced Session Assurance With DeviceDNA: Add endpoints to realms or applications. To protect resources in realms, add session assurance endpoint.
  • 72. Enhanced Session Assurance With DeviceDNA: Enable Enhanced Session Assurance on partnerships. Available on the following partnerships: – The IdP side of an SP to IdP partnership – The Producer side of a Consumer to Producer partnership – The AP side of an RP to AP partnership
  • 73. Lab 4: Session Assurance. In this lab you will: Enable Enhanced Session Assurance with DeviceDNA
  • 74. For More Information: To learn more about Security, please visit: http://bit.ly/10WHYDm
  • 75. For Informational Purposes Only. Terms of this Presentation: © 2014 CA. All rights reserved. All trademarks referenced herein belong to their respective companies. This presentation provided at CA World 2014 is intended for information purposes only and does not form any type of warranty. Some of the specific slides with customer references relate to customer's specific use and experience of CA products and solutions so actual results may vary.
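
Added example (not from the presentation and not CA's implementation): a minimal Python model of the session-assurance idea on slides 63 and 64, where a session is bound to a fingerprint of the client that created it, so a copied SMSESSION cookie fails when replayed from another client. The attribute names, the `SessionStore` class and the sample clients are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical attribute names; the slides do not list what DeviceDNA collects.
FINGERPRINT_FIELDS = ("user_agent", "accept_language", "screen", "timezone")


class SessionStore:
    """In-memory stand-in for the session store that session assurance requires."""

    def __init__(self, key: bytes):
        self._key = key
        self._sessions = {}  # session token -> (user, keyed device digest)

    def _digest(self, device: dict) -> bytes:
        # Length-prefix each value so ("ab", "c") and ("a", "bc") cannot collide.
        values = (str(device.get(f, "")).encode() for f in FINGERPRINT_FIELDS)
        material = b"".join(len(v).to_bytes(4, "big") + v for v in values)
        # Keyed digest: the store never holds the raw device attributes.
        return hmac.new(self._key, material, hashlib.sha256).digest()

    def login(self, user: str, device: dict) -> str:
        """Create a session and bind it to the device that authenticated."""
        token = secrets.token_urlsafe(32)  # stands in for the SMSESSION value
        self._sessions[token] = (user, self._digest(device))
        return token

    def validate(self, token: str, device: dict):
        """Return the user for a valid session, otherwise None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound = entry
        if not hmac.compare_digest(bound, self._digest(device)):
            # Choice made in this sketch: a mismatch revokes the session,
            # so the real user has to sign on again.
            del self._sessions[token]
            return None
        return user


def demo():
    """Constructed scenario: the cookie is copied to a different client."""
    store = SessionStore(key=secrets.token_bytes(32))
    original = {"user_agent": "Browser/1.0", "accept_language": "en-US",
                "screen": "1920x1080", "timezone": "-300"}
    other = dict(original, user_agent="Script/0.1", screen="800x600")
    cookie = store.login("alice", original)
    return [
        store.validate(cookie, original),  # same client: accepted
        store.validate(cookie, other),     # copied cookie, other client: rejected
        store.validate(cookie, original),  # session was revoked by the mismatch
    ]


if __name__ == "__main__":
    print(demo())
```

A replay from a client that presents identical attributes still validates, so the check is only as strong as the collected attributes are unique to one client.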