Layer7 API Management

  • 1.  Source IP Check in APIGateway

    Posted Dec 26, 2017 05:23 AM

    In API Gateway and SiteMinder integration, what's the best way to validate the source IP coming from the user with the details in the SMSESSION? Is the Check IP option a legit one for this?



  • 2.  Re: Source IP Check in APIGateway
    Best Answer

    Broadcom Employee
    Posted Dec 26, 2017 07:56 PM

    Hello,

     

    I think the simplest way is to check the context variable ${<target>.tcp.remoteIP} in your policies ("<target>" is "request" here). It can be used without SiteMinder integration.
    https://docops.ca.com/ca-api-gateway/9-3/en/reference/context-variables/transport-layer-context-variables

     

    If you'd like to get the source IP from the SMSESSION, ${<prefix>.smcontext.sourceIpAddress} would be better for your purpose.
    https://docops.ca.com/ca-api-gateway/9-3/en/reference/context-variables/ca-single-sign-on-context-variables

     

    I believe Simpler is Better.

     

    Cheers.



  • 3.  Re: Source IP Check in APIGateway

    Posted Dec 26, 2017 11:08 PM

    Considering the different types of network configurations (SNAT etc.), will ${.tcp.remoteIP} get the exact source IP for the validation? I am concerned about the internet-facing application, which also has CDNs like Akamai in place.



  • 4.  Re: Source IP Check in APIGateway

    Broadcom Employee
    Posted Dec 27, 2017 08:17 PM

    Hello,

     

    Would you be able to give us any examples of your concerns?

    When we receive an HTTP request through a network device such as an SSL offloader, the original IP address is placed in the X-Forwarded-For header. You should refer to it instead of ${<target>.tcp.remoteIP}.
    CDNs like Akamai are the destinations of HTTP requests, aren't they? It's not clear to me what the source IP addresses from clients are used for.

     

    Cheers.
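
The thread's two inputs, the TCP peer address and the X-Forwarded-For header, can be combined so that the header is honoured only when the request arrived from a known proxy. The sketch below is an added example, not Layer7 policy code and not from any poster; the function names and the `TRUSTED_PROXIES` ranges are assumptions made up for illustration.

```python
import ipaddress

# Constructed sample: networks of the proxies/offloaders in front of the gateway.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(tcp_remote_ip, x_forwarded_for=None):
    """Return the client address the gateway can actually vouch for.

    tcp_remote_ip is the TCP peer (the value ${request.tcp.remoteIP} holds);
    x_forwarded_for is the raw header value, or None when absent.
    """
    peer = ipaddress.ip_address(tcp_remote_ip)
    # A peer that is not one of our proxies could have written the header itself.
    if not x_forwarded_for or not _is_trusted(peer):
        return str(peer)
    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not a trusted proxy.
    candidate = peer
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to its left
        candidate = addr
        if not _is_trusted(addr):
            break
    return str(candidate)


def session_ip_matches(session_ip, tcp_remote_ip, x_forwarded_for=None):
    """Compare the address bound to the session with the resolved client address."""
    resolved = resolve_client_ip(tcp_remote_ip, x_forwarded_for)
    return ipaddress.ip_address(session_ip) == ipaddress.ip_address(resolved)
```

Entries to the left of the first untrusted hop are supplied by the client and are never used, so a forged leading value in X-Forwarded-For does not change the result.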