Layer7 API Management

  • 1.  CA API Gateway external MFA implementation

    Posted Mar 12, 2019 03:00 PM

    Hello, I am new to CA API Gateway and would like to know if it is possible to implement my own MFA Authentication plugin to leverage any authentication service I want like Duo or RSA Adaptive Authentication. If it is possible, is there integration documentation for developers?

     

    We currently have integration for CA SiteMinder via RADIUS with RSA Adaptive Authentication. That one is pretty straightforward. I'm trying to achieve the same with API Gateway.



  • 2.  Re: CA API Gateway external MFA implementation
    Best Answer

    Broadcom Employee
    Posted Mar 12, 2019 06:39 PM

    Dear rgonzalez22,

    Generally speaking, yes, as long as the external system provides APIs to do the job.

    For example, Facebook/Google provide OAuth endpoints for OAuth authorization; the gateway can integrate with those external authorization systems by calling their APIs.

    You would need to implement policies on the gateway, not install a plugin, to access the external APIs.

    The gateway provides different assertions to access the downstream systems:

    Message Routing Assertions - CA API Gateway - 9.4 - CA Technologies Documentation

    It seems RSA Adaptive Authentication provides SOAP APIs; you can call those SOAP APIs via Route via HTTP(S) Assertion - CA API Gateway - 9.4 - CA Technologies Documentation

     

    You might contact the gateway sales/pre-sales to discuss a complete solution for your use case.

     

    Regards,

    Mark



  • 3.  Re: CA API Gateway external MFA implementation

    Posted Mar 13, 2019 01:52 PM

    Zhijun,

    Thank you for your technical input. I will follow your references and approach the integration in that manner. I will report back in here if it was successful or not.



  • 4.  Re: CA API Gateway external MFA implementation

    Posted Apr 26, 2019 05:57 PM

    Mark,

     

    If I use Route via HTTP(s) assertion, do you think I can accomplish the following:

    I already have a webapp that performs the actual MFA authentication. I just need to integrate it with CA API Gateway. I need to redirect to my webapp from Gateway to perform authentication and return to Gateway with the result.

    User Flow:

    User requests protected resource --> CA API Gateway --> Username/Password (optional) --> Redirect user to MFA webapp (webapp that performs MFA authentication with AAOP) --> CA API Gateway (check authentication result) --> user sent to resource if pass, user sent to login with a message if failed

     

    Also, could the CA API Management OAuth Toolkit make it easier to integrate?

     

    https://docops.ca.com/ca-api-management-oauth-toolkit/4-3/en

     

    Thanks in advance.



  • 5.  Re: CA API Gateway external MFA implementation

    Broadcom Employee
    Posted Apr 28, 2019 08:22 PM

    There are different options, depending on your environment:

    1. The gateway provides the login window and passes the credential to the webapp.

    The webapp needs to provide an API to accept the credential and return the result.

    2. The gateway redirects to the webapp page; the webapp shows the login window and redirects back to the gateway after authentication.

    Usually, the gateway needs to be registered on the webapp, otherwise the webapp will not know how to redirect back to the gateway.

    For example, when using ADFS for login, you need to register the gateway as a relying party and set the callback URL.

    I have a document on this: Integrate ADFS login form for authentication

    3. Customize OTK to use an external login server.

    https://communities.ca.com/blogs/oauth/2016/10/04/howto-integrating-otk-with-external-login-server

    Option 1 is the simplest; option 2 needs correct implementation/configuration on both the gateway and the authentication server; option 3 is possible but not recommended; you need deep knowledge of the OAuth flow and how the OTK is implemented.
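
Added example, not part of the original thread and not CA API Gateway policy or RSA code: a Python model of both sides of option 2, showing how the gateway can trust a result that comes back through the user's browser. It uses the registered callback, a one-time state value and an HMAC-signed, short-lived result; every name, URL and the shared key are assumptions made for the sketch.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# All names, URLs and the key below are constructed for this sketch.
SHARED_KEY = b"demo-key-provisioned-out-of-band"
WEBAPP_LOGIN = "https://mfa.example.test/login"
GATEWAY_CALLBACK = "https://gateway.example.test/mfa/callback"
REGISTERED = {"gateway-1": GATEWAY_CALLBACK}  # webapp side: registered callbacks
PENDING = set()                               # gateway side: outstanding states

def _sign(body):
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def gateway_start_login():
    """Gateway: build the redirect to the MFA webapp with a fresh state."""
    state = secrets.token_urlsafe(16)
    PENDING.add(state)
    return WEBAPP_LOGIN + "?" + urlencode(
        {"client_id": "gateway-1", "state": state, "return_url": GATEWAY_CALLBACK})

def webapp_finish_mfa(login_url, user, mfa_ok, ttl=60):
    """Webapp: after MFA, redirect back only to the registered callback."""
    q = _query(login_url)
    if REGISTERED.get(q["client_id"]) != q["return_url"]:
        raise ValueError("return_url is not the registered callback")
    claims = {"sub": user, "mfa": mfa_ok, "state": q["state"],
              "exp": int(time.time()) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return q["return_url"] + "?" + urlencode(
        {"result": body.decode(), "sig": _sign(body)})

def gateway_check_result(callback_url, now=None):
    """Gateway: return the user name if the result is authentic, else None."""
    q = _query(callback_url)
    body = q.get("result", "").encode()
    if not hmac.compare_digest(_sign(body).encode(), q.get("sig", "").encode()):
        return None                           # altered or unsigned result
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (time.time() if now is None else now):
        return None                           # stale result
    if claims["state"] not in PENDING:
        return None                           # unknown or already used state
    PENDING.discard(claims["state"])          # each state is single use
    return claims["sub"] if claims["mfa"] is True else None
```

Because the result travels in the redirect itself, the gateway does not depend on cookies or a session set by the webapp.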



  • 6.  RE: Re: CA API Gateway external MFA implementation

    Posted Sep 16, 2020 03:01 AM
    @rgonzalez Were you able to achieve the flow as mentioned above? I am also trying to get 2FA for RSA using my own webapp, which will perform MFA, but I am not able to get the required cookies and session when I use the Route via HTTPs assertion, as it is a redirect, not a forward.

    Please help me understand how you fixed that issue, if you faced it.


  • 7.  RE: Re: CA API Gateway external MFA implementation

    Posted Apr 09, 2020 01:23 PM
    I have a requirement to call an external OAuth provider from a CA API policy. Can you please share sample policies that could achieve the below:

    How to get token from external oAuth url
    How to store it
    How to set expiration and get a refresh token
    How to use that token and post a message to different