Layer7 API Management


CA API Gateway external MFA implementation

  • 1.  CA API Gateway external MFA implementation

    Posted 03-12-2019 03:00 PM

    Hello, I am new to CA API Gateway and would like to know if it is possible to implement my own MFA authentication plugin to leverage any authentication service I want, like Duo or RSA Adaptive Authentication. If it is possible, is there integration documentation for developers?

    We currently have integration for CA SiteMinder via RADIUS with RSA Adaptive Authentication. That one is pretty straightforward. I'm trying to achieve the same with API Gateway.



  • 2.  Re: CA API Gateway external MFA implementation
    Best Answer

    Posted 03-12-2019 06:39 PM

    Dear rgonzalez22 ,

    Generally speaking, yes, as soon as the external system provides APIs to do the jobs.

    For example, Facebook/Google provide the OAuth endpoints for OAuth authorization; the gateway can integrate with those external authorization systems by calling their APIs.

    You would need to implement policies on the gateway, not install a plugin, to access the external APIs.

     

    The gateway provides different assertions to access the downstream systems:

    Message Routing Assertions - CA API Gateway - 9.4 - CA Technologies Documentation

    It seems RSA Adaptive Authentication provides SOAP APIs; you can call those SOAP APIs via Route via HTTP(S) Assertion - CA API Gateway - 9.4 - CA Technologies Documentation

     

    You might contact the gateway sales/pre-sales to discuss a complete solution for your use case.

     

    Regards,

    Mark



  • 3.  Re: CA API Gateway external MFA implementation

    Posted 03-13-2019 01:52 PM

    Zhijun,

    Thank you for your technical input. I will follow your references and approach the integration in that manner. I will report back in here if it was successful or not.



  • 4.  Re: CA API Gateway external MFA implementation

    Posted 04-26-2019 05:57 PM

    Mark,

     

    If I use the Route via HTTP(S) assertion, do you think I can accomplish the following:

    I already have a webapp that performs the actual MFA authentication. I just need to integrate it with CA API Gateway. I need to redirect to my webapp from Gateway to perform authentication and return to Gateway with the result.

    User Flow:

    User requests protected resource --> CA API Gateway --> Username/Password (optional) --> Redirect user to MFA webapp (webapp that performs MFA authentication with AAOP) --> CA API Gateway (check authentication result) --> user sent to resource if pass, user sent to login with a message if failed

    Also, could the CA API Management OAuth Toolkit make it easier to integrate?

     

    https://docops.ca.com/ca-api-management-oauth-toolkit/4-3/en

     

    Thanks in advance.



  • 5.  Re: CA API Gateway external MFA implementation

    Posted 04-28-2019 08:22 PM

    There are different options, depending on your env:

    1. The gateway provides the login window and passes the credential to the webapp.

    The webapp needs to provide an API to accept the credential and return the result.

    2. The gateway redirects to the webapp page; the webapp shows the login window and redirects back to the gateway after authentication.

    Usually, the gateway needs to be registered on the webapp, otherwise the webapp will not know how to redirect back to the gateway.

    For example, using ADFS for login, you need to register the gateway as a relying party and set the callback URL.

    I have a document on this: Integrate ADFS login form for authentication

    3. Customize OTK to use an external login server.

    https://communities.ca.com/blogs/oauth/2016/10/04/howto-integrating-otk-with-external-login-server

    Option 1 is the simplest; option 2 needs correct implementation/configuration on both the gateway and the authentication server; option 3 is possible but not recommended, as you need deep knowledge of the OAuth flow and how the OTK is implemented.
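
Added example (not part of the thread, and not CA API Gateway or OTK code): a Python model of option 2 showing what the registration and the "check authentication result" step have to enforce, namely a registered callback, a signed result, a one-time state and a freshness window. All names, URLs, parameters and the HMAC shared key are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical names and constructed values; none is a CA API Gateway or OTK API.
SHARED_KEY = b"constructed-demo-key"   # secret agreed when the gateway is registered
REGISTERED_CALLBACKS = {"gw-1": "https://gateway.example.com/mfa/callback"}
MAX_AGE = 120                          # seconds a returned result stays valid

def _sign(body: bytes) -> bytes:
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()

def gateway_start(session: dict, user: str) -> str:
    """Gateway: store a one-time state, then redirect the user to the webapp."""
    session.update(user=user, state=secrets.token_urlsafe(16))
    query = urlencode({"client_id": "gw-1", "user": user, "state": session["state"]})
    return "https://mfa.example.com/login?" + query

def webapp_finish(client_id, user, state, passed, now=None) -> str:
    """Webapp: redirect back only to the callback registered for this gateway."""
    callback = REGISTERED_CALLBACKS[client_id]   # KeyError if not registered
    iat = int(time.time() if now is None else now)
    body = json.dumps({"user": user, "state": state, "mfa": passed, "iat": iat}).encode()
    result = base64.urlsafe_b64encode(body).decode()
    return callback + "?" + urlencode({"result": result, "sig": _sign(body).decode()})

def gateway_check(session: dict, callback_url: str, now=None) -> bool:
    """Gateway: accept only a fresh, signed, passing result bound to this session."""
    q = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("state", None)        # one-time: a replay finds no state
    try:
        body = base64.urlsafe_b64decode(q.get("result", [""])[0])
        sig = q.get("sig", [""])[0].encode()
    except ValueError:
        return False
    if expected is None or not hmac.compare_digest(_sign(body), sig):
        return False                             # no pending login, or forged result
    claims = json.loads(body)
    age = (time.time() if now is None else now) - claims["iat"]
    return (claims["state"] == expected and claims["user"] == session.get("user")
            and 0 <= age <= MAX_AGE and claims["mfa"] is True)
```

The state is consumed on every callback, valid or not, so a failed or replayed callback forces the login to start again from the gateway.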