AnsweredAssumed Answered

How to expose REST services to support Siteminder authentication & authorization ?

Question asked by techsarwan on Jan 10, 2018
Latest reply on Jan 11, 2018 by CBertagnolli

Like • Show 0 Likes0
Comment • 3

Hi All,

We have Web services based authentication & authorization running in CA Access Gateway. I am exploring the possible ways to use API Gateway to provide the same functionality. For an example, CA Access Gateway supports login,blogin,authz,logoff calls for REST based authentications. Noticed that there is a service restman already running and service the REST based operations which we use it for migration activity.

Could you help me how can I use Siteminder login so that the application can post the credentials to API G/W which checks Siteminder for validation and return the headers.

CBertagnolli

Jan 10, 2018 6:21 PM

Correct Answer

For username+password you can send them in via Require HTTP Basic or via a POST parameter username+password extracted via XPath. For certificates, I've only used it getting the creds via the "Require TLS client cert auth" for direct connections, it follows similar basic logic to below but X509 as the authenticate and maps to an X509 protected auth scheme in SiteMinder; that way it uses that cred instead of expecting a password; but I imagine you could get a cert via a parameter in order to pass through too.

Can't upload a full policy, but here's a password example logic that might help get started if nobody else has a full policy they can just upload.

Password

**Pre-req: Agent (e.g., MyAgent) and application object setup in SiteMinder that enforces password log in on the component (e.g., /password)
Require TLS with client cert auth
- At minimum you need to require TLS, but up to you if you'd need client cert auth to use the service or not.
Authorize client cert making the call
- To ensure not just any person can POST user creds to the endpoint.
Validate form POST for your security reqs (invalid chars, expected params only, etc)
Set variable ssozone As String to appzone (from SiteMinder whatever you need your SSO Zone to be if you're not using default SM)
Set variable for agentname as String to MyAgent (set this to the agent mapped to the password component)
Set variable for resource as String (set this to the resource protected by component /password)
Set variable for username submitted As String to ${request.http.parameter.username}
Set variable for password submitted As String ${request.http.parameter.password}
Set variable for xpathform As Message to <form/>
${xpathform}: Require XPath Credential: login = $username, password = $password
- Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
Request: Check Protected Resource Against CA SSO
- Agent = agentname
- Protected Resource = resource
- Action = POST
${xpathform}: Authenticate Against CA SSO
- Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
- Properties:
  - Use Last Credentials
  - Supported Credential Types: Username Password
  - SSO Token: Create SSO Token and SSO Zone Name = ${ssozone}
Request Authorize via CA SSO
- Properties: User SSO Token from CA Single Sign-On context
Return Template Response to Requestor
- Put your response here. Can use a variable or whatever. So like if I built a JSON response in some fashion would go here with Response Content type = application/json and Response Body = JSON Response variable or manually inputed
  - E.g.,
    {
    "ssotoken" : "${siteminder.smcontext.ssotoken",
    "ssozone" : "${siteminder.smcontext.attributes.ATTR_SSOZONE}",
    "maxtime" : "${siteminder.smcontext.attributes.ATTR_MAXSESSIONTIMEOUT}",
    "userdn" : "${siteminder.smcontext.attributes.MYAPP_USERDN}", <-- this would be header setup as a response header in SM
    "upn" : "${siteminder.smcontext.attributes.MYAPP_UPN}" <-- this would be header setup as a response header in SM
    }

Of course you'd want to adjust that to your setup and however you want to make appropriate variables, other security checks (IP whitelist, rate limiting, etc), authentication to the service itself, and anything else ya might need.

See the reply in context

No one else had this question

Outcomes

CBertagnolli

Jan 10, 2018 6:21 PM

Can't upload a full policy, but here's a password example logic that might help get started if nobody else has a full policy they can just upload.

