Using CA API Gateway to authenticate users against CA Single Sign On


Article ID: 142972


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When running a Policy Server that protects applications integrated through CA API Gateway:

  1.   What changes need to be made to the following?

       - Agent type;
       - Agent Configuration Object (ACO);

  2.   LogoffUri is currently configured in the ACO. How does this differ when the agent is CA API Gateway?
  3.   Does anything else need to be considered?

Environment

 

Policy Server 12.8
API Gateway 10.1

 

Resolution

 

According to the documentation (1), the API Gateway reads only a limited set of ACO parameters, namely those needed to compose the session cookie:

   ATTR_ACO_SSOZoneName constitutes the SSOZoneName property (the cookie name prefix, e.g. SMSESSION for zone SM)
   ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute the Path property
   ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute the Domain property
   ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute the Expires property
   ATTR_ACO_UseSecureCookies indicates the Secure flag
   ATTR_ACO_UseHttpOnlyCookies indicates the HttpOnly flag

Every other parameter of a Web Agent ACO is ignored by the API Gateway, so a Web Agent ACO cannot be applied to the Gateway beyond those parameters.

  1. The Agent type does not need to be changed manually: the API Gateway, with the CA SSO SDK installed, creates everything it needs for its connection to the Policy Server. The ACO is therefore limited to the settings you want for the SSO zone, the cookie domain and path, the cookie lifetime, and the cookie flags listed above.
  2. LogoffURI is not applicable, for the reason given above (the Gateway does not read it). It appears that a "logoffuri" can instead be handled in the Gateway policy through the Target Message of the relevant assertion (2); consult the Services department for their experience with such an implementation.

Further information on the usage of SMSESSION and the ACO is given in (3) and (4).
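To make the mapping above concrete, the following added example (not code from the Broadcom/CA documentation or from the Gateway itself) models how a Set-Cookie header for the SSO session cookie is assembled from the six ACO parameter groups the Gateway reads. The ACO values are constructed for illustration; the scope semantics (CookieDomainScope as the number of trailing domain labels to keep, CookiePathScope as the number of leading path segments to keep, 0 meaning "most specific" / "use CookiePath as configured") are assumptions to verify against your ACO reference. The `check_cookie_hardening` helper is also an addition: it flags a zone whose ACO would emit the session cookie without Secure or HttpOnly.

```python
from datetime import datetime, timedelta, timezone

# Constructed ACO values for illustration only (not fetched from a Policy Server).
SAMPLE_ACO = {
    "SSOZoneName": "SM",
    "CookieDomain": "",
    "CookieDomainScope": "2",
    "CookiePath": "/",
    "CookiePathScope": "0",
    "PersistentCookies": "yes",
    "CookieValidationPeriod": "3600",   # seconds
    "UseSecureCookies": "yes",
    "UseHttpOnlyCookies": "yes",
}


def _yes(aco, key):
    return aco.get(key, "no").strip().lower() == "yes"


def cookie_name(aco):
    # SSOZoneName is the prefix of the session cookie: zone "SM" -> SMSESSION.
    return aco.get("SSOZoneName", "SM").strip() + "SESSION"


def cookie_domain(aco, request_host):
    # An explicit CookieDomain wins. Otherwise derive the domain from the
    # request host: CookieDomainScope = number of trailing labels to keep
    # (assumed semantics; 0 = most specific, i.e. drop only the host label).
    explicit = aco.get("CookieDomain", "").strip()
    if explicit:
        return explicit if explicit.startswith(".") else "." + explicit
    labels = request_host.lower().split(".")
    scope = int(aco.get("CookieDomainScope", "0") or 0)
    if scope <= 0 or scope >= len(labels):
        keep = labels[1:] if len(labels) > 2 else labels
    else:
        keep = labels[-scope:]
    return "." + ".".join(keep)


def cookie_path(aco, request_path):
    # CookiePathScope = number of leading path segments to keep (assumed
    # semantics); 0 means use CookiePath exactly as configured.
    scope = int(aco.get("CookiePathScope", "0") or 0)
    if scope <= 0:
        return aco.get("CookiePath", "/").strip() or "/"
    segments = [s for s in request_path.split("/") if s]
    return "/" + "/".join(segments[:scope])


def cookie_expires(aco, now):
    # Only persistent cookies carry Expires; a session cookie omits it, so the
    # browser drops it when it closes regardless of CookieValidationPeriod.
    if not _yes(aco, "PersistentCookies"):
        return None
    ttl = int(aco.get("CookieValidationPeriod", "0") or 0)
    if ttl <= 0:
        return None
    return (now + timedelta(seconds=ttl)).strftime("%a, %d %b %Y %H:%M:%S GMT")


def build_set_cookie(aco, sso_token, request_host, request_path, now=None):
    """Compose the Set-Cookie value for the SSO session cookie from the ACO."""
    now = now or datetime.now(timezone.utc)
    parts = [
        f"{cookie_name(aco)}={sso_token}",
        f"Domain={cookie_domain(aco, request_host)}",
        f"Path={cookie_path(aco, request_path)}",
    ]
    expires = cookie_expires(aco, now)
    if expires:
        parts.append(f"Expires={expires}")
    if _yes(aco, "UseSecureCookies"):
        parts.append("Secure")
    if _yes(aco, "UseHttpOnlyCookies"):
        parts.append("HttpOnly")
    return "; ".join(parts)


def check_cookie_hardening(aco):
    """Return the ACO flags that are not 'yes' but should be for a session
    cookie served over HTTPS (empty list = nothing to fix)."""
    return [k for k in ("UseSecureCookies", "UseHttpOnlyCookies") if not _yes(aco, k)]


if __name__ == "__main__":
    fixed_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(build_set_cookie(SAMPLE_ACO, "<ssotoken>", "api.example.com", "/svc/orders", fixed_now))
    print("missing hardening flags:", check_cookie_hardening(SAMPLE_ACO))
```

Because the Gateway ignores every other ACO parameter, reviewing a Gateway ACO comes down to these values: the zone name decides which cookie name the SSO token is carried in, domain and path decide which hosts receive it, and the two flags decide whether it can leak over plain HTTP or to script.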

 

Additional Information

 

(1) Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken

     The Check Protected Resource Against CA Single Sign-On Assertion
     accepts an agent configuration object name. It then fetches the
     details from the CA SSO policy server to make it available to the
     Gateway policy. The policy author can then use these details to
     construct a proper cookie.

     The following list of ACO parameters compose the SMSESSION cookie string:

       ATTR_ACO_SSOZoneName constitutes SSOZoneName property
       ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute Path property
       ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute Domain property
       ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute Expires property
       ATTR_ACO_UseSecureCookies is used to indicate secure flag
       ATTR_ACO_UseHttpOnlyCookies is used to indicate http only

     Note: Except for the above ACO parameters, Gateway does not use any other ACO parameters.

(2) Select a Target Message

     Many assertions can apply to a specific target message: request,
     response, or a context variable. The default target depends on
     whether the assertion appears before or after a routing assertion.

(3) How to configure APIM agent to include Client IP in the SSO Token during Authentication

(4) CA Single Sign-On Authentication and Authorization Errors