
SAML With API Gateway

Question asked by SamWalker on Aug 15, 2017
Latest reply on Aug 16, 2017 by glejo03

Friends, I appreciate you taking the time to read the long post. I hope I made it clear so you can understand my requirement.


I have 2 web applications, service.com and grow.com. At present, they both have their own security / access control with users being managed in their back-end user repositories. The new requirement is to find SSO between these 2 applications. Usernames for both apps are the same. They both support the SAML 2.0 HTTP POST profile, so the easiest option would be to use SiteMinder as the IDP and have both apps integrate with SiteMinder (hosted internally) in a federation partnership.

User logs into service.com, service.com goes to the SiteMinder IDP (idplogin.com) for authentication, SMSESSION is created and the SAML token is created. The user's browser has SMSESSION for the SiteMinder IDP domain.
Within service.com, the user clicks on a link to grow.com, grow.com forwards the user to the SiteMinder IDP @ idplogin.com, the IDP loads SMSESSION and creates a SAML token for grow.com.

A simple and straightforward use case; however, we ran into a few issues outside of the technical teams, so we were asked to search for alternatives. So we have decided to see if API Gateway can take the role of SiteMinder in the above use case. Now the proposed flow looks like this:

User logs into service.com, service.com goes to API Gateway (apilogin.com) for authentication, APIGatewaySESSION is created (is it possible?) and the SAML token is created. The user's browser has APIGatewaySESSION for API Gateway's IDP domain.
Within service.com, the user clicks on a link to grow.com, grow.com forwards the user to API Gateway (apilogin.com), the IDP loads APIGatewaySESSION and creates a SAML token for grow.com.

There is no IDP-initiated authentication, only SP-initiated.

As a Gateway newbie, I find the APIM documentation challenging; at the same time, API Gateway SAML config is not as straightforward as SiteMinder's is. Can anyone suggest the best way to implement my requirement?

Does the gateway support browser artifact, or does it only support token profiles? With token profiles, how do I exchange Gateway information with the SP and vice versa?

How do I create a cookie with the API Gateway session for service.com (so it is consumed when grow.com is requested) along with the SAML token? Vice versa is not needed.
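
The SP-initiated flow described in the post, as an added sketch that is not part of the original post and is not API Gateway or SiteMinder configuration: it models the IdP-side decision for each incoming AuthnRequest (show the login form, or reuse the IdP session cookie and issue an assertion for the requesting SP). The entity IDs, ACS URLs, function names and the use of the HTTP-Redirect binding for the request are assumptions, and credential checking and assertion signing are left out.

```python
import base64, secrets, zlib
import xml.etree.ElementTree as ET  # production code should use a hardened XML parser

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed SP registry (hypothetical entity IDs): entityID -> the only ACS URL allowed.
REGISTERED_SPS = {"https://service.com/sp": "https://service.com/saml/acs",
                  "https://grow.com/sp": "https://grow.com/saml/acs"}
SESSIONS = {}  # IdP session cookie value -> username; cookie is scoped to the IdP host only

def encode_authn_request(issuer, acs_url):
    """SP side: minimal AuthnRequest, raw-DEFLATE + base64 (HTTP-Redirect binding)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_{secrets.token_hex(8)}" Version="2.0" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()

def handle_sso(saml_request, cookie=None, authenticated_user=None):
    """IdP side: return the next step for one SP-initiated request."""
    try:
        raw = base64.b64decode(saml_request, validate=True)
        xml = zlib.decompressobj(wbits=-15).decompress(raw, 65536)  # cap inflated size
        root = ET.fromstring(xml)
    except (ValueError, zlib.error, ET.ParseError):
        return {"action": "reject"}
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    acs = REGISTERED_SPS.get(issuer)
    # Never post an assertion to a URL taken only from the request.
    if acs is None or root.get("AssertionConsumerServiceURL") not in (None, acs):
        return {"action": "reject"}
    user, new_cookie = SESSIONS.get(cookie), None
    if user is None:
        if authenticated_user is None:
            return {"action": "login"}       # no IdP session yet: show the login form
        user = authenticated_user            # assumed: login form already verified
        new_cookie = secrets.token_urlsafe(32)
        SESSIONS[new_cookie] = user
    return {"action": "assert", "subject": user, "audience": issuer,
            "post_to": acs, "in_response_to": root.get("ID"), "set_cookie": new_cookie}
```

The session cookie is set and read only by the IdP host, so the second SP gets SSO because the browser returns to the IdP carrying that cookie, not because either SP can see it.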
