The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.
An XCCDF Rule
Description
<VulnDiscussion>Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM authentication protocols, such as SAML 2.0 and OpenID 2.0. Use of FICAM-issued profiles addresses open identity management standards. This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user, (e.g., ALG capability that is the front end for an application in a DMZ). CA API Gateway must be capable of producing and validating FICAM-compliant SAML.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-86063r1_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Open the CA API GW - Policy Manager and double-click all Registered Services required to conform to FICAM issued profiles.
Add the "Evaluate SAML Protocol Response" Assertion to the policy and set the SAML Version to 2.0.
Set all other configuration parameters within the Assertion to meet organizational requirements for FICAM-issued profiles.