Layer7 API Management

  • 1.  SAML IdP Support

    Posted Aug 14, 2017 10:51 AM

    Can CA API Gateway act as an IdP where a user can be signed in from a cloud-based SP? The Gateway would have to prompt the user for credentials (in some cases) and also add certain attributes when returning an assertion?

  • 2.  Re: SAML IdP Support

    Posted Aug 14, 2017 12:18 PM


    Without knowing any more details, the answer is yes. The gateway needs to be configured to connect to some kind of LDAP. The gateway would receive a request, authenticate the user, create a SAML token and redirect to the target platform.

    The other way around works too. The gateway would receive a SAML token, validate its signature, extract the user attributes and continue its desired flow.

    Please share a few more details if you need more clarification.

    Thanks, Sascha

  • 3.  Re: SAML IdP Support

    Posted Aug 15, 2017 02:02 PM

    Hi Sascha, mine is a much simpler use case than crshah's. I would appreciate it if you could give me pointers on how to achieve this:


    1. Service provider sends CA API GW a SAML request (how do I import and export the metadata of the IdP and SP?)

    2. API Gateway authenticates the user and creates a SAML token as well as an API Gateway cookie with the user's session information.

    3. API Gateway POSTs the SAML token to the SP's Assertion Consumer Service.


    Can this be done? If yes, can you please provide sample policies? If they don't exist, can you please refer to documentation that describes my needs?

    I have created a support ticket, engaged my account manager with a tech architect, and posted my questions on the community. Unfortunately, I have not progressed an inch.


    Crshah, sorry to piggyback on your thread, but I see some common synergies and we can help each other.

  • 4.  Re: SAML IdP Support

    Posted Aug 23, 2017 04:45 PM

    A support case was opened for this question and we worked through what is required to get this accomplished. The solution was based on the sample policies in the CA API gateway uses SAML with Community document.

  • 5.  Re: SAML IdP Support

    Posted Aug 15, 2017 09:19 AM

    Thank you for your response. Here's what we are looking to do using CA API. My question is whether CA API can host the IdP login page on its own rather than redirecting to another IdP, and if it can, then how, since it is not clear how we can go about that (policy assertion?).

    Thank you again for your time.


    1-A cloud service provider sends CA API G/W a SAML Request via browser.

    2-User will be redirected to IdP Page (via CA API) and will enter Creds. (Can CA API host that page to enter creds?)

    3-After successful assertion, user needs to be redirected to webpage to enter secondary credentials (EIN & Password) hosted by PinDB and response returned back to CA API.

    4-These credentials will then be added to web service call via CA API and then make the web service call to check on user account.

    5-If webservice returns a true, we then generate/return a SAML Assertion back to requester (service provider) or deny it.

  • 6.  Re: SAML IdP Support
    Best Answer

    Posted Aug 23, 2017 04:57 PM

    To answer your 2 highlighted questions:


    2-The SAML_SSO_IdentityProvider policy included with the CA API gateway uses SAML with document is configured by default to present a login page from the gateway that requests a username and password to be authenticated against the gateway's Internal Identity Provider. The login page HTML presented is configured in the 'Return Template Response to Requester' assertion at the end of the policy (line 35).


    3-Another branch of policy could be added that does the same basic thing as step 2 where you request the username/password. Just configure the 'Return Template Response to Requester' assertion in this branch to return an HTML form prompting for the EIN & Password.
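The IdP-side flow described in replies 2 and 3 (SP sends an AuthnRequest, the gateway authenticates the user, then POSTs a SAML Response carrying extra attributes to the SP's ACS) as an added, stand-alone example; this is not gateway policy or code from this thread. It assumes the SP entity ID and ACS URL of a constructed sample request, and it leaves the XML-DSig signature to the gateway policy, so the Response it emits is unsigned and would rightly be rejected by an SP.

```python
import base64, html, uuid, zlib, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
TS = "%Y-%m-%dT%H:%M:%SZ"

def sample_authn_request():
    """Constructed sample of what an SP sends via the redirect binding (raw DEFLATE, then base64)."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" Version="2.0" '
           f'IssueInstant="2017-08-15T14:02:00Z" AssertionConsumerServiceURL="https://sp.example.com/acs">'
           "<saml:Issuer>https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>").encode()
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(z.compress(xml) + z.flush()).decode()

def parse_authn_request(saml_request_b64):
    """Step 1: decode the SP's AuthnRequest and keep the fields the IdP must echo back."""
    raw = base64.b64decode(saml_request_b64)
    try:
        raw = zlib.decompress(raw, -15)   # redirect binding carries raw DEFLATE
    except zlib.error:
        pass                              # POST binding carries plain XML
    root = ET.fromstring(raw)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {"id": root.get("ID"), "acs": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext(f"{{{SAML}}}Issuer")}

def build_response(req, idp_entity_id, name_id, attrs, lifetime=timedelta(minutes=5)):
    """Step 2: bearer assertion that echoes the request ID, names the SP as audience and expires quickly."""
    now = datetime.now(timezone.utc)
    nb, na, rid = now.strftime(TS), (now + lifetime).strftime(TS), req["id"]
    acs, sp, idp = map(html.escape, (req["acs"], req["issuer"], idp_entity_id))
    attr_xml = "".join(f'<saml:Attribute Name="{html.escape(k)}"><saml:AttributeValue>{html.escape(v)}'
                       "</saml:AttributeValue></saml:Attribute>" for k, v in attrs.items())
    # Unsigned on purpose: XML-DSig over the assertion is applied by the gateway policy before release.
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" Version="2.0" '
            f'IssueInstant="{nb}" InResponseTo="{rid}" Destination="{acs}"><saml:Issuer>{idp}</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{nb}"><saml:Issuer>{idp}</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{html.escape(name_id)}</saml:NameID><saml:SubjectConfirmation '
            f'Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="{rid}" '
            f'Recipient="{acs}" NotOnOrAfter="{na}"/></saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction><saml:Audience>{sp}'
            "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>")

def post_binding_form(acs_url, response_xml, relay_state=""):
    """Step 3: HTTP-POST binding, the browser auto-submits the base64 Response to the SP's ACS."""
    return (f'<form method="post" action="{html.escape(acs_url)}"><input type="hidden" name="SAMLResponse" '
            f'value="{base64.b64encode(response_xml.encode()).decode()}"/><input type="hidden" name="RelayState" '
            f'value="{html.escape(relay_state)}"/></form><script>document.forms[0].submit()</script>')
```

The InResponseTo, Recipient, Audience and NotOnOrAfter values are what a correctly configured SP checks before trusting the assertion, so a gateway policy that omits them produces tokens that either fail at the ACS or can be replayed elsewhere.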