API Gateway , Error in Authenticate against federated Identity Provider assertion.


Article ID: 143346


Updated On:


CA API Gateway


When using a federated identity provider with Credential Source Type Allowed as "X.509 Certificate", Trusted Certificates as a " certificate " and Certificate Validation Options as "Validate"

We have created two federated users by setting X509 Subject DN of two certs "certificate2" and "certificate3" issued by certificate1.

My requirement is to allow only "certificate2" and "certificate3" access , but it allows all the certs issued by certificate1.


Release : 9.3

Component : API GATEWAY


This is the  expected behavior , when you use the authenticate against  IDP assertion with a federated identity provider configured as above.

This will allow all request with a valid certificate signed by certificate1 access .

You have to solve this in the policy you create . If the subject dn is matched the variable ${authenticatedUser.login} is set and you can use this to match the user .  if the dn can not be matched it is empty , you need to test for this in your policy

A other solution would be to use the authenticate user or group against the idp instead off the authenticate against  IDP assertion.