Using CA API Gateway to authenticate users against CA Single Sign On

Article ID: 142972


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  AXIOMATICS POLICY SERVER
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

We're running a Policy Server and we'd like to integrate and protect an
application with CA API Gateway.

We have mainly 3 questions regarding this:

  1. What changes need to be done with respect to the below?

    - Agent type;
    - Agent Configuration Object;

  2. Currently LogoffUri has been configured in the ACO; how will this
     differ in the case of CA API Gateway?

  3. Does anything else need to be considered?

Environment

Policy Server 12.7

API Gateway 9.4

Resolution

According to the documentation, only a limited set of ACO parameters is
available to the API Gateway:

   ATTR_ACO_SSOZoneName constitutes SSOZoneName property
   ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
   ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
   ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
   ATTR_ACO_UseSecureCookies is used to indicate secure flag
   ATTR_ACO_UseHttpOnlyCookies is used to indicate http only

As such, Web Agent ACO settings outside those parameters cannot be moved
to the API Gateway.

1. The Agent type doesn't have to be manually changed: the API Gateway,
   with the SDK installed, creates all the information needed for the
   connection to the Policy Server. The ACO is limited to the
   configuration you want to set for the zone, the cookie domain name
   and the cookie flags.

2. LogoffURI will not be applicable, for the reason mentioned above.
   It seems that you may use a Target Message to configure a
   "logoffuri"; again, please consult the Services Department to get
   their experience with such an implementation.

The ACO is limited to these 6 parameters only:

  CA API GATEWAY 9.4

   Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken

   The Check Protected Resource Against CA Single Sign-On Assertion
   accepts an agent configuration object name. It then fetches the
   details from the CA SSO policy server to make it available to the
   Gateway policy. The policy author can then use these details to
   construct a proper cookie.

   The following list of ACO parameters compose the SMSESSION cookie string:

     ATTR_ACO_SSOZoneName constitutes SSOZoneName property
     ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
     ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
     ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
     ATTR_ACO_UseSecureCookies is used to indicate secure flag
     ATTR_ACO_UseHttpOnlyCookies is used to indicate http only

   Note: Except for the above ACO parameters, Gateway does not use any other ACO parameters.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/context-variables/ca-single-sign-on-context-variables.html
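How the six ACO properties quoted above turn into one `<SSOZoneName>SESSION` Set-Cookie header, as an added Python example that is not the KB's or Broadcom's code (the Gateway does this inside its policy). The ACO key names, the CookieDomainScope/CookiePathScope derivation rules and the token value are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

def _truthy(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def scoped_domain(host, cookie_domain, scope):
    # An explicit CookieDomain wins. Otherwise derive the domain from the request
    # host: keep the rightmost `scope` labels; 0 = everything but the host label
    # (assumed rule for this illustration).
    if cookie_domain:
        return cookie_domain
    labels = host.split(".")
    kept = labels[-scope:] if scope > 0 else labels[1:]
    return "." + ".".join(kept)

def scoped_path(cookie_path, scope):
    # Keep the leftmost `scope` segments of CookiePath; 0 = path as configured
    # (assumed rule for this illustration).
    segments = [s for s in cookie_path.split("/") if s]
    if scope <= 0 or not segments:
        return cookie_path
    return "/" + "/".join(segments[:scope])

def compose_sso_cookie(aco, sso_token, request_host, now_epoch=None):
    """Return (cookie name, Set-Cookie header value) built from the six ACO keys."""
    name = aco.get("SSOZoneName", "SM") + "SESSION"  # default zone SM -> SMSESSION
    parts = [f"{name}={sso_token}"]
    parts.append("Path=" + scoped_path(aco.get("CookiePath", "/"),
                                       int(aco.get("CookiePathScope", 0))))
    parts.append("Domain=" + scoped_domain(request_host, aco.get("CookieDomain", ""),
                                           int(aco.get("CookieDomainScope", 0))))
    # PersistentCookies + CookieValidationPeriod -> Expires; otherwise a session cookie.
    if _truthy(aco.get("PersistentCookies", "no")):
        base = (datetime.fromtimestamp(now_epoch, tz=timezone.utc)
                if now_epoch is not None else datetime.now(timezone.utc))
        expires = base + timedelta(seconds=int(aco.get("CookieValidationPeriod", 0)))
        parts.append("Expires=" + format_datetime(expires, usegmt=True))
    if _truthy(aco.get("UseSecureCookies", "no")):
        parts.append("Secure")      # browser sends it over HTTPS only
    if _truthy(aco.get("UseHttpOnlyCookies", "no")):
        parts.append("HttpOnly")    # not readable by page scripts
    return name, "; ".join(parts)

# Constructed sample ACO; the token passed in below is a placeholder, not a real SSO token.
SAMPLE_ACO = {"SSOZoneName": "SM", "CookiePath": "/", "CookiePathScope": 0,
              "CookieDomain": "", "CookieDomainScope": 2,
              "PersistentCookies": "yes", "CookieValidationPeriod": 3600,
              "UseSecureCookies": "yes", "UseHttpOnlyCookies": "yes"}
```

Call `compose_sso_cookie(SAMPLE_ACO, "SSOTOKEN_PLACEHOLDER", "api.example.com")` to see the resulting header; with PersistentCookies off the Expires attribute is omitted and the browser treats it as a session cookie.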

The redirection can be set using target messages:

  Select a Target Message

    Many assertions can apply to a specific target message: request,
    response, or a context variable. The default target depends on
    whether the assertion appears before or after a routing assertion.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/policy-assertions/how-to-assertions/select-a-target-message.html

Further reading:

  How to configure APIM agent to include Client IP in the SSO Token during Authentication
  https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=116464

  CA Single Sign-On Authentication and Authorization Errors
  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/reference/troubleshoot-the-gateway/ca-single-sign-on-errors.html