Custom Authentication Module

This guide provides instructions to configure the HYPR Custom Authentication Scheme in CA Single Sign-On (CA SSO) to enable passwordless authentication.

Prerequisites

  • Access to CA SSO administrative console.
  • Access to HYPR Control Center.
  • Contact HYPR support to acquire the HYPR Custom Authentication Scheme for CA SSO (HyprAuthScheme.jar) and HYPR Client SDK (java-client-xxx.jar) JAR files.
  • HYPR Custom Login Form (hypr_login.fcc).
  • A test web app/resource protected with CA SSO. When the user tries to access this web app, CA SSO will use HYPR for passwordless authentication.

Deploy Custom Authentication Scheme JAR files

Stop the CA SSO Policy Server service.

Place JAR files (HyprAuthScheme.jar and java-client-xxx.jar) in the following directory of CA SSO Policy Server:
<Install_Dir>/CA/siteminder/bin/thirdparty/

Edit JVMOptions.txt in a text editor. This file should be located on CA SSO Policy Server in the following directory:
<Install_Dir>/CA/siteminder/config

In JVMOptions.txt, locate the "-Djava.class.path" parameter and append the full paths of the two JAR files above, for example:

;C:/CA/siteminder/bin/thirdparty/HyprAuthScheme.jar;C:/CA/siteminder/bin/thirdparty/java-client-3.2.1.jar

Start the CA SSO Policy Server service.
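The class-path edit above is easy to get wrong by hand (a missing separator, or the same JAR appended twice after a second run). The following script is an added example, not HYPR's or CA's tooling: it rewrites the "-Djava.class.path" line of a JVMOptions.txt idempotently. It assumes one JVM option per line and the ";" separator used in the Windows example above (a Linux Policy Server would use ":"); the sample file contents and the existing JAR entry are constructed placeholders.

```python
"""Idempotently add the HYPR JARs to -Djava.class.path in JVMOptions.txt.

Added example (not part of HYPR or CA SSO). Assumes one option per line and
a ';' class-path separator as in the Windows example above.
"""
from __future__ import annotations

CLASS_PATH_PREFIX = "-Djava.class.path="

# JAR paths from the guide's example (adjust <Install_Dir> for your server).
HYPR_JARS = (
    "C:/CA/siteminder/bin/thirdparty/HyprAuthScheme.jar",
    "C:/CA/siteminder/bin/thirdparty/java-client-3.2.1.jar",
)

# Constructed sample of a JVMOptions.txt; 'existing.jar' is a placeholder entry.
SAMPLE_JVM_OPTIONS = """\
-Xmx512m
-Djava.class.path=C:/CA/siteminder/bin/jars/existing.jar
-Djava.security.manager
"""


def classpath_entries(text: str, sep: str = ";") -> list[str]:
    """Return the class-path entries found in the file text (empty if none)."""
    for line in text.splitlines():
        if line.startswith(CLASS_PATH_PREFIX):
            return [e for e in line[len(CLASS_PATH_PREFIX):].split(sep) if e]
    return []


def add_jars_to_classpath(text: str, jars: tuple[str, ...] = HYPR_JARS, sep: str = ";") -> str:
    """Append each JAR to -Djava.class.path unless it is already listed.

    Raises ValueError when the file has no class-path line, so a typo in the
    file is not silently ignored.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(CLASS_PATH_PREFIX):
            entries = [e for e in line[len(CLASS_PATH_PREFIX):].split(sep) if e]
            for jar in jars:
                if jar not in entries:
                    entries.append(jar)
            lines[i] = CLASS_PATH_PREFIX + sep.join(entries)
            return "\n".join(lines) + "\n"
    raise ValueError("no -Djava.class.path entry found in JVMOptions.txt")


if __name__ == "__main__":
    # To apply to a real file: read it, pass the text through, write it back.
    print(add_jars_to_classpath(SAMPLE_JVM_OPTIONS))
```

Running the script twice produces the same line, so it is safe to re-run after a JAR upgrade; only the `java-client` version in `HYPR_JARS` needs changing.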

Configure HYPR Custom Authentication Scheme

Log into CA SSO admin console.

Navigate to:
Infrastructure > Authentication > Authentication Schemes.

Click on "Create Authentication Scheme".
Select "Create a new object of type Authentication Scheme" and click OK.

Fill in the fields as follows.

Name: Enter a name. For example, HyprAuthScheme

Authentication Scheme Type: Custom Template

Protection Level: Enter the desired protection level or keep the default value.

Password Policies enabled for this Authentication Scheme: Leave the default value.

Library: smjavaapi

Secret: Not required. Leave it blank.

Confirm Secret: Not required. Leave it blank.

Parameter: The custom scheme class name, the custom login form path and the HYPR settings, for example:
com.netegrity.sdk.javaauthapi.HyprAuthScheme /siteminderagent/forms/hypr_login.fcc;HyprServerBaseURL=https://test.gethypr.com;HyprAppId=sampleApp;HyprRegURL=https://test.gethypr.com/hyprsp

The parts of this value are:

HYPR Custom Authentication Scheme class: com.netegrity.sdk.javaauthapi.HyprAuthScheme

Custom login page: /siteminderagent/forms/hypr_login.fcc
This page does not have a password field, as HYPR enables passwordless authentication.

HyprServerBaseURL: Base URL of your HYPR server.

HyprAppId: Application ID from your HYPR Control Center.

HyprRegURL: If a user attempts passwordless authentication without first registering a device, they are redirected to this URL to start the device registration flow.

Note: There is a space between com.netegrity.sdk.javaauthapi.HyprAuthScheme and /siteminderagent/forms/hypr_login.fcc.

Enable this scheme for CA Single Sign-On Administrators: Not required. Select per your environment.

Persist Authentication Session Variables: Not required. Select per your environment.

Ensure that there is a space between the Java class name and the remaining parameters, as in the Parameter example above.

Click Submit.
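Because the Parameter value is a single free-text field, a typo there (a missing space after the class name, a doubled "https://", a plain-HTTP HYPR URL, a forgotten key) only shows up when users start failing to log in. The checker below is an added example, not HYPR's or CA's code: it parses the "<class> <fcc path>;Key=Value;..." layout shown above and reports those problems before the scheme is submitted. The class name, form path, keys and hostnames come from the guide's own example; the sample strings are constructed from them.

```python
"""Checker for the CA SSO 'Parameter' string of the HYPR custom scheme.

Added example, not HYPR's or CA's code. Assumes the layout shown in the guide:
'<java class> <fcc path>;Key=Value;Key=Value'.
"""
from __future__ import annotations

from urllib.parse import urlparse

EXPECTED_CLASS = "com.netegrity.sdk.javaauthapi.HyprAuthScheme"
REQUIRED_KEYS = ("HyprServerBaseURL", "HyprAppId", "HyprRegURL")
URL_KEYS = ("HyprServerBaseURL", "HyprRegURL")


def parse_parameter(param: str) -> dict:
    """Split the string into class name, login form path and key/value options."""
    head, _, rest = param.partition(";")
    parts = head.split()  # class name and .fcc path are separated by one space
    if len(parts) != 2:
        raise ValueError("expected '<class> <fcc path>' before the first ';'")
    options: dict[str, str] = {}
    for item in rest.split(";"):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"option without '=': {item!r}")
        key, value = item.split("=", 1)
        options[key.strip()] = value.strip()
    return {"class": parts[0], "fcc": parts[1], "options": options}


def check_url(value: str) -> list[str]:
    """Findings for one HYPR URL; an empty list means it looks sound."""
    problems = []
    if value.count("://") > 1:
        problems.append("scheme appears twice (e.g. 'https://https://')")
    parsed = urlparse(value)
    if parsed.scheme != "https":
        problems.append("must use https")
    if not parsed.netloc:
        problems.append("no host in URL")
    return problems


def validate_parameter(param: str) -> list[str]:
    """Return all findings for a Parameter string; [] means no problems found."""
    try:
        parsed = parse_parameter(param)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if parsed["class"] != EXPECTED_CLASS:
        findings.append(f"unexpected class name {parsed['class']!r}")
    if not (parsed["fcc"].startswith("/") and parsed["fcc"].endswith(".fcc")):
        findings.append(f"login form {parsed['fcc']!r} should be an absolute .fcc path")
    opts = parsed["options"]
    for key in REQUIRED_KEYS:
        if not opts.get(key):
            findings.append(f"missing required option {key}")
    for key in URL_KEYS:
        if opts.get(key):
            findings.extend(f"{key}: {problem}" for problem in check_url(opts[key]))
    return findings


# Constructed samples built from the guide's example values.
GOOD_PARAMETER = (
    "com.netegrity.sdk.javaauthapi.HyprAuthScheme /siteminderagent/forms/hypr_login.fcc;"
    "HyprServerBaseURL=https://test.gethypr.com;HyprAppId=sampleApp;"
    "HyprRegURL=https://test.gethypr.com/hyprsp"
)
DOUBLED_SCHEME = GOOD_PARAMETER.replace("HyprRegURL=https://", "HyprRegURL=https://https://")
MISSING_SPACE = GOOD_PARAMETER.replace("HyprAuthScheme /siteminder", "HyprAuthScheme/siteminder")

if __name__ == "__main__":
    for label, sample in (("good", GOOD_PARAMETER), ("doubled scheme", DOUBLED_SCHEME),
                          ("missing space", MISSING_SPACE)):
        print(f"{label}: {validate_parameter(sample) or 'OK'}")
```

Paste the exact string you intend to enter in the admin console into `validate_parameter` and fix every finding before clicking Submit; an empty list means the layout and the HYPR URLs are consistent with the example above, not that the HYPR server or application ID is reachable.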

Select HYPR Authentication Scheme for a Realm

Log into CA SSO admin console.

Navigate to:
Policies > Domain > Domains

Select a domain to edit by clicking on the pencil icon.

Select Realms tab.

Select/edit a realm by clicking on the small arrow icon.

For "Authentication Scheme" expand the drop-down and select "HyprAuthScheme".

Click OK.
Click Submit.

Deploy HYPR Custom Login Form (hypr_login.fcc)

HYPR provides a simple custom login form (hypr_login.fcc) for passwordless authentication. This is a sample form without a password field.

Open hypr_login.fcc in a text editor and replace "https://your_hypr_Server.com/hyprsp" with the URL of your HYPR server.

Deploy hypr_login.fcc to CA SSO Secure Proxy Server. It can be deployed in the following directory:
<Install_Dir>/CA/secure-proxy/proxy-engine/examples/siteminderagent/forms

Figure: hypr_login.fcc

Please note that if you make any changes to hypr_login.fcc, you may need to restart the CA Access Gateway Engine service.

Testing

Access a CA SSO protected or federated web application. The user will see the hypr_login.fcc form.
The user can enter a username and continue with the passwordless authentication flow.