Client authentication vulnerability concerns with identity Manager
Article ID: 190102
Products
CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Identity Suite
Issue/Introduction
We have the below vulnerability concern in IDM.
TEWS and UWS services have no apparent client application authentication or authorization. This makes it difficult to ensure only valid clients are operating on customer identities and to trace all flows of a particular kind (e.g. pwd reset). Application clients of this API should authenticate and be authorized for the specific methods they need. A dev framework and OAuth CCG are a few acceptable ways to accomplish this. This allows for tracking of clients and provides control over the most sensitive methods (e.g. login with uuid/username, reset password, etc.).
Does IDM have any authentication mechanism to validate the client before servicing their request?
Environment
Release:
Component: IdentityMinder (Identity Manager)
Resolution
In Identity Manager, authentication and authorization are performed per user and according to that user's assigned roles, not per client service or calling application.
Broadcom does have other security products available that can monitor and control which applications, devices, IP addresses, etc. may access a web site, but IDM itself does not include this functionality.
Your Broadcom account team will be able to direct you to the appropriate solutions.