Layer7 API Management

CA API gateway uses SAML with onelogin.com 

Jun 25, 2015 12:57 PM

The CA API Gateway can be configured to act as Service Provider (SP), Identity Provider (IdP) or both. In this sample the Gateway is used as SP and the IDaaS platform onelogin.com is used as IdP. The communication is configured to use SAML 2.0. The samples were developed by Ben_Urbanski, I think; see the attached XML files.


First of all I set up the two services for SP and IdP in the gateway to work as designed.


  1. Create a "Publish Web API" as SP with the custom resolution path "/saml2/websso/serviceprovider".
  2. Import the policy SAML SSO ServiceProvider.xml into the above service.
  3. Create a "Publish Web API" as IdP with the custom resolution path "/saml2/websso/identityprovider".
  4. Import the policy SAML SSO IdentityProvider.xml into the above service.
  5. Check that it works by opening the URL "http://explore.apim.ca:8080/saml2/websso/serviceprovider" in your browser.
  6. You should be redirected to a login page on the gateway.


To move the example to onelogin, you have to set up onelogin first.


For the test I received a onelogin domain with the name "catest.onelogin.com". The admin user which is used to administer the domain is "steffen.miller@ca.com".


1. Create a new user, e.g. "steffen@catest.com", in the tab "Users". It is important to create the user with the right domain, here "catest.com".

users_all.jpg

2. Check that the user is added to the "Default" role. If there is no default role, create one and add the user to it.

3. Add a new app of type "OneLogin SAML Test (IdP w/ attr)"

create_app_0_config.jpg

4. Insert the Service Provider (SP) information.

create_app_1.jpg

5. In the SSO tab you can find the information needed for the SAML setup in the SP.

create_app_4_ss0.jpg

6. In the Access tab you have to add the "Default" role to allow all users in this role access to that app.

create_app_2.jpg

7. In the app's Users tab, check that your test user is shown.

create_app_3.jpg

8. Now we have to change the SP on the gateway to use onelogin as IdP. Therefore open the SP in the Policy Manager, go to line 44 "Build SAML Protocol Request" and open the wizard.


pm_overview.jpg


pm_1.jpg

9. Set the entries according to the following images.

pm_2.jpg

10. Insert the "SAML 2.0 Endpoint (HTTP)" from onelogin into the Destination field.

pm_3.jpg

11. Leave fields 4 to 8 unchanged, and change the Recipient to the "Issuer URL" from onelogin.

pm_9.jpg

12. In the SP change the following lines:

     - line 34: deactivate
     - line 35: set identityProviderURL to "https://catest.onelogin.com/trust/saml2/http-post/sso/457021", as in the onelogin "SAML 2.0 Endpoint (HTTP)" field.

13. Test the setup with "http://explore.apim.ca:8080/saml2/websso/serviceprovider"; you should be redirected to the login page shown below.

login.jpg

14. After a successful login, you should be redirected to the page shown below.

login_success.jpg
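The SP side of the exchange configured above, as an added example in Python (not the gateway's policy and not code from the post): it builds the AuthnRequest that carries the onelogin SSO endpoint as Destination, encodes it for the HTTP-Redirect binding, and checks that a Response coming back is addressed to this SP. It assumes the SP entity ID and assertion consumer URL both equal the SP service URL from the post, and it does not cover signature validation, which the gateway policy handles separately.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Values from the post. Assumption: SP entity ID and ACS URL equal the SP service URL.
IDP_SSO_URL = "https://catest.onelogin.com/trust/saml2/http-post/sso/457021"
SP_URL = "http://explore.apim.ca:8080/saml2/websso/serviceprovider"


def build_authn_request(request_id, issue_instant, destination=IDP_SSO_URL, sp_url=SP_URL):
    """AuthnRequest the SP sends; Destination is the IdP SSO endpoint (identityProviderURL)."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{destination}" AssertionConsumerServiceURL="{sp_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_url}</saml:Issuer></samlp:AuthnRequest>"
    )


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode -> the SAMLRequest= value."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return quote(base64.b64encode(deflated).decode(), safe="")


def decode_redirect(param):
    """Inverse of encode_redirect, as the IdP does on receipt."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode()


def check_response_targets(response_xml, sp_url=SP_URL):
    """SP-side checks: Destination, Recipient and Audience must name this SP. Returns problems."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != sp_url:
        problems.append("Destination does not match SP ACS URL")
    scd = root.find(f".//{{{SAML}}}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != sp_url:
        problems.append("Recipient does not match SP ACS URL")
    aud = root.find(f".//{{{SAML}}}Audience")
    if aud is None or aud.text != sp_url:
        problems.append("Audience does not match SP entity ID")
    return problems
```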



Attachment(s)
SAML SSO IdentityProvider.xml.zip (3 KB, 1 version, uploaded May 29, 2019)
SAML SSO ServiceProvider.xml.zip (3 KB, 1 version, uploaded May 29, 2019)
