Layer 7 API Management

Expand all | Collapse all

SAML Bridging to allow for the Portal 4.2.x

  • 1.  SAML Bridging to allow for the Portal 4.2.x

    Posted 07-13-2018 11:46 AM

    This is an idea I got when a customer wanted to use openId Connect to log in the Portal 4.2.7.1.

    We do not support this but I leverage the Gateway to do so that it can be done:

     

     

    The way one can do it is with the following:

    1.  download the SAML identityprovider service that is specified here
      CA API gateway uses SAML with onelogin.com 
    2. On the Gateway
      1. Create a PKI for SAML
        1. Go to 'tools'->'Certificates...'-> 'Manage Private Keys'
        2. Create a new PKI 
        3. export the certificate of that PKI as a .pem file (which will be imported in the portal)
      2. Create a service that you will use for SAML authentication with the Portal
      3. Import the IdP service in the Gateway
      4. Modify the service to accept the call from the portal (endpoints, and other such variables)
        1. modify the 'Create Signed Bearer-Token SAML Token' assertion to add some attributes (as needed)
        2. associate that PKI to the assertion that signs the SAML AND  You also have to associate the PKI to the assertion "Build SAML Protocol Response" ( the assertion below the one shown in the screenshot [line28])

          ----------------------
        3. Save and activate the service.
    3. On the Portal
      1. Open the Tenant as an admin
      2. Go to the gear icon (top right) and choose 'Authentication'
      3. In the page, click on 'Add Authentication Scheme'
      4. Choose SAML SSO and press 'next'
      5. Fill in the basi details as you are required (name, desc, icon) and press 'next'
      6. in Provider Configuration, fill in the fields that are required as in the screenshot, substituting the following:
        1. Identity Provider URL with the full name of the service on the Gateway that will work as the SAML Bridge
        2. Issuer ID with a unique identifier that will be used in the SAML response
      7. Import the .pem file that you exported in the previous step.
      8. Choose SAMLResponse and Parameter
      9. Make sure that the Service Provider ID is the same as the ACS URL
      10. Keep a record of the ACS URL and the Service Provider ID, you will need it in the service on the Gateway
      11. Press 'Next' and map the fields as required
    4. on the Gateway,
    1. Open/got back to the service that you will use for SAML authentication with the Portal
    2. Modify the service to accept the call from the portal (endpoints, and other such variables)
      1. substitute the context variable in the service  where it mentions serviceProviderURL with the ACS URL you have in the Portal:
      2. open the 'Create Signed Bearer-Token SAML Token' assertion and make sure the Recipient and the Audience restriction to match with the ${serviceProviderURL} and make sure that the message is signed:


    3. Under line 4 of the service, change the logic to fit the requirements (call the next identity provider). See the difference herebelow between the ORIGINAL form-authentication part that Ben created and the OPENID one that I have put in:
      ORIGINAL


      OPENID



    I hope it helps



  • 2.  Re: SAML Bridging to allow for the Portal 4.2.x

    Posted 11-08-2018 10:37 AM

    Hi GARMA26,

     

    Thanks for the doc. I want to know how do you handle users registration when configuring the gateway as a Proxy IdP?

     

    Best regards,

    Manil



  • 3.  Re: SAML Bridging to allow for the Portal 4.2.x

    Posted 11-10-2018 12:02 PM
      |   view attached

    Hello Manil,

     

    registration works just like normal:

     

    you use the Gateway to identify the user, so if the user is stored on the internal IDP of the Gateway then you use the Gateway but in case of LDAP, SAML, or OAUTH, then you manage the user on those federal platforms, not via the Portal or Gateway, so the users would register not on the Portal but on the IdP

     

     

    Maurizio Garzelli

    Services Architect

    CA Technologies

    Office: +31611025636/ 20374 | Maurizio.Garzelli@ca.com<mailto:Maurizio.Garzelli@ca.com>