Layer7 API Management

  • 1.  MAG + OTK Implementation with multiple IDPs

    Posted Jan 07, 2019 08:38 PM

    Hi all,


    A customer is implementing MAG 4.1 + OTK 4.2 + Gtw 9.3 with two nodes (in cluster) and API Portal 4.2.x.


    They have different business units, where each one must have one or more mobile applications using MAG and each business unit has its own authentication repository (LDAP or database).


    How can they achieve this goal? What is the best practice in this case?


    1 - Custom grant types for each business unit?
    2 - Creating different Instance Modifiers for OTK and MAG for each BU?
    3 - Any other suggestions?


    Thanks for your help.

    -Darcio



  • 2.  Re: MAG + OTK Implementation with multiple IDPs

    Broadcom Employee
    Posted Jan 09, 2019 08:35 AM

    Hi Darcio,


    Assuming the business units are both reporting under the same GW/MAG/OTK installation, I would think the instance modifier would be the preferred solution to authenticate against different IDPs.


    Regards,

    Joe



  • 3.  Re: MAG + OTK Implementation with multiple IDPs

    Posted Jan 09, 2019 02:36 PM

    Hi Joe,


    Thanks for your reply.


    Yes, the business units are reporting under the same GW/MAG/OTK installation. I agree with you, the instance modifier would be the preferred solution.


    The customer is trying to use a "provider_hint" parameter in the HTTP header and/or as an HTTP parameter, so that the OTK User Authentication Extension policy can read this information and select the correct IDP.


    They created a class called MASAuthCredentialsPasswordCustom that implements MASAuthCredentials and includes the "provider_hint" in the header and in the parameter (query string), and MAG sends these parameters to the gateway.


    Regards.

    Darcio
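    The routing described in this reply, modelled as an added example (not Layer7, OTK or MAS SDK code): a client-supplied "provider_hint" arrives in a header or query parameter, and the gateway-side policy uses it to pick the business unit's IDP. The registry of hints, the IDP names and the in-memory credential checks are constructed stand-ins for the real LDAP or database lookups. Because the hint is attacker-controllable input, the lookup is an allowlist: an unknown or missing hint is rejected with a reason rather than silently falling back to some default repository.

    ```python
    """Model of provider_hint-based IDP selection (added example, not Layer7/OTK/MAS code)."""
    from dataclasses import dataclass
    from typing import Callable, Mapping, Optional, Tuple


    @dataclass(frozen=True)
    class Idp:
        """One business unit's authentication repository (hypothetical)."""
        name: str
        verify: Callable[[str, str], bool]  # (username, password) -> bool


    # Constructed sample credential stores standing in for an LDAP directory and a database.
    _BU_A_USERS = {"alice": "pw-a"}
    _BU_B_USERS = {"bob": "pw-b"}

    # Allowlist: only hints registered here can ever select an IDP (constructed registry).
    IDP_REGISTRY: Mapping[str, Idp] = {
        "bu-a": Idp("BU-A LDAP", lambda u, p: _BU_A_USERS.get(u) == p),
        "bu-b": Idp("BU-B DB", lambda u, p: _BU_B_USERS.get(u) == p),
    }

    HINT_HEADER = "provider_hint"  # header name as used in the thread
    HINT_PARAM = "provider_hint"   # query-string parameter of the same name


    def extract_hint(headers: Mapping[str, str], query: Mapping[str, str]) -> Optional[str]:
        """Prefer the header, fall back to the query parameter; None if neither is present."""
        for key, value in headers.items():          # HTTP header names are case-insensitive
            if key.lower() == HINT_HEADER:
                return value.strip() or None
        value = query.get(HINT_PARAM)
        return value.strip() if value and value.strip() else None


    def select_idp(headers: Mapping[str, str], query: Mapping[str, str]) -> Tuple[Optional[Idp], str]:
        """Resolve the hint against the allowlist; never default to a repository on a bad hint."""
        hint = extract_hint(headers, query)
        if hint is None:
            return None, "missing provider_hint"
        idp = IDP_REGISTRY.get(hint)
        if idp is None:
            return None, f"unknown provider_hint {hint!r}"   # worth logging for detection
        return idp, "ok"


    def authenticate(headers: Mapping[str, str], query: Mapping[str, str],
                     username: str, password: str) -> dict:
        """Route the credential check to the selected IDP and report the outcome."""
        idp, reason = select_idp(headers, query)
        if idp is None:
            return {"authenticated": False, "idp": None, "reason": reason}
        ok = idp.verify(username, password)
        return {"authenticated": ok, "idp": idp.name,
                "reason": "ok" if ok else "invalid credentials"}


    if __name__ == "__main__":
        print(authenticate({"Provider_Hint": "bu-a"}, {}, "alice", "pw-a"))
        print(authenticate({}, {"provider_hint": "nope"}, "alice", "pw-a"))
    ```

    The header wins over the query parameter when both are present, so the precedence is fixed rather than depending on request order; if the real policy should instead bind the hint to the registered client rather than trust it per request, the registry lookup is the place to add that check.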



  • 4.  Re: MAG + OTK Implementation with multiple IDPs

    Posted Jan 10, 2019 03:19 PM

    An issue with this approach is Dev Portal 4.2.x. Since it works only with the default OTK instance, any app created on the Portal will exist only in the default OTK. Also, the services will have to check the token with the correct instance assertion.



  • 5.  Re: MAG + OTK Implementation with multiple IDPs
    Best Answer

    Posted Jan 10, 2019 04:51 PM

    Hi Leandro,


    The Portal integration could be a problem. The customer is testing the option with the hint to select the correct IDP. With this approach they will need just one installation of OTK and MAG.


    Thanks for your reply.


    Regards,

    Darcio