Hi All,
We have Web services based authentication & authorization running in CA Access Gateway. I am exploring the possible ways to use API Gateway to provide the same functionality. For example, CA Access Gateway supports login, blogin, authz and logoff calls for REST-based authentication. I noticed that there is a service, restman, already running and servicing the REST-based operations, which we use for migration activity.
Could you help me with how I can use SiteMinder login so that the application can post the credentials to the API G/W, which checks SiteMinder for validation and returns the headers?
For username+password you can send them in via Require HTTP Basic or via a POST parameter username+password extracted via XPath. For certificates, I've only used it getting the creds via the "Require TLS client cert auth" for direct connections. It follows similar basic logic to below but X509 as the authenticate and maps to an X509 protected auth scheme in SiteMinder; that way it uses that cred instead of expecting a password. But I imagine you could get a cert via a parameter in order to pass through too.
Can't upload a full policy, but here's a password example logic that might help get started if nobody else has a full policy they can just upload.
Password
{
  "ssotoken" : "${siteminder.smcontext.ssotoken}",
  "ssozone" : "${siteminder.smcontext.attributes.ATTR_SSOZONE}",
  "maxtime" : "${siteminder.smcontext.attributes.ATTR_MAXSESSIONTIMEOUT}",
  "userdn" : "${siteminder.smcontext.attributes.MYAPP_USERDN}",   <-- this would be header setup as a response header in SM
  "upn" : "${siteminder.smcontext.attributes.MYAPP_UPN}"   <-- this would be header setup as a response header in SM
}
Of course you'd want to adjust that to your setup and however you want to make appropriate variables, other security checks (IP whitelist, rate limiting, etc), authentication to the service itself, and anything else ya might need.