Advanced Desktop Integration

Advanced Desktop Integration for CA Single Sign-On (formerly SiteMinder) extends the capabilities of Integrated Windows Authentication (IWA) beyond a pure Windows environment, providing a seamless fallback from IWA to custom forms-based authentication for applications protected by CA Single Sign-On.

In the office, users can silently authenticate to protected applications based on their Windows authentication. Away from the office, Desktop Integration for CA Single Sign-On displays a custom logon page for authentication. Users do not have to click an alternate URL or select a menu option; fallback happens automatically.

As an administrator, you define a single policy set enabling IWA authentication with fallback to HTML forms-based authentication.

Features

  • Extended web browser support: Firefox, Chrome, and Internet Explorer
  • Improved user experience
  • Proven, standards-based technologies
  • Simplified deployment

Comparison

Comparison of the CA Global Delivery (GD) IWA+Forms solution with IDFC’s ADI solution:

| | CA GD Solution | IDFC ADI Solution |
|---|---|---|
| Uses AJAX | No[i] | Yes |
| Supports Firefox | No | Yes |
| Supports Chrome | No | Yes[ii] |
| App container | IIS with ASP support installed | Any Java Servlet Container with any front-end web server + agent[iii] |
| Configurable | No | Yes – all needed parameters are configured via the deployment descriptor and/or SiteMinder responses |
| Allows apps to specify their own login forms | No | Yes – in addition to a default login form, each app protected using ADI can specify its own login form URL |
| Passes OWASP[iv] security scan | No – uses an open redirect relay vulnerable to XSS[v] | Yes – uses a closed, configurable redirect |
| Bypass IWA test by source IP | No | Yes – allows configuration of known source IP networks where IWA is supported |
| Bypass IWA test by OS | No | Yes – will only perform the IWA check for Windows platforms |
| Bypass IWA test for mobile devices | No | Yes – will not perform the IWA check from mobile devices |
| Tested with SM 6, R12, and R12.5 | Unknown | Yes – IDFC is actively developing and maintaining this solution |

[i] The GD solution uses the MS ActiveX control, which predates AJAX and was deprecated by Microsoft after IE6.

[ii] Chrome briefly displays a non-modal dialog when IWA fails; this limitation is inherent in Chrome.

[iii] An IIS + agent is still required somewhere in the environment to provide the SM IWA challenge, e.g. /siteminderagent/ntlm/creds.ntc

[v] A redirect that allows the browser to specify any arbitrary target URL

Implementation

Desktop Integration for CA Single Sign-On employs an Apache web server and Tomcat servlet engine. A streamlined deployment package is included. The application takes advantage of IWA and displays a logon page only when IWA is not available.
