This applies when running a Policy Server to integrate and protect applications with CA API Gateway:
Policy Server 12.8
API Gateway 10.1
According to the documentation, only a limited set of ACO parameters is available to the API Gateway (1):
ATTR_ACO_SSOZoneName constitutes SSOZoneName property
ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
ATTR_ACO_UseSecureCookies is used to indicate secure flag
ATTR_ACO_UseHttpOnlyCookies is used to indicate http only
As such, the Web Agent ACO cannot be fully applied to the API Gateway; ACO parameters outside this list are not used.
For other information about the usage of SMSESSION and ACO, see (3) and (4).
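The following sketch is an added example, not code from the Gateway or its documentation. It shows how the six properties listed above could map onto a Set-Cookie string, and which hardening flags an ACO leaves off. The function names, the "yes"/"no" value format, the scope handling and the use of CookieValidationPeriod as a lifetime in seconds are assumptions; the cookie name is the zone name (default SM) followed by SESSION.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed sample values; a real policy would read them from the fetched ACO.
SAMPLE_ACO = {
    "ATTR_ACO_SSOZoneName": "Z1",
    "ATTR_ACO_CookiePathScope": "1",
    "ATTR_ACO_CookieDomainScope": "2",
    "ATTR_ACO_PersistentCookies": "yes",
    "ATTR_ACO_CookieValidationPeriod": "3600",
    "ATTR_ACO_UseSecureCookies": "yes",
    "ATTR_ACO_UseHttpOnlyCookies": "yes",
}

def is_enabled(value):
    return str(value or "").strip().lower() in ("yes", "true", "1")

def cookie_domain(aco, request_host):
    # Assumption: scope N keeps the last N labels; 0 keeps the full name.
    labels = (aco.get("ATTR_ACO_CookieDomain") or request_host).strip(".").split(".")
    scope = int(aco.get("ATTR_ACO_CookieDomainScope") or 0)
    return "." + ".".join(labels[-scope:] if 0 < scope < len(labels) else labels)

def cookie_path(aco, request_path):
    # Assumption: an explicit CookiePath wins; otherwise scope N keeps N leading segments.
    if aco.get("ATTR_ACO_CookiePath"):
        return aco["ATTR_ACO_CookiePath"]
    scope = int(aco.get("ATTR_ACO_CookiePathScope") or 0)
    return "/" + "/".join([s for s in request_path.split("/") if s][:scope])

def compose_session_cookie(aco, sso_token, request_host, request_path, now=None):
    name = (aco.get("ATTR_ACO_SSOZoneName") or "SM") + "SESSION"
    parts = [f"{name}={sso_token}", f"Domain={cookie_domain(aco, request_host)}",
             f"Path={cookie_path(aco, request_path)}"]
    if is_enabled(aco.get("ATTR_ACO_PersistentCookies")):
        # Assumption: the validation period is in seconds and sets the lifetime.
        ttl = int(aco.get("ATTR_ACO_CookieValidationPeriod") or 0)
        expires = (now or datetime.now(timezone.utc)) + timedelta(seconds=ttl)
        parts.append("Expires=" + format_datetime(expires, usegmt=True))
    if is_enabled(aco.get("ATTR_ACO_UseSecureCookies")):
        parts.append("Secure")
    if is_enabled(aco.get("ATTR_ACO_UseHttpOnlyCookies")):
        parts.append("HttpOnly")
    return "; ".join(parts)

def missing_hardening(aco):
    # Flags a reviewer should question before the policy emits the cookie.
    return [k for k in ("ATTR_ACO_UseSecureCookies", "ATTR_ACO_UseHttpOnlyCookies")
            if not is_enabled(aco.get(k))]
```

An ACO for which missing_hardening returns a non-empty list produces a session cookie without Secure or HttpOnly, so that list is worth checking before the cookie is sent to a browser.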
(1)
Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken
The Check Protected Resource Against CA Single Sign-On Assertion
accepts an agent configuration object name. It then fetches the
details from the CA SSO policy server to make it available to the
Gateway policy. The policy author can then use these details to
construct a proper cookie.
The following list of ACO parameters compose the SMSESSION cookie string:
ATTR_ACO_SSOZoneName constitutes SSOZoneName property
ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
ATTR_ACO_UseSecureCookies is used to indicate secure flag
ATTR_ACO_UseHttpOnlyCookies is used to indicate http only
Note: Except for the above ACO parameters, Gateway does not use any other ACO parameters.
(2)
Many assertions can apply to a specific target message: request,
response, or a context variable. The default target depends on
whether the assertion appears before or after a routing assertion.
(3)
How to configure APIM agent to include Client IP in the SSO Token during Authentication
(4)
CA Single Sign-On Authentication and Authorization Errors