The CA API Gateway providing user authentication intermediary services must conform to Federal Identity, Credential, and Access Management (FICAM) issued profiles.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-71439	CAGW-GW-000650	SV-86063r1_rule		Medium

Description
Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM authentication protocols, such as SAML 2.0 and OpenID 2.0. Use of FICAM-issued profiles addresses open identity management standards. This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user, (e.g., ALG capability that is the front end for an application in a DMZ). CA API Gateway must be capable of producing and validating FICAM-compliant SAML.

Description

Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM authentication protocols, such as SAML 2.0 and OpenID 2.0. Use of FICAM-issued profiles addresses open identity management standards. This requirement only applies to components where this is specific to the function of the device or has the concept of a non-organizational user, (e.g., ALG capability that is the front end for an application in a DMZ). CA API Gateway must be capable of producing and validating FICAM-compliant SAML.

STIG	Date
CA API Gateway ALG Security Technical Implementation Guide	2017-04-07

Details

Check Text ( C-71829r1_chk )
Open the CA API GW - Policy Manager and double-click all Registered Services required to conform to FICAM-issued profiles. Verify the "Evaluate SAML Protocol Response" Assertion is included in the policy and set to evaluate only SAML 2.0 responses. Validate all additional parameters within the Assertion are set in accordance with organizational requirements for FICAM-issued profiles. If the "Evaluate SAML Protocol Response" Assertion is not included in the policy and set to evaluate only SAML 2.0 responses, this is a finding.

Check Text ( C-71829r1_chk )

Open the CA API GW - Policy Manager and double-click all Registered Services required to conform to FICAM-issued profiles.

Verify the "Evaluate SAML Protocol Response" Assertion is included in the policy and set to evaluate only SAML 2.0 responses.

Validate all additional parameters within the Assertion are set in accordance with organizational requirements for FICAM-issued profiles.

If the "Evaluate SAML Protocol Response" Assertion is not included in the policy and set to evaluate only SAML 2.0 responses, this is a finding.

Fix Text (F-77757r1_fix)
Open the CA API GW - Policy Manager and double-click all Registered Services required to conform to FICAM issued profiles. Add the "Evaluate SAML Protocol Response" Assertion to the policy and set the SAML Version to 2.0. Set all other configuration parameters within the Assertion to meet organizational requirements for FICAM-issued profiles.