Advanced Desktop Integration
Extend the capabilities of Integrated Windows Authentication
Advanced Desktop Integration for CA Single Sign-On (formerly SiteMinder) extends the capabilities of Integrated Windows Authentication (IWA) beyond a pure Windows environment, providing a seamless fallback from IWA to custom forms-based authentication for applications protected by CA Single Sign-On.
In the office, users can silently authenticate to protected applications based on their Windows authentication. Away from the office, Desktop Integration for CA Single Sign-On displays a custom logon page for authentication. Users do not have to click an alternate URL or select a menu option; fallback happens automatically.
As an administrator, you define a single policy set enabling IWA authentication with fallback to HTML forms-based authentication.
- Extended web browser support: Firefox, Chrome, and Internet Explorer
- Improved user experience
- Proven, standards-based technologies
- Simplified deployment
Comparison of CA Global Delivery IWA+Forms solution to IDFC’s ADI solution.
| Feature | CA GD Solution | IDFC ADI Solution |
|---|---|---|
| App container | IIS with ASP support installed | Any Java Servlet Container with any front-end web server + agent[iii] |
| Configurable | No | Yes – all needed parameters are configured via the deployment descriptor and/or SiteMinder responses |
| Allows apps to specify their own login forms | No | Yes – in addition to a default login form, each app protected using ADI can specify its own login form URL |
| Passes OWASP[iv] security scan | No – uses an open redirect relay vulnerable to XSS[v] | Yes – uses a closed, configurable redirect |
| Bypass IWA test by source IP | No | Yes – allows configuration of known source IP networks where IWA is supported |
| Bypass IWA test by OS | No | Yes – will only perform the IWA check for Windows platforms |
| Bypass IWA test for mobile devices | No | Yes – will not perform the IWA check from mobile devices |
| Tested with SM 6, R12, and R12.5 | Unknown | Yes – IDFC is actively developing and maintaining this solution |
[i] The GD solution uses the MS ActiveX control, which predates AJAX and is deprecated by Microsoft after IE6.
[ii] Chrome briefly displays a non-modal dialog when IWA fails – this limitation is inherent in Chrome.
[iii] An IIS + agent is still required somewhere in the environment to provide the SM IWA challenge, e.g. /siteminderagent/ntlm/creds.ntc
[v] A redirect that allows the browser to specify any arbitrary target URL
Desktop Integration for CA Single Sign-On employs an Apache web server and Tomcat servlet engine. A streamlined deployment package is included. The application will take advantage of IWA and only display a logon page when IWA is not available.