Password

**Pre-req: Agent (e.g., MyAgent) and application object setup in SiteMinder that enforces password log in on the component (e.g., /password)
Require TLS with client cert auth
- At minimum you need to require TLS, but up to you if you'd need client cert auth to use the service or not.
Authorize client cert making the call
- To ensure not just any person can POST user creds to the endpoint.
Validate form POST for your security reqs (invalid chars, expected params only, etc)
Set variable ssozone As String to appzone (from SiteMinder whatever you need your SSO Zone to be if you're not using default SM)
Set variable for agentname as String to MyAgent (set this to the agent mapped to the password component)
Set variable for resource as String (set this to the resource protected by component /password)
Set variable for username submitted As String to ${request.http.parameter.username}
Set variable for password submitted As String ${request.http.parameter.password}
Set variable for xpathform As Message to <form/>
${xpathform}: Require XPath Credential: login = $username, password = $password
- Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
Request: Check Protected Resource Against CA SSO
- Agent = agentname
- Protected Resource = resource
- Action = POST
${xpathform}: Authenticate Against CA SSO
- Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
- Properties:
  - Use Last Credentials
  - Supported Credential Types: Username Password
  - SSO Token: Create SSO Token and SSO Zone Name = ${ssozone}
Request Authorize via CA SSO
- Properties: User SSO Token from CA Single Sign-On context
Return Template Response to Requestor
- Put your response here. Can use a variable or whatever. So like if I built a JSON response in some fashion would go here with Response Content type = application/json and Response Body = JSON Response variable or manually inputed
  - E.g.,
    {
    "ssotoken" : "${siteminder.smcontext.ssotoken",
    "ssozone" : "${siteminder.smcontext.attributes.ATTR_SSOZONE}",
    "maxtime" : "${siteminder.smcontext.attributes.ATTR_MAXSESSIONTIMEOUT}",
    "userdn" : "${siteminder.smcontext.attributes.MYAPP_USERDN}", <-- this would be header setup as a response header in SM
    "upn" : "${siteminder.smcontext.attributes.MYAPP_UPN}" <-- this would be header setup as a response header in SM
    }

1 person found this helpful

Actions

techsarwan @ CBertagnolli on Jan 11, 2018 8:30 AM

Thank you for the details notes. I am new to CA API G/W world and just started getting my hands dirty. I will try this and post my update. Could you share any reference document where I can go-through the list of assertion used frequently and kind of manual for each assertion.

Actions

CBertagnolli

@ techsarwan on Jan 11, 2018 3:54 PM

Docops has pretty good list and explanation of each one. Sometimes it's not always clear when you want to leverage certain things. I'm still pretty new to the GW too, so still figuring a lot of things out .

But here's some stuff I found useful when setting up the CA SSO token services -

--- Doing Math operations ---

Math Expression Assertion

Mathematical functions within Policy

How can I create a simple arithmetic operation (a b, for example)?

Within the context of CA SSO, if you want remaining time on a session you can use XPath to calculate time remaining on an SSO token to return to an app. From what I've found the API GW doesn't support the standard web agent headers regarding time left. So you get the max time, last time, and idle time only; then have to calculate the time remaining yourself based on server time (if it's already expired and you're on the latest version it should just fail but if you want to know how much time is left on an active session, need to do this).

End up with something like: $maxSessionTime - ($gateway.time.seconds - $startSessionTime)

--- XPath credentials via context variables ---

Custom HTTP Authorization Header

--- CA SSO variables ---

CA Single Sign-On Context Variables - CA API Gateway - 9.2 - CA Technologies Documentation

Just have to remember if you only do the authenticate call you may not get all variables. Some only get sent with an authorize call. That's a standard CA SSO thing.

Actions

3 Replies

CBertagnolli Jan 10, 2018 6:21 PM
Unmark Correct
Correct Answer
For username+password you can send them in via Require HTTP Basic or via a POST parameter username+password extracted via XPath. For certificates, I've only used it getting the creds via the "Require TLS client cert auth" for direct connections, it follows similar basic logic to below but X509 as the authenticate and maps to an X509 protected auth scheme in SiteMinder; that way it uses that cred instead of expecting a password; but I imagine you could get a cert via a parameter in order to pass through too.

Can't upload a full policy, but here's a password example logic that might help get started if nobody else has a full policy they can just upload.

