We have web services based authentication & authorization running in CA Access Gateway. I am exploring the possible ways to use API Gateway to provide the same functionality. For example, CA Access Gateway supports login, blogin, authz and logoff calls for REST based authentication. I noticed that there is a service, restman, already running and servicing the REST based operations, which we use for migration activity.
Could you help me with how I can use the SiteMinder login so that the application can post the credentials to the API G/W, which checks SiteMinder for validation and returns the headers?
For username+password you can send them in via Require HTTP Basic or via a POST parameter username+password extracted via XPath. For certificates, I've only used it getting the creds via the "Require TLS client cert auth" for direct connections; it follows similar basic logic to below, but with X509 as the authenticate and maps to an X509 protected auth scheme in SiteMinder. That way it uses that cred instead of expecting a password, but I imagine you could get a cert via a parameter in order to pass through too.
Can't upload a full policy, but here's a password example logic that might help get started if nobody else has a full policy they can just upload.
Of course you'd want to adjust that to your setup and however you want to make appropriate variables, other security checks (IP whitelist, rate limiting, etc.), authentication to the service itself, and anything else ya might need.
Thank you for the detailed notes. I am new to the CA API G/W world and just started getting my hands dirty. I will try this and post my update. Could you share any reference document where I can go through the list of assertions used frequently and a kind of manual for each assertion?
Docops has a pretty good list and explanation of each one. Sometimes it's not always clear when you want to leverage certain things. I'm still pretty new to the GW too, so still figuring a lot of things out.
But here's some stuff I found useful when setting up the CA SSO token services -
--- Doing Math operations ---
Math Expression Assertion
Mathematical functions within Policy
How can I create a simple arithmetic operation (a b, for example)?
Within the context of CA SSO, if you want remaining time on a session you can use XPath to calculate time remaining on an SSO token to return to an app. From what I've found, the API GW doesn't support the standard web agent headers regarding time left. So you get the max time, last time, and idle time only; then you have to calculate the time remaining yourself based on server time (if it's already expired and you're on the latest version it should just fail, but if you want to know how much time is left on an active session, you need to do this).
End up with something like: $maxSessionTime - ($gateway.time.seconds - $startSessionTime)
--- XPath credentials via context variables ---
Custom HTTP Authorization Header
--- CA SSO variables ---
CA Single Sign-On Context Variables - CA API Gateway - 9.2 - CA Technologies Documentation
Just have to remember if you only do the authenticate call you may not get all variables. Some only get sent with an authorize call. That's a standard CA SSO thing.
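As an added example (not code from this thread or from CA), here is the remaining-time calculation from the post above carried through in Python, extended to also honour the idle timeout that the gateway exposes alongside the max session time. The variable names are assumptions standing in for the SiteMinder context variables; the sample timestamps are constructed.

```python
# Added example: remaining SSO session time from the three values the post
# says the gateway exposes (max session time, idle time, last access) plus the
# session start. Field names are assumptions, not gateway context variable names.
from dataclasses import dataclass


@dataclass(frozen=True)
class SsoSession:
    start_time: int        # session start, epoch seconds (stands in for $startSessionTime)
    last_time: int         # last access, epoch seconds (the "last time" value)
    max_session_time: int  # maximum session lifetime, seconds (stands in for $maxSessionTime)
    idle_time: int         # idle timeout, seconds


def remaining_seconds(session: SsoSession, now: int) -> int:
    """Seconds left before the session expires, or 0 if it has already expired.

    The post's expression covers only the maximum-session clock:
        $maxSessionTime - ($gateway.time.seconds - $startSessionTime)
    A session also ends when the idle timeout is reached, so it is alive only
    while BOTH clocks are positive, and the smaller one is what is left.
    """
    max_remaining = session.max_session_time - (now - session.start_time)
    idle_remaining = session.idle_time - (now - session.last_time)
    return max(0, min(max_remaining, idle_remaining))


def is_active(session: SsoSession, now: int) -> bool:
    """True while the session has time left on both clocks."""
    return remaining_seconds(session, now) > 0


if __name__ == "__main__":
    # Constructed sample: 2-hour max session, 30-minute idle timeout.
    s = SsoSession(start_time=1_000_000, last_time=1_000_600,
                   max_session_time=7200, idle_time=1800)
    print(remaining_seconds(s, now=1_001_000))  # 1400: the idle clock is the limiter
```

The max-session-only expression would report 6200 s here, so an app relying on it would think the session had far longer to live than it does.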