Layer7 API Management

  • 1.  SAML With API Gateway

    Posted Aug 15, 2017 11:21 AM

    Friends, I appreciate you taking the time to read the long post. I hope I have made it clear so you can understand my requirement.


    I have 2 web applications, service.com and grow.com. At present, they both have their own security / access control, with users being managed in their back-end user repositories. The new requirement is to find SSO between these 2 applications. Usernames for both apps are the same. They both support the SAML 2.0 HTTP POST profile, so the easiest option would be to use SiteMinder as the IDP and have both apps integrate with SiteMinder (hosted internally) in a federation partnership.

    User logs into service.com, service.com goes to the SiteMinder IDP (idplogin.com) for authentication, creates SMSESSION and the SAML token is created. User's browser has SMSESSION for the SiteMinder IDP domain.
    Within service.com, user clicks on a link to grow.com; grow.com forwards the user to the SiteMinder IDP @ idplogin.com, the IDP loads SMSESSION and creates a SAML token for grow.com.

    Simple and straightforward use case; however, we ran into a few issues outside of the technical teams, so we are asked to search for alternatives. So, we have decided to see if API Gateway can take the role of SiteMinder from the above use case. Now the proposed flow looks like this:

    User logs into service.com, service.com goes to API Gateway (apilogin.com) for authentication, creates APIGatewaySESSION (is it possible?) and the SAML token is created. User's browser has APIGatewaySESSION for API Gateway's IDP domain.
    Within service.com, user clicks on a link to grow.com; grow.com forwards the user to API Gateway (apilogin.com), the IDP loads APIGatewaySESSION and creates a SAML token for grow.com.

    There is no IDP-initiated authentication, only SP-initiated.

    As a Gateway newbie, I find the APIM documentation challenging; at the same time, API Gateway SAML config is not as straightforward as SiteMinder is. Can anyone suggest the best way to implement my requirement?

    Does the gateway support browser artifact, or does it only support token profiles? With token profiles, how do I exchange Gateway information with the SP and vice versa?

    How do I create a cookie with the API Gateway session for service.com (so it is consumed when grow.com is requested) along with the SAML token? Vice versa is not needed.



  • 2.  Re: SAML With API Gateway
    Best Answer

    Posted Aug 16, 2017 09:31 AM

    Hello Sam,

    So, you want the service (apilogin.com) to act as an IdP? My initial short thought for your policy scenario would be:

    • Does the SAML protocol request come for service.com or grow.com?
      • Service.com
        • Check if the session exists
          • Yes – return resource
          • NO
            • Call IDP service or insert logic here for:
              • Check for samlrequest and relaystate (urlpath+urlquery)
              • Authenticate
              • Create saml token (with sessionid, can be call to SM)
              • Build saml protocol response
              • Return back the samlresponse (with cookie=sessionid)
      • Grow.com
        • Check if the service.com session exists
          • yes
        • Check if the grow.com session exists
          • No
            • Check if samlrequest
            • Create saml token
            • Build saml protocol response (with sessionid, can be call to SM)
            • Return back the saml response


    This is very high level, and for sure steps are missing, but maybe it will give you some initial ideas?


    Regards,


    Josef
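
Added example, not from either post and not Layer7/CA gateway policy: a stdlib-only Python model of the branches Josef outlines above, with apilogin.com acting as the SP-initiated SAML 2.0 IdP for service.com and grow.com over the HTTP-POST binding. The entity IDs, ACS URLs, user store, SP registry and the APIGWSESSION cookie name are assumptions made for the example, and the XML signature on the response is left to the gateway's own signing step; an SP must refuse an unsigned assertion.

```python
"""Toy model of the reply's flow: the API gateway at apilogin.com as SP-initiated SAML 2.0 IdP
for service.com and grow.com (HTTP-POST binding, stdlib only). IDs, URLs, users: constructed."""
import base64
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ET.register_namespace("samlp", NS["samlp"])
ET.register_namespace("saml", NS["saml"])
S, P = "{%s}" % NS["saml"], "{%s}" % NS["samlp"]            # Clark-notation tag prefixes
IDP_ENTITY_ID = "https://apilogin.com/idp"                   # assumed gateway entityID
SP_REGISTRY = {"https://service.com/sp": "https://service.com/saml/acs",   # assumed entityID -> ACS URL
               "https://grow.com/sp": "https://grow.com/saml/acs"}
USERS = {"sam": "correct horse battery staple"}              # constructed shared user store
SESSIONS = {}   # gateway cookie value -> {"user", "index"}; stands in for SMSESSION

def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")

def make_authn_request(issuer, request_id, acs=None):
    """Constructed sample AuthnRequest, base64-encoded as an SP would POST it."""
    xml = ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="%s" Version="2.0" IssueInstant="%s" '
           'AssertionConsumerServiceURL="%s"><saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>'
           % (NS["samlp"], NS["saml"], request_id, _ts(datetime.now(timezone.utc)),
              acs or SP_REGISTRY.get(issuer, ""), issuer))
    return base64.b64encode(xml.encode()).decode()

def parse_authn_request(saml_request_b64):
    """Decode the AuthnRequest and check it against the SP registry. The ACS the token is posted
    to comes from the registry, never from the request, so a tampered URL cannot divert the token."""
    root = ET.fromstring(base64.b64decode(saml_request_b64))
    if root.tag != P + "AuthnRequest":
        raise ValueError("not a SAML AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer not in SP_REGISTRY:
        raise ValueError("unknown SP issuer: %r" % issuer)
    requested_acs = root.get("AssertionConsumerServiceURL")
    if requested_acs is not None and requested_acs != SP_REGISTRY[issuer]:
        raise ValueError("AssertionConsumerServiceURL not registered for %s" % issuer)
    return {"id": root.get("ID"), "issuer": issuer, "acs": SP_REGISTRY[issuer]}

def build_saml_response(req, username, session_index, lifetime=timedelta(minutes=5)):
    """Build the SAML 2.0 Response, base64 for the POST binding. Signing is assumed to happen
    afterwards in the gateway's own signing step (not modelled here)."""
    now = datetime.now(timezone.utc)
    resp = ET.Element(P + "Response", {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                      "IssueInstant": _ts(now), "InResponseTo": req["id"], "Destination": req["acs"]})
    ET.SubElement(resp, S + "Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, P + "Status"), P + "StatusCode",
                  {"Value": "urn:oasis:names:tc:SAML:2.0:status:Success"})
    a = ET.SubElement(resp, S + "Assertion", {"ID": "_" + secrets.token_hex(16), "Version": "2.0",
                                              "IssueInstant": _ts(now)})
    ET.SubElement(a, S + "Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, S + "Subject")
    ET.SubElement(subj, S + "NameID", {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"}).text = username
    sc = ET.SubElement(subj, S + "SubjectConfirmation", {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    # Bearer confirmation ties the assertion to this request, this ACS and a short validity window.
    ET.SubElement(sc, S + "SubjectConfirmationData", {"InResponseTo": req["id"], "Recipient": req["acs"],
                                                      "NotOnOrAfter": _ts(now + lifetime)})
    cond = ET.SubElement(a, S + "Conditions", {"NotBefore": _ts(now - timedelta(seconds=30)),
                                               "NotOnOrAfter": _ts(now + lifetime)})
    ET.SubElement(ET.SubElement(cond, S + "AudienceRestriction"), S + "Audience").text = req["issuer"]
    ET.SubElement(a, S + "AuthnStatement", {"AuthnInstant": _ts(now), "SessionIndex": session_index})
    return base64.b64encode(ET.tostring(resp)).decode()

def handle_sso(saml_request_b64, session_cookie=None, credentials=None, relay_state=None):
    """One SP-initiated SSO round at apilogin.com, following the reply's branches."""
    req = parse_authn_request(saml_request_b64)
    session = SESSIONS.get(session_cookie) if session_cookie else None
    set_cookie = None
    if session is None:                       # no gateway session yet: authenticate first
        if not credentials:
            return {"action": "login_required", "request_id": req["id"], "relay_state": relay_state}
        username, password = credentials      # stand-in for the real user-store call
        if username not in USERS or not hmac.compare_digest(USERS[username].encode(), password.encode()):
            return {"action": "login_failed", "request_id": req["id"], "relay_state": relay_state}
        session_cookie = secrets.token_urlsafe(32)
        # SessionIndex is a separate opaque value, so the cookie value itself never appears in the token.
        session = SESSIONS[session_cookie] = {"user": username, "index": "_" + secrets.token_hex(8)}
        set_cookie = ("APIGWSESSION=%s; Domain=apilogin.com; Path=/; Secure; HttpOnly; SameSite=None"
                      % session_cookie)
    return {"action": "post_response", "acs": req["acs"], "relay_state": relay_state, "set_cookie": set_cookie,
            "SAMLResponse": build_saml_response(req, session["user"], session["index"])}

def decode_response(saml_response_b64):
    """Pull the fields an SP would check out of the Response (inspection only, no signature check)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return {"in_response_to": root.get("InResponseTo"), "destination": root.get("Destination"),
            "name_id": root.find(".//saml:NameID", NS).text, "audience": root.find(".//saml:Audience", NS).text,
            "session_index": root.find(".//saml:AuthnStatement", NS).get("SessionIndex")}

if __name__ == "__main__":
    r = handle_sso(make_authn_request("https://service.com/sp", "_req1"))
    print(r["action"])                                   # login_required: no gateway session yet
    r = handle_sso(make_authn_request("https://service.com/sp", "_req1"),
                   credentials=("sam", "correct horse battery staple"), relay_state="/home")
    cookie = r["set_cookie"].split(";")[0].split("=", 1)[1]
    r = handle_sso(make_authn_request("https://grow.com/sp", "_req2"), session_cookie=cookie)
    print(r["action"], r["set_cookie"], decode_response(r["SAMLResponse"]))   # no second login
```

The cookie answers the first post's last question: it is set on the gateway's own domain (apilogin.com), not on service.com, so when grow.com later redirects the browser to apilogin.com the cookie travels with that request and the second branch of the outline issues a token without a login prompt. Three checks in the model matter more than the XML itself: the ACS URL is resolved from the SP registry rather than copied from the request, the bearer SubjectConfirmationData and AudienceRestriction bind each token to one request and one SP, and the SessionIndex in the token is distinct from the session cookie value.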