Layer7 API Management

  • 1.  Policy Backed Identity Provider caching result?

    Posted Oct 01, 2015 02:54 AM

    Hi,

     

    We implemented a policy backed identity provider that uses a policy fragment with a bunch of authentication logic, such as updating number of failed login attempts.

    The backing policy is not executed at every request if the call to Authenticate Against Identity Provider assertion is done within a short period of time (~ 30 seconds).

    There seems to be some caching of the authentication result going on, that causes the Identity Provider to return without executing the backing policy.

     

    I can't see that in any settings or documentation.

    Can anybody confirm this and advise how to make it execute the policy for every request?

    (We could of course skip the use of an IP, but it would be nice to have)

     

    BR,

    Tony



  • 2.  Re: Policy Backed Identity Provider caching result?
    Best Answer

    Posted Oct 01, 2015 09:17 PM

    Hi BR,

     

    Neither the public documentation (Policy-Backed Identity Providers - CA API Gateway - 8.4 - CA Technologies Documentation) nor the internal functional specification for this feature (which I just read) mentions caching.

     

    However, it's possible that the caching logic that governs the other provider types has been inherited by the PB-IDP. There are a number of cluster-wide properties that govern credential caching: Credential Caching Cluster Properties - CA API Gateway - 8.4 - CA Technologies Documentation. I suggest you check out the 'authCache.*' set of properties and the 'authCache.maxFailureTime' property specifically. Coincidentally the default value for this is 30 seconds.

     

    You might try setting this to a different value to see if this affects what you're seeing with your PB-IDP behaviour.

     

    Cheers,

    Julian



  • 3.  Re: Policy Backed Identity Provider caching result?

    Posted Oct 05, 2015 02:07 AM

    Thanks Julian!

     

    The authCache cluster-wide properties for sure affect the behavior of PB-IDP as well.

    Setting authCache.failureCacheSize and authCache.successCacheSize to 0 disables the caching and executes the backing policy for each request.

     

    BR,

    Tony
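
Added example (not part of the thread and not CA API Gateway code): a simplified Python model of an authentication-result cache sitting in front of a backing policy. It shows how a failed-login counter kept by the policy undercounts while a failure stays cached, and how cache sizes of 0 make the policy run on every request. The class and function names, the credentials, the success window and the timestamps are constructed assumptions; only the 30-second failure window and the zero-size behaviour come from the posts above.

```python
from collections import OrderedDict

class ModelIdentityProvider:
    """Toy model of an identity provider fronted by an auth-result cache."""
    def __init__(self, backing_policy, success_size, failure_size,
                 max_success_time=30, max_failure_time=30):
        self.backing_policy = backing_policy
        self.sizes = {True: success_size, False: failure_size}
        self.ttls = {True: max_success_time, False: max_failure_time}
        self.caches = {True: OrderedDict(), False: OrderedDict()}

    def authenticate(self, user, password, now):
        key = (user, password)
        for ok, cache in self.caches.items():
            cached_at = cache.get(key)
            if cached_at is not None and now - cached_at < self.ttls[ok]:
                return ok                    # cache hit: backing policy is skipped
        ok = self.backing_policy(user, password)
        if self.sizes[ok] > 0:               # size 0 models "caching disabled"
            cache = self.caches[ok]
            cache[key] = now
            cache.move_to_end(key)
            while len(cache) > self.sizes[ok]:
                cache.popitem(last=False)    # evict the oldest entry
        return ok

def count_policy_runs(success_size, failure_size, attempt_times):
    """Replay wrong-password attempts; return (policy runs, failed-login counter)."""
    failed_logins = {"alice": 0}             # constructed user
    runs = [0]
    def backing_policy(user, password):
        runs[0] += 1
        ok = password == "correct-horse"     # constructed credential
        if not ok:
            failed_logins[user] += 1         # bookkeeping done by the backing policy
        return ok
    idp = ModelIdentityProvider(backing_policy, success_size, failure_size)
    for t in attempt_times:
        idp.authenticate("alice", "wrong", now=t)
    return runs[0], failed_logins["alice"]

ATTEMPTS = [0, 5, 10, 20, 29, 31]            # constructed timestamps, in seconds

if __name__ == "__main__":
    print("caching on :", count_policy_runs(1000, 1000, ATTEMPTS))
    print("caching off:", count_policy_runs(0, 0, ATTEMPTS))
```

With caching on, six wrong-password attempts reach the backing policy only twice, so any lockout threshold based on its counter is hit later than the configured number of attempts suggests.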