Identity Suite SSO Protection
search cancel

Identity Suite SSO Protection

book

Article ID: 91822

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

We are integrating the Identity Suite with CA SSO. We are looking for some advice on how to best protect the ID Suite Admin console such that it is not accessible from the internet. Once we protect the Admin Portal w/ SSO, this will make it so that anyone with knowledge of the Admin portal URL and admin/password can log in and potentially cause harm through the Admin Portal. We would want to protect the User Portal with SSO, and leave the Admin Portal with native authentication.

Environment

Release:
Component: IDSVA

Resolution

http://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-portal/14-1/integrating/protecting-ca-identity-portal-with-ca-single-sign-on.html#ProtectingCAIdentityPortalwithCASingleSign-On-AddRealmstoCAIdentityPortalDomain

We find this statement: CA SSO Login Page URLs To access the Identity Portal using CA SSO, users should browse to the following CA SSO protected address: /sigma/ if you look at the Realm s config section it asks you to start with the parent resource. unlike IM where the protection is based on /im//* the protection with portal starts at the base /sigma/ then you set sub Realms either protected or unprotected. but we do not document the resources associated with the admin console and differentiate from the user console, probably because of shared resources, such as the logout url and functionality. The protection is all or nothing, you could try to create sub Realm and set it to not protected, but this is not documented and not certified. Basically we have not tried it yet.