Araxis Merge comparison report, produced 9/9/2019 5:41:51 PM Eastern Daylight Time.

# | Location | File | Last Modified
---|---|---|---
1 | Webvram-v4.zip\20190725-webvram-source.zip\Documents | WebVRAM IA.docx | Tue Jul 23 23:11:38 2019 UTC
2 | Webvram-v4.zip\20190725-webvram-source.zip\Documents | WebVRAM IA.docx | Thu Sep 5 19:47:44 2019 UTC

Comparison summary (between files 1 and 2):

Description | Text Blocks | Lines
---|---|---
Unchanged | 12 | 558
Changed | 11 | 22
Inserted | 0 | 0
Removed | 0 | 0

Comparison settings: differences in character case are significant; differences in line endings (CR and LF characters) are ignored and CR/LF characters are not shown in the comparison detail; no regular expressions were active.
SSOi Integration Agreement

Please validate and provide required* information.

Application Overview

IAM SR Number: 778
VASI Id: *None
Application Name: *VistA Remote Access Management (WebVRAM)
Application Business Owner (this person will be copied on all communication regarding SSOi integration milestones): *Zachary Fain
Application Business Owner Email: *PII
Application POC (this is the person IAM will reach out to for the integration): *Van Curtis
Application POC Email: *PII
Application Technical POC (this person will lead your application team in making the changes to integrate with SSOi): *Christopher Uyehara
Application Technical POC Email: *PII

Background

Application Overview:

*The WebVRAM application offers a solution to the business problem by allowing synchronization of account credentials with the existing enterprise account management system provided by the Claims System, in conjunction with brokering utilities provided by the RPC Broker (Broker Security Enhancement) and the FileMan Delphi Components (FMDC).

Users of WebVRAM will be able to take advantage of consistent access to disparate VistA systems, while system administrators and systems security personnel experience a reduction in account management activities and standardization of access according to nationally approved access standards. The expected outcome is increased efficiency for both OIT and VHA business partners in obtaining access to disparate VistA systems and the enterprise-wide data required to perform VA National-Level Program business functions.

WebVRAM is requesting integration with IAM SSOi to address the mandate that all internal, user-facing VA applications become two-factor authentication compliant within the next 13 months.

Do all of your application users have a VA PIV Card? If no, explain: *Yes

Application Profile [To be completed by Technical POC]

Is the application hosted internally or externally to the VA network? *Internal
Production URL: *TBD
Pre-Production URL: *http:// URL /WebVRAMPreProd
Software Quality Assurance/Test URL: *http:// URL /WebVRAMSqa
Development URL: *http:// URL /WebVRAM
System Details [To be completed by Technical POC]

Client Architecture: [Replace this text with Single Tier or Multi-Tier from agent perspective.] *

Select one of the Web Agent installation location options*:
- Add agent to current IIS/Apache
- Install IIS/Apache and agent on current machine
- Install new machine with IIS/Apache, agent and proxy

Load Balancers: *None
Client Session Timeout Value: *30 minutes

The following section documents the design and data to be exchanged for this integration.

SSOi Integration Pattern(s)

CA SiteMinder Web Agent: integrates the SSOi service with web-based or thin-client applications, enabling the authentication of internal users, global logoff, and the generation of management reports.

Note: The application must provide infrastructure to support the installation of the Web Agent on an approved version of Microsoft IIS or Apache, on Windows or Unix/Linux.

Login Model

These are the standard authentication methods IAM SSOi supports. See Appendix C for the SSOi Central Login Page.
- PIV authentication [LOA3]
- VA Active Directory (username/password) [LOA2]
- Integrated Windows Authentication [LOA2]

Question | Yes | No | Comments
---|---|---|---
Do your users require a VistA account for application access? | | |

Authentication Traits [To be confirmed by Technical POC]

See Appendix B for the detailed SSOi Authentication Trait Sets provided by IAM SSOi.
- VA default
- VHA (includes ICN, VistAId)
- VBA (includes Corporate Participant ID)

Timeout: Standard timeout is 60 minutes.

Logout Model: Local application logout only. Application logout shall be configured to not log the user out of SSOi; the user shall be redirected to the IAM Authenticated Landing Page.

Please validate and provide required* information.
Approval:

The application representatives agree to the SSOi integration as defined above and to comply with the requirements detailed in Appendix A. Additional technical specifications are detailed in the Interface Control Document (ICD) to be developed by the AcS Integration team in collaboration with the Application Development team.

Note: Once the Integration Agreement is reviewed and finalized, it will be sent to the Application POC in an email requesting approval.

The application representatives include the following:
- Van Curtis, WebVRAM POC

Appendix A: SSOi

Background and Reference

The Identity and Access Management (IAM) Single Sign-On – Internal (SSOi) service is an authentication service specifically designed for controlling access for Department of Veterans Affairs (VA) internal users (employees and contractors) accessing VA applications. This service enhances the user experience by reducing the time associated with multiple log-on and log-off activities that require application-specific identifiers and passwords. The service also enables enriched password management and a reduction in help desk support.

Integration Requirements for CA SiteMinder Web Agent

Note: WebVRAM is the consuming application/system referenced in the integration requirements below.

Functional Requirements for Integrated Application

1. The consuming application/system team shall install and configure the web agent or host on the consuming application/system (web) server, based on the installation and configuration guidelines provided to the consuming application/system team by the Access Services (AcS) team, enabling the consuming application/system to communicate with the Policy Server.
2. The consuming application/system shall integrate with the IAM SSOi Web Agent (CA SiteMinder) in accordance with the approved Interface Control Document (ICD).
3. The consuming application/system shall authorize the user based on the SSOi user session attributes in the General VA Default Authentication Trait Set. See Appendix B for details of the SSOi Authentication Trait Sets.
4. The consuming application/system shall redirect to SSOi when the user initiates the logout. The consuming application/system logout shall be configured to not log the user out of SSOi; the user shall be redirected to the IAM Authenticated Landing Page.

Functional Requirements for IAM

The IAM functional requirements for the consuming application/system integration are identified in this section.

1. IAM shall provide SSOi services using CA SiteMinder to the consuming application/system.
2. SSOi shall provide the SSOi Central Login Page with the following authentication methods (see Appendix C for the SSOi Central Login Page):
   - VA Network User ID/Password
   - Personal Identity Verification (PIV)/Personal Identification Number (PIN)
   - Windows Authentication
3. SSOi shall perform authorization based on the authorization policy created in SSOi as defined by the consuming application/system.
4. SSOi shall present an error message if the consuming application/system user fails to authenticate to SSOi.
5. SSOi shall present an error message if the consuming application/system user fails to authorize based on the authorization policy.
Appendix B: IAM-Provided SSOi Authentication Trait Sets

IAM SSOi will provide the following standard user session attributes. This section is provided for reference only. The original table groups the General VA Default, VHA and VBA columns under the heading Primary (Secondary); an X marks the trait sets that carry each trait.

Authentication Trait (HTTP Header for SiteMinder or Federated) | Source | General VA Default | VHA | VBA | Value/Example
---|---|---|---|---|---
sessionScope | | X | X | X | Business
transactionid | SSOi | X | X | X | Run-time
issueinstant | SSOi | X | X | X | Run-time
authenticationtype | SSOi | X | X | X | Indirect
proofingauthority | SSOi | X | X | X | Run-time
assurancelevel | SSOi | X | X | X | 2 (AD) or 3 (PIV)
adDomain | Prov | X | X | X | e.g., DNS
samAccountName | Prov | X | X | X | e.g., DNS
UPN | Prov | X | X | X | e.g., PII
 | Prov | X | X | X | e.g., PII
VAUID | Prov | X | X | X | e.g., DNS
First Name | Prov | X | X | X | e.g., John
Last Name | Prov | X | X | X | e.g., Smith
SecID | Prov | X | X | X | e.g., 0123456789
ICN | MVI | | X | | e.g., 1016663517V594031
VistAId | Prov | | X | | Combination of Site+DUZ, e.g., 508\|22228439^PN^508^USVHA\|A,590\|11128439^PN^590^USVHA\|A
Corporate Participant ID | MVI | | | X | e.g., 0123456789
DoD EDIPI | MVI | X | X | X | e.g., 0123456789
Subject Role | Prov | X | X | X |
Subject Organization | Prov | X | X | X | Static value: Department of Veterans Affairs
Subject Organization ID | Prov | X | X | X | Static value: urn:oid:2.16.840.1.113883.4.349
The following table provides a legend for the values found in the Source column of the SSOi Authentication Traits table above.

Annotation | Source Name | Source Description
---|---|---
Prov | IAM Provisioning | Information retrieved from the authoritative user store
MVI | IAM MVI | Information retrieved from the authoritative identity store (MVI) based on the SecID
static OR [value] | Static | Information that is defined as part of the specification
run-time | Run-time | Information generated by SSOi
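The following is an added example in Python; it is not WebVRAM code and not part of the IAM SSOi integration materials. It shows the consuming-application side of the Web Agent pattern described in Appendix A and the trait table above: reading the Appendix B traits as request headers, failing closed when they are absent, authorizing on the General VA Default trait set, parsing VistAId into (site, DUZ) pairs, and implementing the local-application-only logout. Assumptions, none of which the page states: the Web Agent forwards each trait as an HTTP request header with the same name and is the only path to the application (so a client cannot supply these headers itself); accepting only assurancelevel 3 (PIV) is one way to satisfy the two-factor mandate; the header values, the application session store and the landing-page URL are constructed for illustration.

```python
"""Consuming-application side of the SSOi Web Agent integration (added example,
not WebVRAM or IAM code). Header names are the Appendix B trait names; treating
them as request headers, the app session store and the landing-page URL are
assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Mapping, Tuple

# Traits the application needs on every request; any missing one means the
# request did not arrive through the Web Agent and is rejected (fail closed).
REQUIRED_TRAITS = ("samAccountName", "SecID", "assurancelevel", "authenticationtype")
LOA_PIV = 3  # assurancelevel per the page: 2 = AD (LOA2), 3 = PIV (LOA3)


class SsoiHeaderError(ValueError):
    """Expected SSOi headers are missing or malformed."""


@dataclass
class SsoiSession:
    sam_account_name: str
    sec_id: str
    assurance_level: int
    authentication_type: str
    vista_ids: List[Tuple[str, str]] = field(default_factory=list)  # (site, DUZ)


def parse_vistaid(raw: str) -> List[Tuple[str, str]]:
    """Split the VistAId trait into (site, DUZ) pairs.

    Page example: 508|22228439^PN^508^USVHA|A,590|11128439^PN^590^USVHA|A
    Entries are comma-separated; the site is the first '|' field and the DUZ is
    the first '^' component of the second field. The trailing components are
    not described on the page and are left unused here.
    """
    pairs = []
    for entry in filter(None, (e.strip() for e in raw.split(","))):
        fields = entry.split("|")
        if len(fields) < 2:
            raise SsoiHeaderError(f"malformed VistAId entry: {entry!r}")
        site, duz = fields[0], fields[1].split("^")[0]
        if not (site.isdigit() and duz.isdigit()):
            raise SsoiHeaderError(f"malformed VistAId entry: {entry!r}")
        pairs.append((site, duz))
    return pairs


def session_from_headers(headers: Mapping[str, str]) -> SsoiSession:
    """Build the session from the Web Agent's headers (names compared case-insensitively)."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [t for t in REQUIRED_TRAITS if not lower.get(t.lower())]
    if missing:
        raise SsoiHeaderError(f"missing SSOi headers: {missing}")
    try:
        level = int(lower["assurancelevel"])
    except ValueError:
        raise SsoiHeaderError("assurancelevel is not an integer") from None
    vista = parse_vistaid(lower["vistaid"]) if lower.get("vistaid") else []
    return SsoiSession(lower["samaccountname"], lower["secid"], level,
                       lower["authenticationtype"], vista)


def authorize(session: SsoiSession, *, require_piv: bool = True,
              require_vista_account: bool = False) -> Tuple[bool, str]:
    """Application-side authorization on the General VA Default trait set.

    require_piv enforces the two-factor mandate by accepting only LOA3 (PIV);
    require_vista_account reflects the 'VistA account required?' form item.
    """
    if require_piv and session.assurance_level < LOA_PIV:
        return False, f"assurancelevel {session.assurance_level} is below PIV (LOA3)"
    if require_vista_account and not session.vista_ids:
        return False, "VistA account required but no VistAId on session"
    return True, "ok"


def local_logout(app_sessions: Dict[str, object], app_session_id: str,
                 landing_page_url: str) -> Tuple[int, Dict[str, str]]:
    """Local application logout only: drop the app's own session and redirect to
    the IAM Authenticated Landing Page; the SSOi session is left untouched.
    Returns (HTTP status, response headers)."""
    app_sessions.pop(app_session_id, None)
    return 302, {"Location": landing_page_url}


# Constructed sample headers (not captured from any real system).
SAMPLE_PIV_HEADERS = {
    "samAccountName": "jsmith", "SecID": "0123456789", "assurancelevel": "3",
    "authenticationtype": "PIV",
    "VistAId": "508|22228439^PN^508^USVHA|A,590|11128439^PN^590^USVHA|A",
}
SAMPLE_AD_HEADERS = {**SAMPLE_PIV_HEADERS, "assurancelevel": "2",
                     "authenticationtype": "AD", "VistAId": ""}

if __name__ == "__main__":
    for hdrs in (SAMPLE_PIV_HEADERS, SAMPLE_AD_HEADERS):
        s = session_from_headers(hdrs)
        print(s.sam_account_name, s.assurance_level, s.vista_ids, authorize(s))
```

The application's own 30-minute session timeout from the System Details section is independent of the SSOi 60-minute standard timeout: when the local session expires, the next request still carries the Web Agent headers and a new local session can be built from them without re-prompting, which is the single sign-on behaviour the agreement describes.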
Appendix C: SSOi Central Login Page