For SSO enabled URL, we have enabled IWA SSO. Users are able to authenticate successfully, incase if IWA fails user will be directed to IWA authentication prompt. 

I would like to know, if IWA fails can we direct the user to other authentication prompt using Failback. Please help asap, this is impacting user experience.

If any questions, I can be reachable at +91 9885938144 during IST time zone (11 AM IST to 10 PM IST).

Release : 12.7

Component : SITEMINDER -WEB AGENT FOR APACHE

Auth chaining is only supported with the authentication schemes used in the chaining hosted on Access Gateway (SPS).

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-chaining.html

Authentication Chaining supports both kerberos and IWA Failover to a Forms authentication.

If using IWA Authentication, then Access Gateway must be installed on a Supported Windows OS a member server of the domain.

Reference:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-chaining/configure-iwa-fallback-to-forms-using-authentication-chain.html

and

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication.html

To confirm the following requirements for IWA Failover to Forms.

Access Gateway deployed on Support Windows Server
as a member server of the same domain or trusted domain as the users.
Both IWA and Form must be hosted on Access Gateway.