Custom Authentication Module

This guide provides instructions to configure the HYPR Custom Authentication Scheme in CA Single Sign-On (CA SSO) to enable passwordless authentication.


  • Access to CA SSO administrative console.
  • Access to HYPR Control Center.
  • Contact HYPR support to acquire the HYPR Custom Authentication Scheme for CA SSO (HyprAuthScheme.jar) and HYPR Client SDK (java-client-xxx.jar) JAR files.
  • HYPR Custom Login Form (hypr_login.fcc).
  • A test web app/resource protected with CA SSO. When the user tries to access this web app, CA SSO will use HYPR for passwordless authentication.

Deploy Custom Authentication Scheme JAR files

Stop the CA SSO Policy Server service.

Place JAR files (HyprAuthScheme.jar and java-client-xxx.jar) in the following directory of CA SSO Policy Server:

Edit JVMOptions.txt in a text editor. This file should be located on CA SSO Policy Server in the following directory:

In JVMOptions.txt, locate the "-Djava.class.path" parameter and add the full paths to the above two JAR files, as shown below.

Start the CA SSO Policy Server service.


Configure HYPR Custom Authentication Scheme

Log into CA SSO admin console.

Navigate to:
Infrastructure > Authentication > Authentication Schemes.


Click on "Create Authentication Scheme".
Select "Create a new object of type Authentication Scheme" and click OK.

Field Name | Description
Name | Enter a name. For example, HyprAuthScheme
Authentication Scheme Type | Custom Template
Protection Level | Enter a desired Protection level or keep the default value
Password Policies enabled for this Authentication Scheme | Leave default value
Secret | Not required. Leave it blank
Confirm Secret | Not required. Leave it blank

com.netegrity.sdk.javaauthapi.HyprAuthScheme /siteminderagent/forms/hypr_login.fcc;HyprServerBaseURL=;HyprAppId=sampleApp;HyprRegURL=https://

Details are below.

HYPR Custom Authentication Scheme: com.netegrity.sdk.javaauthapi.HyprAuthScheme

Custom login page:
This page does not have a password field as HYPR enables passwordless authentication.

Base URL for your HYPR server.

Application ID from your HYPR Control Center.

If a user attempts passwordless authentication without first registering a device, they will be redirected to this URL/page to initiate a device registration flow.

Note: There is a space between
com.netegrity.sdk.javaauthapi.HyprAuthScheme and

Enable this scheme for CA Single Sign-On Administrators | Not required. Select per your environment.
Persist Authentication Session Variables | Not required. Select per your environment.

Ensure that there is a space between the Java Class name and other parameters as shown below.


Click Submit.
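
A pre-flight check for the parameter string described above, as an added example (not HYPR's or CA's code). The grammar is inferred from the single sample string in this guide; the https requirement for both URLs and the hypr.example.com hostnames are assumptions.

```python
from urllib.parse import urlparse

CLASS_NAME = "com.netegrity.sdk.javaauthapi.HyprAuthScheme"
REQUIRED_KEYS = ("HyprServerBaseURL", "HyprAppId", "HyprRegURL")
URL_KEYS = ("HyprServerBaseURL", "HyprRegURL")

# Template exactly as printed in the guide (values still unfilled).
PAGE_TEMPLATE = (CLASS_NAME + " /siteminderagent/forms/hypr_login.fcc;"
                 "HyprServerBaseURL=;HyprAppId=sampleApp;HyprRegURL=https://")
# Constructed sample with placeholder hostnames, not a real deployment.
FILLED_SAMPLE = (CLASS_NAME + " /siteminderagent/forms/hypr_login.fcc;"
                 "HyprServerBaseURL=https://hypr.example.com;HyprAppId=sampleApp;"
                 "HyprRegURL=https://hypr.example.com/register")


def check_scheme_parameter(param):
    """Return a list of problems in the parameter string (empty list = OK)."""
    problems = []
    head, sep, rest = param.strip().partition(" ")
    if head != CLASS_NAME:
        problems.append("must start with " + CLASS_NAME + " followed by a space")
    if not sep or rest != rest.strip():
        problems.append("need exactly one space between class name and parameters")
        return problems
    form, *pairs = rest.split(";")
    if not (form.startswith("/") and form.endswith(".fcc")):
        problems.append(f"login form should be an absolute .fcc path, got {form!r}")
    settings = {}
    for pair in pairs:
        key, eq, value = pair.partition("=")
        if not eq or not key.strip():
            problems.append(f"malformed key=value pair: {pair!r}")
        elif key.strip() in settings:
            problems.append(f"duplicate key: {key.strip()}")
        else:
            settings[key.strip()] = value.strip()
    for key in REQUIRED_KEYS:
        if not settings.get(key):
            problems.append(f"{key} is missing or empty")
    for key in URL_KEYS:  # assumption: both URLs should be full https:// URLs
        url = urlparse(settings.get(key, ""))
        if settings.get(key) and (url.scheme != "https" or not url.hostname):
            problems.append(f"{key} must be a full https:// URL")
    return problems


if __name__ == "__main__":
    for label, value in (("template", PAGE_TEMPLATE), ("filled", FILLED_SAMPLE)):
        print(label, check_scheme_parameter(value) or "OK")
```

Running it against the unfilled template reports the empty HyprServerBaseURL and the bare https:// in HyprRegURL, which is a quick way to catch a string pasted into the console before the placeholders were replaced.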


Select HYPR Authentication Scheme for a Realm

Log into CA SSO admin console.

Navigate to:
Policies > Domain > Domains

Select a domain to edit by clicking on the pencil icon.


Select the Realms tab.


Select/edit a realm by clicking on the small arrow icon.

For "Authentication Scheme" expand the drop-down and select "HyprAuthScheme".

Click OK.
Click Submit.


Deploy HYPR Custom Login Form (hypr_login.fcc)

HYPR provides a simple custom login form (hypr_login.fcc) for passwordless authentication. This is a sample form without a password field.

Open hypr_login.fcc in a text editor and replace "" with the URL of your HYPR server.


Deploy hypr_login.fcc to CA SSO Secure Proxy Server. It can be deployed in the following directory:


Figure: hypr_login.fcc

Please note that if you make any changes to hypr_login.fcc, you may need to restart the CA Access Gateway Engine service.



Access a CA SSO protected or federated web application. The user will see the hypr_login.fcc.
The user can enter a username and continue with the passwordless authentication flow.