Layer7 API Management

  • 1.  MAG Authentication flow

    Posted Oct 03, 2016 11:32 AM

    Hi all,

    In the mobile authentication flow using Mobile API Gateway (MAG) v3.2, will an OAuth token be returned, or is a JWT with an SSO token returned to the application?

  • 2.  Re: MAG Authentication flow

    Posted Oct 03, 2016 02:09 PM



    MAG (CA Mobile API Gateway) will issue an access_token, a refresh_token and an id_token. The id_token is represented as a JWT. Not sure what you are referring to as 'SSO token'.


    I hope this helps. Let me know if you have more questions,


  • 3.  Re: MAG Authentication flow

    Posted Oct 12, 2016 07:22 PM



    What does the JWT contain? Can it contain a full-fledged Smsession? Or is it some sort of SSO token, like a sessionspec/encrypted string, which gets validated with the policy server?


    Also, if it can have Smsession, is it possible to extract the same session cookie from the JWT, which may be on a native app, and use it to authenticate to a mobile web application for a seamless experience?


     Thanks for the help in advance.


    Thanks and Regards,


  • 4.  Re: MAG Authentication flow
    Best Answer

    Posted Oct 12, 2016 08:19 PM

    Hello Yatin!


    I do believe we already do what you want to see. When MAG is configured to authenticate users against SiteMinder, the JWT gets an additional header, which is the SiteMinder SSO token. MAG then forwards that to SiteMinder to have it validated whenever it's required.

    Is it possible for you to send me a description of your use case? I can then answer you better I believe. If you do not want to share it in this forum send me an email:
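
Added example, not part of the original thread and not CA/MAG code: the answer above says the JWT carries the SiteMinder SSO token as an additional header. A compact JWS header is only base64url-encoded JSON, so this sketch lists any header parameters beyond the RFC 7515 registered names that are readable from a token without a key. The header name `example_sso_token`, the sample token and the three-part JWS form are assumptions; the thread does not give the real header name.

```python
import base64
import json

# Header parameter names registered for JWS in RFC 7515, section 4.1.
REGISTERED_JWS_HEADERS = {
    "alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256",
    "typ", "cty", "crit",
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact JWTs."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def extra_header_params(jwt_compact: str) -> dict:
    """Return header parameters that are not RFC 7515 registered names.

    No signature check is performed: the point is to show what anyone
    holding the token can read without any key.
    """
    parts = jwt_compact.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    return {k: v for k, v in header.items() if k not in REGISTERED_JWS_HEADERS}

def build_sample_token() -> str:
    """Constructed id_token; 'example_sso_token' is a hypothetical name."""
    header = {"alg": "HS256", "typ": "JWT",
              "example_sso_token": "CONSTRUCTED-SESSION-VALUE"}
    claims = {"sub": "constructed-user", "aud": "constructed-client"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"constructed-signature"),
    ])

if __name__ == "__main__":
    for name, value in extra_header_params(build_sample_token()).items():
        print(f"non-registered header parameter: {name} = {value}")
```

Any value that shows up here travels in the clear with the id_token, so the token deserves the same storage and transport protection on the device as the session material it carries.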