Madhusudhan Yoganath

Accelerate Federation Management Using REST APIs

Blog Post created by Madhusudhan Yoganath Employee on Jan 23, 2019

DevOps has become a widespread practice not just to continuously integrate software in a more automated way, but it has evolved towards more continuous delivery in production. REST APIs are key enablers of these workflows in DevOps by helping with the required automations to save cost and drive agility.

 

In 12.7, We introduced REST APIs for Policy Object administration which allows you to create, read, update, and delete objects including SAML 2.0 federation entities and partnerships, and certificate services in the policy store.

With the support of REST APIs provided in 12.7 onwards, it is possible to automate common administration tasks that are typically done using CA Single Sign-On Administrative UI interactively. You can script the entire operation, completely avoiding manual intervention and saving time.

For example, if you had to edit a partnership manually in the UI today, you would have to navigate to the required screen sequentially and then edit it. But the same with a REST API is very straightforward and simple. Basically, it accelerates the procedure and saves a lot of time.

 

The REST APIs and the REST API interactive reference documentation are available from any server hosting the CA Single Sign-On Administrative UI. The REST API interactive reference documentation provides an overview of the CA Single Sign-On REST APIs. For detailed information from which you can visualize and interact with the API resources, access the REST API interactive reference documentation in the following location:

 

https://<adminui_host>:8443/ca/api/sso/services/v1/api-doc/

 

You can also open the interactive reference documentation by clicking the REST APIs link at the bottom of the Administrative UI.

 

 

CA Single Sign-On provides the following REST APIs:

 

Administrative Token API (/ca/api/sso/services/login/v1/token)
This API needs to be used to retrieve a JWT token containing a session ticket.


Policy Data API (/ca/api/sso/services/policy/v1/...)
The Policy Data API allows you to create, read, update, and delete CA Single Sign-On objects in your policy store.
Each call to the Policy Data API requires a valid JWT Token obtained from the Administrative Token API as a Bearer

Token in the Authorization header.


Policy Migration API (/ca/api/sso/services/policy/v1/deployment/...)
The Policy Migration API allows you to export and import specified subsets of policy data in the policy store.

 

Highlighted below is the Policy Data API section for Federation Objects. Under this section, you will find all the APIs, you need to create, delete, update and manage SAML 2.0 federation partnerships. 

 

 

For instance, the below API lists operations for managing IDP partnership.

 

 

Further, clicking on each of these operations, will reveal the payloads and responses with an example. You can also execute the APIs here by clicking on “Try it out!”.

 

 

 

To reiterate, these Administrative REST APIs allow for tighter integration into existing DevOps processes in your enterprise and help in automation of common administrative operations.

 

For instance, you could use them in the following scenarios

 

Scenario 1: - Your enterprise may have internal federations, SaaS federations, 1 to 1 federation with partners. In all these cases, a great idea would be to create payloads which are “standard configurations” for each of these category of federation partnerships and save these payloads as templates.

The next time, you need to create a partnership, you could reuse these templates by changing only the minimum number of parameters and use the modified payloads via REST APIs to create new ones, thus saving a lot of time!

 

Scenario 2: - Migrating an SP/IDP partnership from a staging dev environment to production

These APIs also can be used when migrating an SP/IDP partnership from a staging dev environment into production, thus simplifying the migration process.  

 

Scenario 3: - Updating an existing partnership is also very easy with REST APIs.

For details on using all the APIs and payloads, refer to our technical publications or REST API interactive reference documentation.

 

Also, we will continue to expand these functionalities to cover OpenID Connect federations. I will update this post once the REST APIs for OpenID Connect makes it into validation builds. Stay tuned for more!

Outcomes