Custom Authentication Module

This guide provides instructions to configure the HYPR Custom Authentication Scheme in CA Single Sign-On (CA SSO) to enable passwordless authentication.

Prerequisites

  • Access to CA SSO administrative console.
  • Access to HYPR Control Center.
  • Contact HYPR support to obtain the HYPR Custom Authentication Scheme for CA SSO (HyprAuthScheme.jar) and the HYPR Client SDK (java-client-xxx.jar) JAR files.
  • HYPR Custom Login Form (hypr_login.fcc).
  • A test web app/resource protected with CA SSO. When a user tries to access this web app, CA SSO will use HYPR for passwordless authentication.

Deploy Custom Authentication Scheme JAR files

Stop the CA SSO Policy Server service.

Place JAR files (HyprAuthScheme.jar and java-client-xxx.jar) in the following directory of CA SSO Policy Server:
<Install_Dir>/CA/siteminder/bin/thirdparty/

Edit JVMOptions.txt in a text editor. This file should be located on CA SSO Policy Server in the following directory:
<Install_Dir>/CA/siteminder/config

In JVMOptions.txt, locate the "-Djava.class.path" parameter and append the full paths of the two JAR files, for example:

;C:/CA/siteminder/bin/thirdparty/HyprAuthScheme.jar;C:/CA/siteminder/bin/thirdparty/java-client-3.2.1.jar

The example uses the Windows classpath separator (";"); on a Linux/UNIX Policy Server the Java classpath separator is ":".

Start the CA SSO Policy Server service.
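Before restarting the Policy Server it is worth confirming that the classpath entry actually resolves, since a mistyped path or a wrong separator only shows up as a class-loading failure at runtime. The following is an added example, not HYPR's or CA's tooling: it parses a JVMOptions.txt-style file, splits -Djava.class.path with the separator for the target OS, and checks that the required JARs exist and that one of them contains the class named in the Parameter field. The stub JARs and the JVMOptions.txt contents built in demo() are constructed for the example.

```python
"""Preflight check for the HYPR scheme JARs on a CA SSO Policy Server.

Added example, not HYPR's or CA's tooling. It assumes the layout this guide
describes: the two JARs under bin/thirdparty and a JVMOptions.txt whose
-Djava.class.path entry lists them with full paths.
"""
import os
import tempfile
import zipfile

# Class named in the Parameter field; HyprAuthScheme.jar must actually ship it.
SCHEME_CLASS = "com.netegrity.sdk.javaauthapi.HyprAuthScheme"
# Basename prefixes that must appear on the classpath (client JAR is versioned).
REQUIRED_PREFIXES = ("HyprAuthScheme", "java-client-")


def classpath_entries(jvmoptions_text, os_name):
    """Return the paths in -Djava.class.path, split with the separator Java
    uses on the target OS: ';' on Windows, ':' everywhere else. Splitting a
    Windows classpath on ':' would cut 'C:/...' at the drive letter."""
    sep = ";" if os_name == "nt" else ":"
    prefix = "-Djava.class.path="
    for line in jvmoptions_text.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            return [p for p in line[len(prefix):].split(sep) if p]
    return []


def check_jars(entries, scheme_class=SCHEME_CLASS):
    """Verify the required JARs are listed, every listed JAR exists and is a
    valid archive, and one of them contains the scheme class.
    Returns a list of problem strings; an empty list means the check passed."""
    problems = []
    basenames = [os.path.basename(p) for p in entries]
    for pfx in REQUIRED_PREFIXES:
        if not any(b.startswith(pfx) for b in basenames):
            problems.append(f"no {pfx}*.jar on -Djava.class.path")
    class_entry = scheme_class.replace(".", "/") + ".class"
    found_class = False
    for path in entries:
        if not path.lower().endswith(".jar"):
            continue
        if not os.path.isfile(path):
            problems.append(f"missing file: {path}")
            continue
        try:
            with zipfile.ZipFile(path) as zf:
                if class_entry in zf.namelist():
                    found_class = True
        except zipfile.BadZipFile:
            problems.append(f"not a valid JAR: {path}")
    if not found_class:
        problems.append(f"{scheme_class} not found in any listed JAR")
    return problems


def demo():
    """Build a throwaway tree with stub JARs (constructed data, not real HYPR
    artifacts) plus a matching JVMOptions.txt, and run the check against it."""
    root = tempfile.mkdtemp()
    thirdparty = os.path.join(root, "bin", "thirdparty")
    os.makedirs(thirdparty)
    scheme_jar = os.path.join(thirdparty, "HyprAuthScheme.jar")
    with zipfile.ZipFile(scheme_jar, "w") as zf:
        # Only the entry name matters for this check; the body is a stub.
        zf.writestr(SCHEME_CLASS.replace(".", "/") + ".class", b"\xca\xfe\xba\xbe")
    client_jar = os.path.join(thirdparty, "java-client-3.2.1.jar")
    with zipfile.ZipFile(client_jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    sep = ";" if os.name == "nt" else ":"
    jvmoptions = "-Xms128m\n-Djava.class.path=" + sep.join([scheme_jar, client_jar]) + "\n"
    return check_jars(classpath_entries(jvmoptions, os.name))


if __name__ == "__main__":
    for line in demo() or ["classpath check passed"]:
        print(line)
```

To run it against a real server, read the actual JVMOptions.txt and pass its text plus os.name to classpath_entries(), then feed the result to check_jars(); any non-empty result is something to fix before starting the Policy Server.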

Configure HYPR Custom Authentication Scheme

Log into CA SSO admin console.

Navigate to:
Infrastructure > Authentication > Authentication Schemes.


Click on "Create Authentication Scheme".
Select "Create a new object of type Authentication Scheme" and click OK.

Fill in the fields as follows (Field Name: Description):

Name: Enter a name, for example HyprAuthScheme.
Authentication Scheme Type: Custom Template
Protection Level: Enter the desired protection level or keep the default value.
Password Policies enabled for this Authentication Scheme: Leave the default value.
Library: smjavaapi
Secret: Not required. Leave it blank.
Confirm Secret: Not required. Leave it blank.
Parameter: Example:
com.netegrity.sdk.javaauthapi.HyprAuthScheme /siteminderagent/forms/hypr_login.fcc;HyprServerBaseURL=https://test.gethypr.com;HyprAppId=sampleApp;HyprRegURL=https://test.gethypr.com/hyprsp

The Parameter value is made up of the following parts:

HYPR Custom Authentication Scheme class: com.netegrity.sdk.javaauthapi.HyprAuthScheme

Custom login page:
/siteminderagent/forms/hypr_login.fcc
This page has no password field, as HYPR provides passwordless authentication.

HyprServerBaseURL:
Base URL of your HYPR server.

HyprAppId:
Application ID from your HYPR Control Center.

HyprRegURL:
If a user attempts passwordless authentication without first registering a device, they are redirected to this URL to start the device registration flow.

Note: There is a single space between
com.netegrity.sdk.javaauthapi.HyprAuthScheme and
/siteminderagent/forms/hypr_login.fcc
The remaining settings are separated by semicolons.

Enable this scheme for CA Single Sign-On Administrators: Not required. Select per your environment.
Persist Authentication Session Variables: Not required. Select per your environment.

Ensure that there is a space between the Java class name and the .fcc path, as shown in the Parameter example above.
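A quick way to catch the mistakes this section warns about, a missing space before the .fcc path or a malformed URL such as a doubled "https://", is to validate the Parameter string before clicking Submit. The following is an added example, not HYPR's or CA's code. It assumes only the format shown above (class name, a space, the .fcc path, then semicolon-separated Key=Value settings with the three HYPR keys); the https-only rule is this example's own check, not a requirement stated by the guide.

```python
"""Validator for the Parameter field of the HYPR custom authentication scheme.

Added example, not HYPR's or CA's code. It assumes only the format this guide
shows: "<java class> <fcc path>;Key=Value;Key=Value" with the keys
HyprServerBaseURL, HyprAppId and HyprRegURL.
"""
from urllib.parse import urlsplit

REQUIRED_KEYS = ("HyprServerBaseURL", "HyprAppId", "HyprRegURL")
EXPECTED_CLASS = "com.netegrity.sdk.javaauthapi.HyprAuthScheme"


def parse_parameter(param):
    """Split the Parameter string into (class_name, fcc_path, options dict).
    Raises ValueError when the string is structurally broken."""
    param = param.strip()
    # The single space between class name and .fcc path is mandatory; without
    # it the whole string would be taken as the class name to load.
    if " " not in param:
        raise ValueError("missing space between Java class name and .fcc path")
    class_name, rest = param.split(" ", 1)
    parts = rest.split(";")
    fcc_path = parts[0].strip()
    options = {}
    for kv in parts[1:]:
        if not kv.strip():
            continue
        if "=" not in kv:
            raise ValueError(f"option without '=': {kv!r}")
        key, value = kv.split("=", 1)
        options[key.strip()] = value.strip()
    return class_name, fcc_path, options


def validate_parameter(param):
    """Return a list of findings; an empty list means the string looks right."""
    try:
        class_name, fcc_path, options = parse_parameter(param)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if class_name != EXPECTED_CLASS:
        findings.append(f"unexpected class name {class_name!r}")
    if not (fcc_path.startswith("/") and fcc_path.endswith(".fcc")):
        findings.append(f"fcc path should be an absolute web path ending in .fcc: {fcc_path!r}")
    for key in REQUIRED_KEYS:
        if key not in options:
            findings.append(f"missing option {key}")
    for key in ("HyprServerBaseURL", "HyprRegURL"):
        url = options.get(key)
        if url is None:
            continue
        # A doubled scheme ("https://https://host") is an easy copy-paste slip;
        # urlsplit would then report the host as the literal string "https:".
        if url.count("://") != 1:
            findings.append(f"{key} has a malformed scheme: {url!r}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":  # example's own policy: TLS to the HYPR server
            findings.append(f"{key} must use https, got {parts.scheme!r}")
        if not parts.netloc:
            findings.append(f"{key} has no host: {url!r}")
    return findings


if __name__ == "__main__":
    # The guide's own example value (with the hostnames from the guide).
    example = (
        "com.netegrity.sdk.javaauthapi.HyprAuthScheme /siteminderagent/forms/hypr_login.fcc;"
        "HyprServerBaseURL=https://test.gethypr.com;HyprAppId=sampleApp;"
        "HyprRegURL=https://test.gethypr.com/hyprsp"
    )
    for finding in validate_parameter(example) or ["Parameter looks valid"]:
        print(finding)
```

Paste the exact text you intend to enter in the Parameter field into validate_parameter(); the findings list is empty for the guide's example and names the specific defect otherwise.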


Click Submit.


Select HYPR Authentication Scheme for a Realm

Log into CA SSO admin console.

Navigate to:
Policies > Domain > Domains

Select a domain to edit by clicking on the pencil icon.


Select Realms tab.


Select/edit a realm by clicking on the small arrow icon.

For "Authentication Scheme" expand the drop-down and select "HyprAuthScheme".

Click OK.
Click Submit.


Deploy HYPR Custom Login Form (hypr_login.fcc)

HYPR provides a simple custom login form (hypr_login.fcc) for passwordless authentication. This is a sample form without a password field.

Open hypr_login.fcc in a text editor and replace "https://your_hypr_Server.com/hyprsp" with the URL of your HYPR server.


Deploy hypr_login.fcc to CA SSO Secure Proxy Server. It can be deployed in the following directory:
<Install_Dir>/CA/secure-proxy/proxy-engine/examples/siteminderagent/forms


Figure: hypr_login.fcc

Please note that if you make any changes to hypr_login.fcc, you may need to restart the CA Access Gateway Engine service for them to take effect.


Testing

Access a CA SSO protected or federated web application. The user is presented with the hypr_login.fcc login form.
The user enters a username and continues with the passwordless authentication flow; a user with no registered device is redirected to the HyprRegURL to register one.