Layer7 API Management

Hi all,
we are implementing OAuth2.0 with API Gateway. In our scenario API Gateway will act as

• Authorization Server
• Resource Server because it will expose protected API

A 3rd party external application could invoke and consume protected API acting as OAuth2.0 Client.

During authorization consent the Resoruce Owenr (the user) must be authenticated from the Authorization Server. How the authentication process occurs is not in scope of OAuth2.0 specification.
By defautl API Gateway can authenticate Resource Owners with username and password; futhermore API Gateway can delegate the authentication to SiteMinder.

In this case SiteMinder will validate the username and password provided by the Resource Owner against the user directory configured.

Our question is: can the user be authenticated using other mechnisms (i.e. NTML)? If yes can anyone provide any hint (or samples) in order to properly configure API Gateway policies?

Thnaks in advance,
Daniele

Hi Daniele,

Currently we support the below authentication mechanisms.

Using the Custom Identity Provider you can configure NTLM, Step 5: NTLM Configuration

• Authenticate against a Custom Identity Provider
• Authenticate against CA SiteMinder 

hth,

Hi,

first of all thanks for your reply.

Reading the documentation you provided about NTLM, I understood that in this scenario, the NTML authentication would be performed by API Gateway.

In case we would leverage SiteMinder also for OAuth 2.0 authentication process, is the following high-level approach feasible in your opinion?

1. when needed the OAuth Client redirect the user to authenticate. The user will be redirected to the "/auth/oauth/v2/authorize" endpoint but it will be protected by SiteMinder.

2. SiteMinder will authenticate the user and will generate SMSESSION cookie.

3. The /auth/oauth/v2/authorize endpoint will leverage SMSESSION cookie to consider the user authenticated 

Does anyone have any suggestion about?

Thanks,

Daniele