CA APM and CA SAM Authentication
CA APM and CA SAM authentication made easy – v1.1
For a proper integration between APM and CA SAM it is currently required that CA SAM is set up with auth_token
or auth_token_password authentication.
This is required so that the ITAM Home Page can display the CA SAM frame with the links to CA SAM and also act
as the authentication agent for CA SAM. When the user clicks a SAM link in ITAM, the auth_token authentication is
transparent to the user and no further login is necessary on the CA SAM side.
With auth_token_password (shown below on the right) ITAM authenticates the user via the ITAM Home Page, and the
user still has the option to log in to CA SAM manually with user name and password. With auth_token (left) the
manual login option is not available.
Below is a list of items required for the integration to work:
1- Make sure that the below keys in APM match the settings in SAM:
Copyright © 2015 CA. All rights reserved.
2- Make sure that the user logged in to APM:
a- also exists in CA SAM
b- has the CA Software Asset Manager authorization and is Active
c- is granted Data and Application role permissions
d- has the same email address, or an APM user ID that matches the SAM user's import_id, depending on what
you have selected in the CA SAM SSO field to authenticate the user.
e-
If the customer is not concerned about the ITAM Home Page and prefers to set up CA SAM with LDAP or NTLM
authentication, this is fine: the integration between the two products continues to work, and organizational data
synchronization, hardware reconciliation and AMS should still work too. The only consequence is that the ITAM
Home Page will display a message that the CA SAM configuration is not properly set, and the CA SAM frame will
not appear.
Configuring CA SAM with NTLM authentication
With NTLM authentication the users will not need to type in their credentials in CA SAM as long as:
1- the user logged in to the client machine is a member of the same domain as the CA SAM server
2- the user has the appropriate permissions according to items a, b and c of the previous section of this
document
The required settings for NTLM are:
1- In IIS Manager, configure Authentication for the CA SAM website with Windows Authentication enabled and
Anonymous Authentication disabled (if you prefer, you can apply Windows Authentication only to the file
login.php; this is also done in IIS Manager)
2- In CA SAM navigate to Admin > System and change the Authentication method to ntlm or ntlm_password
(ntlm_password gives the user the option to type in credentials if NTLM fails)
When a user authenticates against an IIS website with Windows Authentication, the user name passed to the
application is by default in the format DOMAIN\username. Usually the system administrator loads the users into
CA SAM with the login field set to username only, without DOMAIN\. By adding the keys below in CA SAM > Admin >
Browse Configuration, the system trims the domain name and authenticates the user against the loginid in the
users table using the username part only.
Key name: security_ntlm_user_search
Key value: [A-Z0-9]+\\([a-zA-Z0-9]+)
Key name: security_ntlm_user_replace
Key value: \1
Key name: security_ntlm_user_pcre_delimiter
Key value: #
Key name: security_ntlm_user_pcre_modifier
Key value: u
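The four keys above are a PCRE search/replace: a pattern, a replacement with the backreference \1, the delimiter that wraps the pattern (#) and the modifier appended after it (u, UTF-8). The following script is an added example, not code from the document or from CA SAM; it assumes CA SAM applies the keys the way PHP's preg_replace would, which the key names suggest but the text does not state. It shows what the documented pattern does to a few constructed user names, including the two cases where it leaves the name untouched (a lowercase domain, or a UPN with no backslash), and contrasts it with a more permissive pattern that is my own suggestion rather than the document's:

```python
import re

# The four keys as listed in the text (values copied verbatim).
DOC_KEYS = {
    "security_ntlm_user_search": r"[A-Z0-9]+\\([a-zA-Z0-9]+)",
    "security_ntlm_user_replace": r"\1",
    "security_ntlm_user_pcre_delimiter": "#",
    "security_ntlm_user_pcre_modifier": "u",
}

# Alternative search pattern (my suggestion, not from the document): accept a
# domain name in any case and keep everything after the first backslash.
PERMISSIVE_KEYS = dict(DOC_KEYS, security_ntlm_user_search=r"[^\\]+\\(.+)")


def pcre_literal(keys: dict) -> str:
    """Assemble the pattern the way PHP's preg_* functions expect it:
    delimiter, pattern, delimiter, modifiers (for the document's keys: #...#u)."""
    d = keys["security_ntlm_user_pcre_delimiter"]
    return f"{d}{keys['security_ntlm_user_search']}{d}{keys['security_ntlm_user_pcre_modifier']}"


def trim_domain(keys: dict, remote_user: str) -> str:
    """Apply the configured search/replace to the IIS-supplied user name
    (LOGON_USER / REMOTE_USER).

    re.sub replaces every match and honours \\1-style backreferences, which is
    the behaviour assumed for preg_replace here. The 'u' modifier has no
    counterpart: Python 3 str patterns are already Unicode-aware.
    Only the matched span is replaced, so with the document's pattern
    'CORP\\j.smith' becomes 'j.smith' (the '.smith' tail is never part of
    the match), while 'mydomain\\jsmith' is returned unchanged because
    [A-Z0-9]+ does not match a lowercase domain.
    """
    return re.sub(keys["security_ntlm_user_search"],
                  keys["security_ntlm_user_replace"], remote_user)


if __name__ == "__main__":
    # Constructed sample user names, not taken from any real environment.
    samples = ["MYDOMAIN\\jsmith", "CORP\\j.smith", "mydomain\\jsmith", "jsmith@mydomain.com"]
    print("PCRE literal:", pcre_literal(DOC_KEYS))
    for s in samples:
        print(f"{s!r:24} document-> {trim_domain(DOC_KEYS, s)!r:24} "
              f"permissive-> {trim_domain(PERMISSIVE_KEYS, s)!r}")
```

If users whose domain is passed in lowercase, or whose login contains characters outside [a-zA-Z0-9], fail to log in after NTLM succeeds, check the trimmed name against the loginid column first: the documented pattern is case-sensitive on the domain part and stops the captured group at the first non-alphanumeric character.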
Quick troubleshooting tip: if the client browser prompts for credentials, make sure that the CA SAM website is in
the Local intranet zone and that the IE setting 'Automatic logon only in Intranet zone' is selected. Browsers such
as Chrome or Firefox may require manual configuration.
Configuring CA SAM with LDAP authentication
LDAP authentication in CA SAM requires the user to type credentials at the login page, but the password does not
need to be stored in the users table. The users still need to be loaded into the users table and have usage rights,
the same way as with NTLM and auth_token.
Below is a list of keys that need to be added in CA SAM > Admin > Browse Configuration for LDAP authentication
to work:
Key name: security_ldap_auth_attrib
Key value (sample): sAMAccountName
Key meaning: the name of the attribute in Active Directory (or another LDAP directory) that CA SAM matches
against the login name. Other options are userPrincipalName or uid.
Key name: security_ldap_base_dn
Key value (sample): cn=Users,dc=mydomain,dc=com
Key meaning: the base DN under which CA SAM searches for users. In some cases, especially when using an
anonymous LDAP bind, it is not possible to search from the root of the directory (e.g. dc=ca,dc=com) due to lack
of permissions, so an OU (Organizational Unit) or CN (Container) may be necessary.
Key name: security_ldap_version
Key value (sample): 3
Key meaning: the LDAP protocol version. You can find the versions a directory supports with an LDAP browser
such as LDP.exe: bind to the directory and check the supportedLDAPVersion values.
Key name: security_ldap_tls
Key value (sample): 0
Key meaning: 0 means TLS disabled, 1 means TLS enabled; which one applies depends on the LDAP directory. Note
that with TLS disabled an LDAP simple bind sends the password in clear text over the network, so the user's
password (and the bind account's password, if one is configured) is exposed to anyone who can sniff the link
between CA SAM and the LDAP server.
Key name: security_ldap_port
Key value (sample): 389
Key meaning: port number that CA SAM uses to connect to the LDAP server. Another option is the Global Catalog
port 3268 if using Active Directory.
Key name: security_ldap_hostname
Key value (sample): myldapserver.mydomain.com
Key meaning: Hostname of the LDAP server.
Now you just need to set the CA SAM authentication method to ldap or ldap_password.
The two keys below are not required if using an anonymous LDAP bind. If that option is not available you will need
to provide credentials for CA SAM to bind to the LDAP directory.
Key name: security_ldap_bind_search_dn
Key value (sample): cn=myloginid,ou=Users,dc=mydomain,dc=com
Key meaning: the DN of the account CA SAM uses to bind to the LDAP directory.
Key name: security_ldap_bind_search_password
Key value (sample): MyPassword
Key meaning: password of the bind account. You can (and should) encrypt the password via CA SAM > Admin >
Tools > Encrypt password rather than storing it in clear text.
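To see how the keys above fit together before touching a production directory, the script below (an added example, not code from the document or from CA SAM) parses a constructed key/value listing in the "Key name / Key value" form used above, assembles the server URL, base DN and search filter that those keys describe, and reviews the listing for the problems discussed in this section: missing keys, TLS disabled, a bind DN without a password, and an anonymous bind that may need a narrower base DN. The filter escaping follows RFC 4515 and is general LDAP practice; the page says nothing about how CA SAM itself builds its filter, so that part is the example's own:

```python
# Constructed sample in the "Key name / Key value" form used above; the values
# are the document's placeholders, not a real directory.
SAMPLE_CONFIG = """
security_ldap_auth_attrib=sAMAccountName
security_ldap_base_dn=cn=Users,dc=mydomain,dc=com
security_ldap_version=3
security_ldap_tls=0
security_ldap_port=389
security_ldap_hostname=myldapserver.mydomain.com
security_ldap_bind_search_dn=cn=myloginid,ou=Users,dc=mydomain,dc=com
security_ldap_bind_search_password=MyPassword
"""

REQUIRED_KEYS = (
    "security_ldap_auth_attrib", "security_ldap_base_dn", "security_ldap_version",
    "security_ldap_tls", "security_ldap_port", "security_ldap_hostname",
)


def parse_config(text: str) -> dict:
    """Turn 'key=value' lines into a dict. Only the first '=' separates key
    from value, so DNs such as cn=Users,dc=mydomain,dc=com survive intact."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        keys[name.strip()] = value.strip()
    return keys


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter, so that a
    login such as 'j*' or 'a)(objectClass=*' cannot change the filter's meaning."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def user_search(keys: dict, login: str) -> dict:
    """The lookup the keys describe: where to connect, where to search, and
    the filter that matches the typed login against security_ldap_auth_attrib."""
    return {
        "url": f"ldap://{keys['security_ldap_hostname']}:{keys['security_ldap_port']}",
        "tls": keys["security_ldap_tls"] == "1",
        "version": int(keys["security_ldap_version"]),
        "base_dn": keys["security_ldap_base_dn"],
        "filter": f"({keys['security_ldap_auth_attrib']}={escape_filter_value(login)})",
        # None means an anonymous bind (bind DN/password keys not set).
        "bind_dn": keys.get("security_ldap_bind_search_dn"),
    }


def review_config(keys: dict) -> list:
    """Return findings for the configuration issues this section warns about."""
    findings = []
    for k in REQUIRED_KEYS:
        if not keys.get(k):
            findings.append(f"missing required key: {k}")
    if keys.get("security_ldap_tls") == "0":
        findings.append("security_ldap_tls=0: simple-bind passwords cross the network in clear text")
    if keys.get("security_ldap_version") not in (None, "3"):
        findings.append(f"security_ldap_version={keys['security_ldap_version']}: check the directory supports it")
    bind_dn = keys.get("security_ldap_bind_search_dn")
    if bind_dn and not keys.get("security_ldap_bind_search_password"):
        findings.append("bind DN set but security_ldap_bind_search_password is empty")
    if not bind_dn:
        findings.append("anonymous bind: the base DN may need to be an OU/CN rather than the directory root")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for k, v in user_search(cfg, "j.smith").items():
        print(f"{k:8} {v}")
    for f in review_config(cfg):
        print("finding:", f)
```

Run it against your own key listing (paste it in place of SAMPLE_CONFIG) before switching the authentication method to ldap; the finding about security_ldap_tls=0 is the one most often ignored, because the login page works just as well with the password travelling in the clear.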
CA Asset Portfolio Manager authentication
CA APM currently handles two different authentication types, both using EEM. It can be either:
1- Form Authentication – user is prompted for user credentials;
2- Windows Integrated Authentication – a user logged in to a Windows domain will be automatically logged
in to APM.
For the purpose of the SAM/APM integration, either authentication option behaves the same way.
The authentication method can be modified via the CA APM interface, Administration tab, System Configuration,
EEM.
IMPORTANT: regardless of the authentication type selected in APM, EEM still acts as the authentication agent for
APM, so the IIS settings should remain the same: Anonymous Authentication enabled and Windows Authentication
disabled for the APM sites.
For more detailed steps on how to configure Form or Windows Integrated authentication in APM please refer to
the CA APM Administration Guide under User Roles > Authentication section.