Advanced Desktop Integration

Extend the capabilities of integrated windows authentication

Advanced Desktop Integration for CA Single Sign-On (formerly SiteMinder) extends the capabilities of Integrated Windows Authentication (IWA) beyond a pure Windows environment — providing a seamless fallback from IWA to custom forms-based authentication for CA Single Sign-On -protected applications.
In the office, users can silently authenticate to protected applications based on their Windows authentication. Away from the office, Desktop Integration for CA Single Sign-On displays a custom logon page for authentication. Users do not have to click an alternate URL nor select a menu option; fallback happens automatically.
As an administrator, you define a single policy set enabling IWA authentication with fallback to HTML forms-based authentication.

Features

  • Extended web browser support: Firefox, Chrome, and Internet Explorer
  • Improved user experience
  • Proven, standards-based technologies
  • Simplified deployment

Comparison of CA Global Delivery IWA+Forms solution to IDFC’s ADI solution.

  CA GD Solution IDFC ADI Solution
Uses AJAX No[i] Yes
Supports Firefox No Yes
Supports Chrome No Yes[ii]
App container IIS with ASP support installed Any Java Servlet Container with any front-end web server + agent>[iii]
Configurable No Yes – all needed parameters are configured via the deployment descriptor and/or SiteMinder responses
Allows apps to specify their own login forms No Yes – in addition to a default login form, each app protected using ADI can specify its own login form URL
Passes OWASP[iv] security scan No – uses an open redirect relay vulnerable to XSS[v] Yes – uses a closed, configurable redirect
Bypass IWA test by source IP No Yes – allows configuration of known source IP networks where IWA is supported
Bypass IWA test by OS No Yes – will only perform the IWA check for Windows platforms
Bypass IWA test for mobile devices No Yes – will not perform the IWA check from mobile devices
Tested with SM 6, R12, and R12.5 Unknown Yes – IDFC is actively developing and maintaining this solution

[i] The GD solution uses the MS ActiveX control which predates AJAX and is deprecated by Microsoft after IE6

[ii] Chrome briefly displays a non-modal dialog when IWA fails – this limitation in inherent in Chrome

[iii] An IIS + agent is still required somewhere in the environment to provide the SM IWA challenge e.g. /siteminderagent/ntlm/creds.ntc

[v] A redirect that allows the browser to specify any arbitrary target URL

Implementation

Desktop Integration for CA Single Sign-On employs an Apache web server and Tomcat servlet engine. A streamlined deployment package is included. The application will take advantage of IWA and only display a logon page when IWA is not available.

Contact Us for Assistance