ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Failback Authentication mechanism

book

Article ID: 198954

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

For SSO enabled URL, we have enabled IWA SSO. Users are able to authenticate successfully, incase if IWA fails user will be directed to IWA authentication prompt. 

I would like to know, if IWA fails can we direct the user to other authentication prompt using Failback. Please help asap, this is impacting user experience.

If any questions, I can be reachable at +91 9885938144 during IST time zone (11 AM IST to 10 PM IST).

Environment

Release : 12.7

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

Auth chaining is only supported with the authentication schemes used in the chaining hosted on Access Gateway (SPS).

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-chaining.html

Authentication Chaining supports both kerberos and IWA Failover to a Forms authentication.

If using IWA Authentication, then Access Gateway must be installed on a Supported Windows OS a member server of the domain.

Reference:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-chaining/configure-iwa-fallback-to-forms-using-authentication-chain.html

and

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/ca-access-gateway-configuration/configure-ca-access-gateway-to-support-integrated-windows-authentication.html

To confirm the following requirements for IWA Failover to Forms.

Access Gateway deployed on Support Windows Server
as a member server of the same domain or trusted domain as the users.
Both IWA and Form must be hosted on Access Gateway.