
2 factor authentication function in Automic


Article ID: 230250

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

How to enable two-factor authentication for Automic.

Environment

Release : 12.3

Component :

Resolution

Example of how to set up Auth0 (auth0.com) as a SAML IdP for SSO with the Automation Engine

  1. Create an account at auth0.com
  2. Users and Roles -> User -> create one or more AE users
    • The user name has to match the user name in the AE (without the department part). Alternatively, the name part (local part) of the email address can be used to map the AE user name; in that case remove the first entry under "nameIdentifierProbes" in the settings (see below).
    • Create the user with an email address, then edit the user and change the name to the required AE name.
  3. Multifactor Authentication: navigate to the Multifactor Auth section.
    • Choose the MFA method to be used.
    • For Push, install the Auth0 Guardian app on your mobile device.

  4. Applications -> Create Application -> create a Regular Web Application and give it a name, e.g. AE.
    • Ignore the section "What technology are you using for your web app?" and select Addons from the title bar.

    • Choose SAML2 Web App
    • Application Callback URL: enter the URL where your AWI is reachable
    • Settings: Replace the contents from the settings field with the following and save it:
      {
        "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "nameIdentifierProbes": [
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
        ],
        "mappings": {},
        "createUpnClaim": false,
        "passthroughClaimsWithNoMapping": false,
        "mapUnknownClaimsAsIs": false,
        "mapIdentities": false,
        "signatureAlgorithm": "rsa-sha256",
        "signResponse": true
      }
    • Select Usage from the title bar and click Download in the Metadata section.

  5. In UC_SAML_SETTINGS: create a department key, e.g. AUTH0, and use the downloaded metadata as the value.
    • IMPORTANT: Auth0 supports signing either the whole response OR the assertion only, but not both. AE expects both to be signed by default, but at least the response. In the Auth0 settings above, the parameter "signResponse": true ensures that the response is signed. You have to adjust this in the SP metadata as well by setting:
      <md:EntityDescriptor .....">
          <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
        
  6. Log in using SAML as the Login Type and, following the previous example, AUTH0 as the department.
    • You should now be redirected to the IdP, where you have to authenticate once with the credentials defined in the user settings.
    • If MFA is enabled and the Auth0 Guardian app is installed on your mobile device, you should receive an authentication request on it. Confirm it.
    • Now the IdP returns a SAML assertion. If the user name returned from Auth0 matches a user in the AE with department AUTH0, the response is validated successfully and you are logged in.
    • The next login request is processed automatically without the need to enter your credentials again.
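The two places where this setup most often breaks are the signing rule in step 5 (Auth0 signs the response or the assertion, never both, while AE needs at least the response) and the NameID mapping in step 2 (Auth0 user name versus the name part of the email address). The following Python script is an added example, not part of the article or of any Automic or Auth0 tooling: it cross-checks the Auth0 addon settings JSON from step 4 against an SP metadata file and derives the AE user name from the NameID the IdP sends. The SP metadata, its entityID and the AWI URL are constructed placeholders, and stripping the email domain to obtain the AE name is this example's assumption about how the email-based mapping is meant.

```python
import json
import xml.etree.ElementTree as ET
from typing import List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# The Auth0 SAML2 Web App addon settings exactly as given in the article.
AUTH0_SETTINGS = """{
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "mappings": {},
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "signatureAlgorithm": "rsa-sha256",
  "signResponse": true
}"""

# Constructed SP metadata: entityID and AWI URL are placeholders, not a real installation.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://awi.example.invalid/awi">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://awi.example.invalid/awi/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _flag(element: ET.Element, attr: str) -> bool:
    """Read an XML boolean attribute; an absent attribute counts as false."""
    return element.get(attr, "false").strip().lower() == "true"


def check_signing_config(settings_json: str, sp_metadata_xml: str) -> List[str]:
    """Return findings where the Auth0 addon settings and the SP metadata disagree.

    An empty list means both sides follow the article's rule: Auth0 signs the
    response OR the assertion, and AE needs at least the response signed.
    """
    settings = json.loads(settings_json)
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find("{%s}SPSSODescriptor" % MD_NS)
    if sp is None:
        return ["SP metadata contains no SPSSODescriptor"]

    findings = []
    sign_response = bool(settings.get("signResponse", False))
    want_assertions = _flag(sp, "WantAssertionsSigned")

    if not sign_response:
        findings.append("signResponse is false: AE requires at least the SAML response to be signed")
    if sign_response and want_assertions:
        findings.append("signResponse=true together with WantAssertionsSigned=true: "
                        "Auth0 signs only one of them, so AE would reject the unsigned assertion")
    if not _flag(sp, "AuthnRequestsSigned"):
        findings.append("AuthnRequestsSigned is not true in the SP metadata")
    if settings.get("signatureAlgorithm", "").lower().endswith("sha1"):
        findings.append("signatureAlgorithm uses SHA-1; keep rsa-sha256 as in the article")
    return findings


def ae_user_from_nameid(name_id: str, probes: List[str]) -> str:
    """Map the NameID Auth0 sends to the AE user name (without the department).

    With the name claim first in nameIdentifierProbes the NameID is the Auth0
    user name and is used as-is. With the name probe removed, Auth0 falls back
    to the email address; taking the part before '@' as the AE name is this
    example's assumption about the mapping the article describes.
    """
    if not probes:
        raise ValueError("nameIdentifierProbes must not be empty")
    if probes[0] == NAME_CLAIM:
        return name_id
    if probes[0] == EMAIL_CLAIM:
        return name_id.split("@", 1)[0]
    raise ValueError("unsupported first probe: %s" % probes[0])


if __name__ == "__main__":
    problems = check_signing_config(AUTH0_SETTINGS, SP_METADATA)
    print("signing configuration:", "consistent" if not problems else problems)
    probes = json.loads(AUTH0_SETTINGS)["nameIdentifierProbes"]
    print(ae_user_from_nameid("JSMITH", probes))                    # name probe first
    print(ae_user_from_nameid("jsmith@example.invalid", probes[1:]))  # name probe removed
```

Run it once against the metadata you actually downloaded from Auth0 (replace the SP_METADATA placeholder) before flipping users to SAML; a non-empty findings list in the first check is the configuration that produces the "response validated but assertion rejected" login failure the IMPORTANT note in step 5 warns about.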