Using Gateway as SSO IDP for Portal 4.2 Login

Blog post created by dsoro02 (Employee) on Jul 5, 2018

Task:

Portal supports multiple SSO logins from version 4.2.5.1 onwards. The requirement was to ensure that a user could log in to multiple business units with minimal overhead, using the SSO identity provider hosted on the CA API Gateway (tested on version 9.2 onwards).

Requirements

Create a policy on the API Gateway called gtenants* and add a compare condition that serves gtenants.json and gtenants.js, to display the page as per the attached sample.

gtenants.json loads all business units.

gtenants.js loads the drop-down.

Sample files attached.
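The attached sample files are not reproduced on this page, so the following is an added example (not the author's gtenants.json or gtenants.js) of what the two files need to do: a constructed gtenants.json listing business units, and the drop-down rendering logic gtenants.js would run. The JSON layout, the tenant ids and the element id "tenant" are assumptions. Tenant names are HTML-escaped before they reach the login page, and malformed entries are dropped rather than rendered.

```javascript
// Added example, not from the original post. The JSON layout is an assumption;
// the entries are constructed, including one with markup in the name and one
// malformed entry, to show how rendering must handle them.
const GTENANTS_JSON = JSON.stringify({
  tenants: [
    { id: "bu-finance", name: "Finance Business Unit", host: "domain.partner1.com" },
    { id: "bu-retail",  name: "Retail Business Unit",  host: "domain.partner2.com" },
    { id: "bu-3",       name: 'Name with <b>markup</b> & "quotes"', host: "" },
    { id: "",           name: "malformed entry, dropped" }
  ]
});

// Escape text before it lands in HTML so a tenant name taken from the JSON file
// cannot inject markup into the gateway-served login page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Parse gtenants.json and keep only well-formed entries (non-empty string id,
// string name). Anything else is silently dropped from the drop-down.
function parseTenants(jsonText) {
  const doc = JSON.parse(jsonText);
  if (!doc || !Array.isArray(doc.tenants)) {
    throw new Error("gtenants.json: missing tenants array");
  }
  return doc.tenants
    .filter(t => t && typeof t.id === "string" && typeof t.name === "string" && t.id.trim() !== "")
    .map(t => ({
      id: t.id.trim(),
      name: t.name.trim(),
      host: typeof t.host === "string" ? t.host : ""
    }));
}

// Build the <option> markup for the drop-down. Pure string output so it can be
// unit-tested without a browser; the browser wiring below assigns it to the
// <select id="tenant"> element (element id is an assumption).
function renderTenantOptions(jsonText, selectedId) {
  return parseTenants(jsonText)
    .map(t => {
      const sel = t.id === selectedId ? " selected" : "";
      return `<option value="${escapeHtml(t.id)}"${sel}>${escapeHtml(t.name)}</option>`;
    })
    .join("\n");
}

// Browser-only wiring, guarded so the same file also loads under Node for tests.
if (typeof document !== "undefined") {
  fetch("gtenants.json")
    .then(r => r.text())
    .then(text => {
      document.getElementById("tenant").innerHTML = renderTenantOptions(text);
    });
}
```

The rendering is kept as a pure function returning a string: it is the part worth testing, and it keeps the escaping in one place so a later change to the JSON file cannot quietly bypass it.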


Create a Web API (tenant/portal/).

On creation, import the following policies:

SAML_Portal

Handle Gateway Error (Encapsulation)

Search In Array (Encapsulation)


Changes to be made in SAML_Portal

1. Update the context variables.

2. Update the customization for URL match.

This match is used to protect the site and to customize the login page according to the incoming URL.

e.g.:

domain.partner1.com will have a particular branding

domain.partner2.com will have a particular branding

Based on the branding, update the corresponding context variables.
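As an added illustration of the URL match (not the author's policy, which is built from gateway assertions), the code below selects branding context variables from the incoming Host header. The host names, branding values and variable names are constructed. The point worth showing is that the match is exact against a known list and falls back to a default: a substring or prefix match would let a crafted Host such as domain.partner1.com.evil.example pick up partner branding.

```javascript
// Added example, not from the original post. Host names and branding values
// are constructed; in the gateway these would be context variables set by the
// URL-match customization.
const BRANDING = {
  "domain.partner1.com": { brandName: "Partner 1", logo: "/brand/partner1.png", tenantFilter: "bu-finance" },
  "domain.partner2.com": { brandName: "Partner 2", logo: "/brand/partner2.png", tenantFilter: "bu-retail" }
};
const DEFAULT_BRANDING = { brandName: "Default", logo: "/brand/default.png", tenantFilter: "" };

// Normalise the Host header: lower-case, strip any :port, and reject anything
// that is not a plain host name, so a crafted header cannot select an
// unexpected entry.
function normaliseHost(hostHeader) {
  if (typeof hostHeader !== "string") return null;
  const host = hostHeader.trim().toLowerCase().replace(/:\d+$/, "");
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// Exact lookup only; unknown or malformed hosts get the default branding and
// are flagged with matched === false so the policy can log or reject them.
function selectBranding(hostHeader) {
  const host = normaliseHost(hostHeader);
  const hit = host !== null && Object.prototype.hasOwnProperty.call(BRANDING, host);
  return { host, matched: hit, ...(hit ? BRANDING[host] : DEFAULT_BRANDING) };
}
```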

You can customize the template as per your requirements in the next section.

Validation of the SAML request from the Portal


SAML Form (action default and submit)

Customize your request validation here.


I have created a separate login for allowing validation that gives me a response as per jsonOutput.

Process for extracting parameters from JSON

This is the important section: map your user login to the groups returned in the response.

I have mapped:

System administrator --> trimmed it and added it to the group variable (Systemadministrator)

-- You can skip this step and directly map the user to the group in the tenant.

NOTE: The following process will fail if multiple groups are returned in the SAMLResponse to the Portal, so ensure that there is only a 1-to-1 mapping in the group attribute of the SAML response for a user in an organization. Hence the translation.

This is the most-privileged-permission method, in case a user belongs to more than one group.
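The group translation and the "only one group may reach the Portal" rule above, as an added example in plain code (not the author's gateway policy). The group names, the privilege ranking and the two modes are assumptions: strict mode enforces the 1-to-1 mapping by failing when more than one recognised group comes back, and mostPrivileged mode implements the fallback the post describes for a user in several groups by keeping only the highest-ranked one. Unrecognised groups are never forwarded.

```javascript
// Added example, not from the original post. GROUP_RANK and the group names
// are constructed; the normalisation mirrors the post's
// "System administrator" -> "Systemadministrator" translation.

// Trim and drop internal whitespace so the value is usable as a single token.
function normaliseGroup(name) {
  return String(name).trim().replace(/\s+/g, "");
}

// Highest privilege first. Only groups in this list are ever forwarded.
const GROUP_RANK = ["Systemadministrator", "OrgAdministrator", "Developer"];

// Reduce the raw group attribute values to exactly one Portal group.
//   mode "strict"        : fail if more than one distinct known group (1-to-1 rule)
//   mode "mostPrivileged": keep the highest-ranked known group
function mapGroups(rawGroups, mode = "strict") {
  if (!Array.isArray(rawGroups)) return { ok: false, reason: "group attribute missing" };
  const known = [...new Set(rawGroups.map(normaliseGroup))].filter(g => GROUP_RANK.includes(g));
  if (known.length === 0) return { ok: false, reason: "no recognised group" };
  if (known.length > 1 && mode === "strict") {
    return { ok: false, reason: "multiple groups returned: " + known.join(",") };
  }
  known.sort((a, b) => GROUP_RANK.indexOf(a) - GROUP_RANK.indexOf(b));
  return { ok: true, group: known[0] };
}
```

Failing closed in strict mode is deliberate: the post notes that the Portal side breaks on multiple groups, and a clear gateway-side error is easier to diagnose than a half-applied login.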


Update your SAML response certificate.

This certificate should match the one imported into the Portal.

Save your policy.


On the PORTAL:

1. Create a new authentication scheme.

2. Select provider SSO.

3. Update the Issuer ID.

4. Do the same for the Service Provider ID.

Note: you can enforce service provider validation by using the compare option to validate the IDs against a comma-separated list of allowed IDs (use the Search In Array option). This restricts service provider validation on the gateway.
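The comma-separated compare that the note describes, written out as an added example (not the Search In Array encapsulated assertion itself). The entity IDs are constructed. Two details matter in practice and are handled here: stray whitespace and empty elements in the list must not create an empty allowed ID, and the comparison must be exact, since a prefix or substring match would accept an issuer that merely starts with an allowed value.

```javascript
// Added example, not from the original post. The allow-list values are
// constructed; in the gateway this list would live in a context variable.
const ALLOWED_SP_IDS = "https://portal.example.com/sp, https://portal-staging.example.com/sp,,";

// Split the comma-separated list, trimming each entry and dropping empties so
// a trailing comma or double comma never yields an empty "allowed" ID.
function parseAllowList(csv) {
  return String(csv).split(",").map(s => s.trim()).filter(s => s.length > 0);
}

// Exact, case-sensitive comparison: SAML entity IDs are opaque strings, so
// ".../sp/evil" or ".../sp2" must not pass because they share a prefix.
function isAllowedServiceProvider(issuerFromRequest, csv = ALLOWED_SP_IDS) {
  if (typeof issuerFromRequest !== "string") return false;
  const id = issuerFromRequest.trim();
  return id.length > 0 && parseAllowList(csv).includes(id);
}
```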


Finally, map the attributes from the SAML response.

Changing this parameter requires updating the Create SAML Token attribute.


A working test:

Redirected to the Gateway login page.

Logged in to an organization with the user ID.

Test complete.