Symantec SiteMinder

Use JWT to Modernize the SiteMinder to APIM integration

By Ravi Kumar Kanukollu posted May 17, 2019 01:24 AM

This post explains how JWT powers the integration between Layer7 API Management (APIM) and Layer7 SiteMinder (formerly CA SSO). It does not go into the internals of JWT or the step-by-step configuration of either product.

Why care about managing access for transactions that span APIs and web flows?

To deliver a smooth single sign-on experience across multiple applications, organizations want to shield users from the complexity of multiple authentication and authorization servers.

As organizations continue their digital transformation, they deploy more and more access flows in which users interact with web or mobile applications to execute transactions (retrieve information, order a product or service, and so on), and those applications in turn call APIs to reach other sources on behalf of the original user. Ideally, users should not be challenged for authentication again when a transaction crosses the boundary between its web-access leg and its API-access leg, and user attributes and entitlements need to cross that same boundary seamlessly. The overall goal is to give users the information they need with the simplest possible experience while maintaining the required level of security, which calls for comprehensive and granular authentication and authorization capabilities.

Beyond authentication and authorization, these flows also need session management, both to keep the user experience simple and to achieve complete single logout when required (cookies invalidated, SAML assertions removed, OIDC tokens revoked, and so on).

“Your ability to address these types of use cases will help your organization improve user experience”

Broadcom offers proven solutions for API management and access management. Comprehensive API management requires much more than authentication and authorization: developer tools, API transformation, injection protection and service-level guarantees are critical, and Broadcom's offering covers them. For this hybrid web-plus-API use case, the answer is to integrate Layer7 API Management with Layer7 SiteMinder. The integration gives end users a seamless login experience when they access single-page applications, with fine-grained authorization governed by APIM, and when the user then accesses other SiteMinder-protected resources within the existing session the experience stays smooth and the security stays trustworthy.

What's new in the integration?

If you implemented this integration with versions prior to SiteMinder 12.8 and API Management 9.4, it relies on a SiteMinder agent deployed in the API Gateway. That approach worked for a number of use cases, but it added overhead: the API Gateway had to translate to and from the native SiteMinder SMSession for every transaction that crossed between the two products.

SiteMinder 12.8 introduced a JSON Web Token (JWT) authentication scheme. Because JWT is a standard token format, it can be applied to the integration between SiteMinder and Layer7 API Management, simplifying and improving it.

Why adopt the JWT authentication scheme in SiteMinder (CA SSO)?

The APIM-SiteMinder integration inherits the benefits of JWT authentication in SiteMinder: the JWT carries the user's session across APIM and SiteMinder, so the user gets a seamless experience without compromising security or trust.

------------------------------------------------------------------------------------------------------------------------------------------------------

This is now the preferred way to integrate the two products. Spend a little time setting up the JWT authentication scheme for every protected resource that needs it, and manage the public/private key pair that establishes trust between the two parties: the gateway signs tokens with the private key and SiteMinder verifies them with the public key.

------------------------------------------------------------------------------------------------------------------------------------------------------

Key Benefits of JWT Authentication in Layer7 SiteMinder

  • A JWT generated by Layer7 APIM can be used both to authenticate the user and to access multiple SiteMinder-protected resources. Even when the SiteMinder SMSession is short-lived (a typical configuration), APIM can present a longer-lived JWT to reach SiteMinder-protected resources without prompting the user for credentials again. Treat that lifetime as a security setting: a bearer token that leaks is usable until it expires, so keep exp as short as the user experience allows and have SiteMinder validate exp, iss and aud on every use.
  • Standard JWTs generated by APIM can be consumed by different authorization servers, which simplifies administration and transaction handling across authorization servers deployed in different data centers.
  • No custom API Gateway configuration is needed to achieve parity with SiteMinder ACO parameters. For example, a SiteMinder agent embedded in the API Gateway must be configured with the AcceptTPCookie ACO parameter to accept session cookies created through the SiteMinder SDK; with the JWT integration that configuration is unnecessary.
  • APIM can handle user authentication while SiteMinder makes policy decisions on the agreed JWT claims, giving claims-based authorization.
  • If APIM acts as an OIDC provider, authenticating users and issuing ID tokens and access tokens for API flows, the same ID token can be presented to the SiteMinder JWT authentication scheme for web flows, making SiteMinder an OIDC resource server.
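As an added example, not code from this post or from either product, the Go program below shows the trust relationship described in the callout above and the claims-based authorization from the benefits list: the gateway side signs a JWT with its RSA private key, and the SiteMinder side, holding only the public key, pins the algorithm, verifies the signature, then checks issuer, audience and expiry before making a role decision from the claims. It also shows why the signature matters: a payload an attacker edits to add a role is rejected because it cannot be re-signed without the private key. Only Go's standard library is used so it runs offline. The claim names (including the "roles" claim), the issuer and audience strings, the user "alice", the timestamps and the throwaway key pair are all constructed assumptions for illustration, not the products' actual JWT contract or configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Claims is a hypothetical issuer/verifier contract; the real products map claims via their own configuration.
type Claims struct {
	Iss   string   `json:"iss"`
	Sub   string   `json:"sub"`
	Aud   string   `json:"aud"`
	Exp   int64    `json:"exp"`
	Roles []string `json:"roles,omitempty"`
}

var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048) // throwaway pair standing in for the gateway's signing key

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// Mint is the gateway side: RS256 over base64url(header).base64url(payload) using the private key.
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(pl)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify is the SiteMinder side: it holds only the public key; alg is pinned first, then signature, then claims.
func Verify(pub *rsa.PublicKey, token, wantIss, wantAud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // the verifier, not the token, chooses the algorithm (blocks alg=none and HS256 key confusion)
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || now >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d now=%d", c.Iss, c.Aud, c.Exp, now)
	}
	return &c, nil
}

func HasRole(c *Claims, role string) bool { // the claims-based policy decision for a protected resource
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

func main() {
	c := Claims{Iss: "https://apim.example.com", Sub: "alice", Aud: "siteminder-web", Exp: 1700003600, Roles: []string{"employee"}}
	tok, _ := Mint(demoKey, c)
	got, err := Verify(&demoKey.PublicKey, tok, c.Iss, c.Aud, 1700000000) // constructed clock value, before exp
	p := strings.Split(tok, ".") // an attacker adds a role to the payload but cannot re-sign it
	forged := p[0] + "." + b64([]byte(`{"iss":"https://apim.example.com","sub":"alice","aud":"siteminder-web","exp":1700003600,"roles":["hr-admin"]}`)) + "." + p[2]
	_, forgedErr := Verify(&demoKey.PublicKey, forged, c.Iss, c.Aud, 1700000000)
	fmt.Println("genuine:", err, "hr-admin:", err == nil && HasRole(got, "hr-admin"), "| forged:", forgedErr)
}
```

The order of the checks is the point: the verifier fixes the algorithm before it looks at the signature, so a header claiming alg=none or a symmetric algorithm is refused outright, and issuer, audience and expiry are checked after the signature so that an unsigned claim set never influences the decision. Running it with go run prints the genuine token accepted (with no hr-admin role) and the edited token rejected with a bad-signature error.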