Client authentication vulnerability concerns with Identity Manager

Article ID: 190102

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

We have the below vulnerability concern in IDM.

TEWS and UWS services have no apparent client application authentication or authorization. This makes it difficult to ensure only valid clients are operating on customer identities and to trace all flows of a particular kind (e.g. password reset). Application clients of this API should authenticate and be authorized for the specific methods they need. A dev framework or OAuth CCG are a few acceptable ways to accomplish this. This allows for tracking of clients and provides control over the most sensitive methods (e.g. login with UUID/username, reset password, etc.).

Does IDM have any authentication mechanism to validate the client before servicing their request?

Environment

Release :

Component : IdentityMinder(Identity Manager)

Resolution

In Identity Manager, authentication and authorization are performed per user and according to that user's assigned roles, not per client service or calling application.

Broadcom does have other security products that can monitor and control which applications, devices, IP addresses and so on may access a web site, but IDM itself does not include this functionality.
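Since IDM authorizes only the end user, the control the question asks for (knowing which application is calling, and limiting each application to the methods it needs) has to live in front of the service. The block below is an added illustration, not Identity Manager code and not any Broadcom product: a minimal gateway-side check in which each calling application authenticates with an HMAC over its request and is then authorized against a per-client method allowlist, with every decision recorded under the client id so flows such as password resets can be traced back to a caller. The client names, secrets, method names and the signature format are all constructed for the example.

```python
"""Constructed example of per-client authentication plus method-level
authorization placed in front of a user-authenticated API such as a
TEWS/UWS endpoint. Not part of Identity Manager; all names are made up."""
import hashlib
import hmac
import time

# Registry of known calling applications (constructed sample data).
# In a real deployment the secrets would come from a secret store, not
# a module-level dict; they are inline here so the example runs offline.
CLIENT_REGISTRY = {
    "helpdesk-portal": {
        "secret": b"helpdesk-secret-EXAMPLE",
        "allowed_methods": {"getUser", "resetPassword"},
    },
    "hr-feed": {
        "secret": b"hr-feed-secret-EXAMPLE",
        "allowed_methods": {"createUser", "modifyUser"},
    },
}

MAX_SKEW_SECONDS = 300   # how old a signed request may be before it is refused

AUDIT_LOG = []           # every decision is kept with the client id for tracing


def _canonical(client_id, method, timestamp, body):
    """The exact bytes both sides sign: client, method, time and body."""
    return f"{client_id}\n{method}\n{timestamp}\n".encode() + body


def sign_request(client_secret, client_id, method, body, timestamp):
    """Client side: the HMAC-SHA256 a calling application attaches."""
    return hmac.new(client_secret, _canonical(client_id, method, timestamp, body),
                    hashlib.sha256).hexdigest()


def authorize_client(client_id, method, body, timestamp, signature, now=None):
    """Gateway side. Returns (allowed, reason) and records the decision.

    Checks run in order: known client, fresh timestamp, valid signature,
    then whether this client is permitted to call this method.
    """
    now = time.time() if now is None else now
    entry = CLIENT_REGISTRY.get(client_id)
    if entry is None:
        decision = (False, "unknown client")
    elif abs(now - timestamp) > MAX_SKEW_SECONDS:
        decision = (False, "stale timestamp")
    else:
        expected = sign_request(entry["secret"], client_id, method, body, timestamp)
        # compare_digest avoids leaking the expected value through timing
        if not hmac.compare_digest(expected, signature):
            decision = (False, "bad signature")
        elif method not in entry["allowed_methods"]:
            decision = (False, "method not permitted for client")
        else:
            decision = (True, "ok")
    AUDIT_LOG.append({"client": client_id, "method": method,
                      "allowed": decision[0], "reason": decision[1]})
    return decision


if __name__ == "__main__":
    ts = int(time.time())
    body = b'{"user": "alice"}'
    sig = sign_request(b"helpdesk-secret-EXAMPLE", "helpdesk-portal",
                       "resetPassword", body, ts)
    print(authorize_client("helpdesk-portal", "resetPassword", body, ts, sig))
    print(authorize_client("helpdesk-portal", "createUser", body, ts, sig))
    for line in AUDIT_LOG:
        print(line)
```

The per-user check IDM already performs still runs behind this gate; the gate only answers the separate question of which application is calling and whether that application may invoke the method at all, which is what makes the audit trail attributable to a client rather than only to an end user.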

Your Broadcom account team will be able to direct you to the appropriate solutions.