Using API Gateway 9.3CR02 with OTK 3.6 and MAG 3.2
Policy/Encapsulated Assertion: OTK Require SSL (with Client Certificate)
We have developed an encap that deals, on the DMZ API Gateway, with multi-factor authorization/authentication.
The underlying policy checks for a client certificate as the xth authentication factor using "Require SSL/TLS with Client Certificate".
If the remote application is of "mobile" type, it also checks for "MSSO Require Registered Device" and "OTK Require OAuth 2.0 Token".
The problem is that the call to "MSSO..." in turn calls "OTK Require SSL", which includes a "Require SSL/TLS with Client Certificate". This is where our problem originates.
This second call to "Require SSL/TLS with Client Certificate" sets "request.ssl.clientCertificate" to NULL but nevertheless passes as if nothing were wrong.
Fix: check whether "request.ssl.clientCertificate" is already filled in; if it is, we can skip the "Require SSL or TLS" assertion.
Is this the correct behavior of "Require SSL or TLS"?