
Siteminder and API Gateway JWT authentication without SMSESSION


Article ID: 228008


Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA API Gateway

Issue/Introduction


When running CA Access Gateway (SPS) integrated with CA API Gateway:

  1. How can a user authenticate on CA API Gateway through the CA
     Single Sign-On assertions when the JWT Authentication Scheme is
     enabled on SiteMinder (1)?

  2. How does the subsequent authorization work once the user has
     successfully authenticated at SiteMinder with the JWT
     Authentication Scheme? Is SiteMinder responsible for issuing the
     JWT that is then exchanged in all subsequent communications?


Resolution


The initial user login happens in an external application. From that
application, the browser sends the JWT to CA Access Gateway (SPS). CA
Access Gateway (SPS) does not create the JWT, and neither does CA API
Gateway. The JWT must be issued outside both products, by the external
application's own token issuer; for testing purposes a token can also
be built by hand with a tool such as https://jwt.io/.

When the JWT Authentication Scheme is used on SiteMinder, a successful
authentication can produce an SMSESSION cookie, which can then be used
to access other SiteMinder-protected resources, including resources
protected by other Authentication Schemes.

Conversely, when no SMSESSION cookie is produced, the JWT must be sent
on every request so that the Policy Server can authorize access to the
resource, as stated in the documentation (2).

On CA API Gateway, if you want to use a JWT with SiteMinder, you should
configure the scheme so that the SMSESSION cookie is produced: the CA
Single Sign-On assertions in the Gateway policy rely on that cookie
(the documented policy starts with a Require HTTP Cookie assertion for
SMSESSION). Without it there is no reason to use the CA Single Sign-On
assertions to protect the resource on CA API Gateway (3)(4).

In the JWT Authentication Scheme, SiteMinder only consumes the JWT; it
does not create it. The JWT scheme is not a form of Basic
authentication either.

As per the API Gateway documentation, the JWT generated by the external
issuer can be passed to CA SSO by using an assertion (5).
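The flow above, as an added example that is not code from SiteMinder, CA Access Gateway or CA API Gateway: an external issuer mints an HS256 JWT with the standard library only; a verifier in the role of the JWT Authentication Scheme consumes it (signature, alg, issuer, audience, expiry) and never mints tokens itself; and a request handler shows the two documented modes, one where the first JWT-authenticated request produces a session cookie that later requests can rely on, and one with no session where the JWT has to be resent on every request. The shared secret, the issuer and audience strings, the cookie name being reused for the stand-in session handle and the in-memory session store are all assumptions made for the example; the real SMSESSION cookie is an opaque, server-generated SiteMinder session ticket and is not modelled here.

```python
"""Model of 'external issuer -> JWT scheme consumer -> optional session cookie'.
Added example, not SiteMinder/SPS/API Gateway code. Assumptions are marked."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

ISSUER_SECRET = b"issuer-shared-secret"  # assumption: HS256 key shared by issuer and verifier
ISSUER = "external-app"                  # assumption: expected iss claim
AUDIENCE = "siteminder"                  # assumption: expected aud claim


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(subject: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """The external application mints the token; the consumer never does."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
               "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(ISSUER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Consumer side: returns the claims on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        if header.get("alg") != "HS256":          # reject alg=none / algorithm confusion
            return None
        expected = hmac.new(ISSUER_SECRET, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            return None
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:                           # bad structure, bad base64, bad JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("sub"), str):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class SessionStore:
    """Stand-in for the SMSESSION cookie: an opaque handle bound to the authenticated subject."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, subject: str) -> str:
        handle = secrets.token_urlsafe(24)
        self._sessions[handle] = subject
        return handle

    def lookup(self, handle: str) -> Optional[str]:
        return self._sessions.get(handle)


def handle_request(store: SessionStore, cookies: dict, headers: dict,
                   persist_session: bool, now: Optional[float] = None):
    """One request for a protected resource. Returns (status, subject, set_cookie).

    persist_session=True  : the scheme produces a session; a valid SMSESSION cookie
                            alone is accepted on later requests.
    persist_session=False : no session is produced; every request must carry the JWT.
    """
    if persist_session:
        subject = store.lookup(cookies.get("SMSESSION", ""))
        if subject is not None:
            return 200, subject, None
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, None, None
    claims = verify_jwt(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, None, None
    set_cookie = store.create(claims["sub"]) if persist_session else None
    return 200, claims["sub"], set_cookie
```

Run it with a fixed `now` to see the difference between the modes: in session mode the second request succeeds with only the cookie, while in no-session mode the same cookie-only request is rejected with 401 because the JWT is the only credential the consumer accepts.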


Additional Information


(1)

    JSON Web Token (JWT) Authentication Scheme (Release 12.8.03 and Later)
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/json-web-token-jwt-authentication-scheme.html

(2)

    JSON Web Token (JWT) Authentication Scheme (Release 12.8.03 and Later)

      When there is no SMSESSION generated, user must resend JWTs for
      authentication to access the same resource or another protected
      resource.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/json-web-token-jwt-authentication-scheme.html

(3)

    Signed JWT Authentication Using CA Single Sign-On Assertions

      Add the Require HTTP Cookie Assertion and configure it as follows:

      Cookie name: SMSESSION
      Variable prefix: cookie (default)

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/tasks-menu-security-options/manage-ca-single-sign-on-configurations/working-with-ca-single-sign-on/JSON-Web-Token-Authentication-for-CA-SSO-Authentication/signed-jwt-authentication-using-ca-single-sign-on-assertions.html

(4)

    JWT Payload with kid Claim Authentication using CA Single Sign-On
    Assertions

      Add the Require HTTP Cookie Assertion and configure it as follows:

      Cookie name: SMSESSION
      Variable prefix: cookie (default)

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/tasks-menu-security-options/manage-ca-single-sign-on-configurations/working-with-ca-single-sign-on/JSON-Web-Token-Authentication-for-CA-SSO-Authentication/jwt-payload-with-kid-claim-authentication-using-ca-single-sign-on-assertions.html

(5)

    Signed JWT Authentication Using CA Single Sign-On Assertions

      The steps below provide an overview of how to use the CA Single
      Sign-On assertions to perform a request containing signed JWT.

    https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/tasks-menu-security-options/manage-ca-single-sign-on-configurations/working-with-ca-single-sign-on/JSON-Web-Token-Authentication-for-CA-SSO-Authentication/signed-jwt-authentication-using-ca-single-sign-on-assertions.html