When running CA Access Gateway (SPS) integrated with CA API Gateway:
1. How can a user authenticate on CA API Gateway through CA
Single Sign-On Assertions using the JWT Authentication Scheme enabled
on Siteminder (1)?
2. How does the subsequent authorization work after the user has
successfully authenticated at Siteminder with the JWT Authentication
Scheme? Is Siteminder responsible for issuing the JWT here, which will
then be exchanged in all communications?
The initial user login should take place in an external application.
From that application, the browser sends the JWT to CA Access Gateway
(SPS). CA Access Gateway (SPS) does not create the JWT, and neither
does CA API Gateway. The JWT must be created outside both CA Access
Gateway (SPS) and CA API Gateway, by a dedicated API or issuing service
(see https://jwt.io/ for the token format).
When using the JWT Authentication Scheme on Siteminder, a successful
authentication can produce an SMSESSION cookie, which can then be used
to access other Siteminder-protected resources configured with other
Authentication Schemes.
Moreover, when no SMSESSION cookie is produced, the JWT must be sent on
each request so that the Policy Server can authorize access to the
resource, as stated in the documentation (2).
On CA API Gateway, if you want to use a JWT with Siteminder, you should
enable the SMSESSION cookie to be produced. Otherwise there is no reason
to use the CA Single Sign-On assertion to protect the resource on CA API
Gateway (3)(4).
In the JWT Authentication Scheme configuration, Siteminder only consumes
the JWT; it does not create it. Nor is a JWT a form of Basic
authentication.
As per the API Gateway documentation, the generated JWT can be passed
to CA SSO using an assertion (5).
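A minimal model of the flow described above, added here as an illustration and not code from Broadcom or the cited documentation. The external issuer mints the JWT, the simulated Policy Server only verifies it and hands back an SMSESSION cookie (or demands the JWT again when there is none), and the simulated API Gateway policy requires that cookie first; the HS256 key, the session store and all names are constructed for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key shared by the hypothetical external issuer and the verifier.
ISSUER_KEY = b"constructed-demo-secret"
SESSIONS = {}  # SMSESSION cookie value -> subject (simulated Policy Server session store)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(subject, ttl=300, now=None):
    """The external application/API (not SiteMinder or API Gateway) creates the JWT."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token, now=None):
    """Simulated JWT Authentication Scheme: consumes a token only; returns claims or None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # reject anything but the expected algorithm
        expected = hmac.new(ISSUER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # forged or tampered token
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def policy_server_authenticate(headers, cookies, now=None):
    """Simulated Policy Server: existing SMSESSION accepted, else the JWT must be re-sent (2)."""
    sess = cookies.get("SMSESSION")
    if sess in SESSIONS:
        return SESSIONS[sess], sess
    auth = headers.get("Authorization", "")
    claims = verify_jwt(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return None
    sess = secrets.token_hex(16)  # a successful JWT authentication produces the SMSESSION cookie
    SESSIONS[sess] = claims["sub"]
    return claims["sub"], sess

def api_gateway_policy(cookies):
    """Simulated API Gateway policy (3)(4): Require HTTP Cookie SMSESSION, then validate it."""
    sess = cookies.get("SMSESSION")
    return sess is not None and sess in SESSIONS
```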
(1)
JSON Web Token (JWT) Authentication Scheme (Release 12.8.03 and Later)
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/json-web-token-jwt-authentication-scheme.html
(2)
JSON Web Token (JWT) Authentication Scheme (Release 12.8.03 and Later)
When there is no SMSESSION generated, user must resend JWTs for
authentication to access the same resource or another protected
resource.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/json-web-token-jwt-authentication-scheme.html
(3)
Signed JWT Authentication Using CA Single Sign-On Assertions
Add the Require HTTP Cookie Assertion and configure it as follows:
Cookie name: SMSESSION
Variable prefix: cookie (default)
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/tasks-menu-security-options/manage-ca-single-sign-on-configurations/working-with-ca-single-sign-on/JSON-Web-Token-Authentication-for-CA-SSO-Authentication/signed-jwt-authentication-using-ca-single-sign-on-assertions.html
(4)
JWT Payload with kid Claim Authentication using CA Single Sign-On
Assertions
Add the Require HTTP Cookie Assertion and configure it as follows:
Cookie name: SMSESSION
Variable prefix: cookie (default)
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/tasks-menu-security-options/manage-ca-single-sign-on-configurations/working-with-ca-single-sign-on/JSON-Web-Token-Authentication-for-CA-SSO-Authentication/jwt-payload-with-kid-claim-authentication-using-ca-single-sign-on-assertions.html
(5)
Signed JWT Authentication Using CA Single Sign-On Assertions
The steps below provide an overview of how to use the CA Single
Sign-On assertions to perform a request containing signed JWT.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-0/security-configuration-in-policy-manager/tasks-menu-security-options/manage-ca-single-sign-on-configurations/working-with-ca-single-sign-on/JSON-Web-Token-Authentication-for-CA-SSO-Authentication/signed-jwt-authentication-using-ca-single-sign-on-assertions.html