Using Gateway as SSO IDP for Portal 4.2 Login

Blog Post created by Ronald_Dsouza_Sanlam on Jul 5, 2018


Portal supports multiple SSO logins from version onwards. The requirement was to ensure that a user could log in to multiple business units with minimum with the SSO hosted on the CA API Gateway (tested on version 9.2 onwards).



Create a policy on the API Gateway called gtenants* and add a Compare condition for gtenants.json and gtenants.js to display the page as per the sample attached.


gtenants.json file to load all business units

gtenants.js file to load the drop-down


Sample file attached


Create a Web API (tenant/portal/)



On creation, import the policy


Handle Gateway Error (Encapsulation)

Search In Array (Encapsulation)


Changes to be made in SAML_Portal

1. Update the context variables

2. Update the customization for URL Match

This match is to protect the site from and to customize the login page as per the incoming URL

e.g.: will have a particular branding; will have a particular branding

Based on the branding, update the following context variables


You can customize the template as per your requirement in the next section

Validation as per your SAML request from the Portal


SAML Form (action default and submit)


Customize your request validation here


I have created a separate login for allowing validation that gives me a response as per jsonOutput

Process for extracting parameters from the JSON




This is the important section: map your user login with the groups returned in the response

I have mapped

System administrator --> trimmed it and added it to the group variable (Systemadministrator)

-- You can skip this step and directly map the user to the group in the tenant

NOTE: The following process will fail if multiple groups are returned in the SAMLResponse to the portal, so ensure that there is only a 1-to-1 mapping in the group attribute of the SAML response for a user in an organization.

Hence the translation.


This is the most-privileged-permission method, used in case a user belongs to more than one group




Update your SAML response certificate


This certificate should match the one imported into the portal

Save your Policy



On the PORTAL:

1. Create a new authentication scheme

2. Select provider SSO

3. Update the Issue ID

4. Do the same for Service Provider ID

Note: you can force service provider validation by using the Compare option to validate the IDs against a comma-separated list of allowed IDs (use the Search In Array option). This is how to restrict service provider validation on the gateway.
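The group translation and 1-to-1 rule described in the mapping section, together with the comma-separated service provider check in the note above, as an added example that is not part of the original post or of the gateway policy. It assumes a SAML attribute named "groups", a hypothetical privilege order and a constructed attribute statement; on the gateway itself these steps are the Compare and Search In Array assertions.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the attribute statement the IdP policy would place in the SAMLResponse
SAMPLE_ATTRS = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="groups">
    <saml:AttributeValue> System administrator </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical privilege order, most privileged first (assumption, not a Portal constant)
PRIVILEGE_ORDER = ["Systemadministrator", "Developer"]


def translate_group(value):
    """Trim the group name: 'System administrator' -> 'Systemadministrator'."""
    return "".join(value.split())


def extract_groups(xml_text, attribute_name="groups"):
    """Return the translated group values carried by the named SAML attribute."""
    root = ET.fromstring(xml_text)
    for attr in root.findall("saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values = attr.findall("saml:AttributeValue", SAML_NS)
            return [translate_group(v.text or "") for v in values]
    return []


def select_group(groups):
    """Single group: use it. Several groups: take the most privileged one.
    An unrecognised or empty list fails closed (no portal login)."""
    for candidate in PRIVILEGE_ORDER:
        if candidate in groups:
            return candidate
    raise ValueError("no recognised group in SAML response")


def service_provider_allowed(sp_id, allowed_csv):
    """Search In Array equivalent: is sp_id one of the comma-separated allowed IDs?"""
    allowed = [item.strip() for item in allowed_csv.split(",") if item.strip()]
    return sp_id in allowed


if __name__ == "__main__":
    print(select_group(extract_groups(SAMPLE_ATTRS)))
```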



Finally, map the attributes from the SAML response.

Changing this parameter requires updating the Create SAML token attribute



A working test:

Redirected to Gateway Login Page


Logged in to an organization with a user ID


Test Complete