Password
- **Pre-req: Agent (e.g., MyAgent) and application object setup in SiteMinder that enforces password log in on the component (e.g., /password)
- Require TLS with client cert auth
  At minimum you need to require TLS, but up to you if you'd need client cert auth to use the service or not.
- Authorize client cert making the call
  To ensure not just any person can POST user creds to the endpoint.
- Validate form POST for your security reqs (invalid chars, expected params only, etc)
- Set variable ssozone As String to appzone (from SiteMinder whatever you need your SSO Zone to be if you're not using default SM)
- Set variable for agentname as String to MyAgent (set this to the agent mapped to the password component)
- Set variable for resource as String (set this to the resource protected by component /password)
- Set variable for username submitted As String to ${request.http.parameter.username}
- Set variable for password submitted As String ${request.http.parameter.password}
- Set variable for xpathform As Message to <form/>
- ${xpathform}: Require XPath Credential: login = $username, password = $password
  Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
- Request: Check Protected Resource Against CA SSO
  Agent = agentname
  Protected Resource = resource
  Action = POST
- ${xpathform}: Authenticate Against CA SSO
  Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
  Properties:
  Use Last Credentials
  Supported Credential Types: Username Password
  SSO Token: Create SSO Token and SSO Zone Name = ${ssozone}
- Request Authorize via CA SSO
  Properties: User SSO Token from CA Single Sign-On context
- Return Template Response to Requestor
  Put your response here. Can use a variable or whatever. So like if I built a JSON response in some fashion would go here with Response Content type = application/json and Response Body = JSON Response variable or manually inputed
  E.g.,
  {
  "ssotoken" : "${siteminder.smcontext.ssotoken",
  "ssozone" : "${siteminder.smcontext.attributes.ATTR_SSOZONE}",
  "maxtime" : "${siteminder.smcontext.attributes.ATTR_MAXSESSIONTIMEOUT}",
  "userdn" : "${siteminder.smcontext.attributes.MYAPP_USERDN}", <-- this would be header setup as a response header in SM
  "upn" : "${siteminder.smcontext.attributes.MYAPP_UPN}" <-- this would be header setup as a response header in SM
  }
Of course you'd want to adjust that to your setup and however you want to make appropriate variables, other security checks (IP whitelist, rate limiting, etc), authentication to the service itself, and anything else ya might need.
1 person found this helpful
Like • Show 1 Like1
Actions
- techsarwan @ CBertagnolli on Jan 11, 2018 8:30 AM
  Mark Correct
  Correct Answer
  Thank you for the details notes. I am new to CA API G/W world and just started getting my hands dirty. I will try this and post my update. Could you share any reference document where I can go-through the list of assertion used frequently and kind of manual for each assertion.
  Like • Show 0 Likes0
  Actions
  - CBertagnolli @ techsarwan on Jan 11, 2018 3:54 PM
    Mark Correct
    Correct Answer
    Docops has pretty good list and explanation of each one. Sometimes it's not always clear when you want to leverage certain things. I'm still pretty new to the GW too, so still figuring a lot of things out .
    
    But here's some stuff I found useful when setting up the CA SSO token services -
    
    --- Doing Math operations ---
    Math Expression Assertion
    Mathematical functions within Policy
    How can I create a simple arithmetic operation (a b, for example)?
    
    Within the context of CA SSO, if you want remaining time on a session you can use XPath to calculate time remaining on an SSO token to return to an app. From what I've found the API GW doesn't support the standard web agent headers regarding time left. So you get the max time, last time, and idle time only; then have to calculate the time remaining yourself based on server time (if it's already expired and you're on the latest version it should just fail but if you want to know how much time is left on an active session, need to do this).
    
    End up with something like: $maxSessionTime - ($gateway.time.seconds - $startSessionTime)
    
    --- XPath credentials via context variables ---
    Custom HTTP Authorization Header
    
    --- CA SSO variables ---
    CA Single Sign-On Context Variables - CA API Gateway - 9.2 - CA Technologies Documentation
    
    Just have to remember if you only do the authenticate call you may not get all variables. Some only get sent with an authorize call. That's a standard CA SSO thing.
    Like • Show 0 Likes0
    Actions

How to expose REST services to support Siteminder authentication & authorization ?

Outcomes

Related Content

Recommended Content

Incoming Links