The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.

From CA API Gateway ALG Security Technical Implementation Guide

Part of SRG-NET-000349-ALG-000106

Associated with: CCI-002014

SV-86063r1_rule The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.

Vulnerability discussion

Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM authentication protocols, such as SAML 2.0 and OpenID 2.0.Use of FICAM-issued profiles addresses open identity management standards.This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user, (e.g., ALG capability that is the front end for an application in a DMZ).CA API Gateway must be capable of producing and validating FICAM-compliant SAML.

Check content

Open the CA API GW - Policy Manager and double-click all Registered Services required to conform to FICAM-issued profiles. Verify the "Evaluate SAML Protocol Response" Assertion is included in the policy and set to evaluate only SAML 2.0 responses. Validate all additional parameters within the Assertion are set in accordance with organizational requirements for FICAM-issued profiles. If the "Evaluate SAML Protocol Response" Assertion is not included in the policy and set to evaluate only SAML 2.0 responses, this is a finding.

Fix text

Open the CA API GW - Policy Manager and double-click all Registered Services required to conform to FICAM issued profiles. Add the "Evaluate SAML Protocol Response" Assertion to the policy and set the SAML Version to 2.0. Set all other configuration parameters within the Assertion to meet organizational requirements for FICAM-issued profiles.

Pro Tips

Powered by sagemincer