A customer is implementing MAG 4.1 + OTK 4.2 + Gtw 9.3 with two nodes (in cluster) and API Portal 4.2.x.
They have different business units, where each one must have one or more mobile applications using MAG and each business unit has its own authentication repository (LDAP or database).
How can they achieve this goal? What is the best practice in this case?
1 - Custom grant types for each business unit?
2 - Creating different Instance Modifiers for OTK and MAG for each BU?
3 - Any other suggestions?
Thanks for your help.
Assuming the business units are both reporting under the same GW/MAG/OTK installation, I would think the instance modifier would be the preferred solution to authenticate against different IDPs.
Thanks for your reply.
Yes, the business units are reporting under the same GW/MAG/OTK installation. I agree with you, the instance modifier would be the preferred solution.
The customer is trying to use a "provider_hint" parameter in the HTTP header and/or as an HTTP parameter to get this information in the OTK User Authentication Extension policy to select the correct IDP.
They created a class called MASAuthCredentialsPasswordCustom that implements MASAuthCredentials, including the "provider_hint" in the header and parameter (query string), and MAG sends these parameters to the gateway.
An issue with this approach is dev portal 4.2.x. Since it works only with the default OTK instance, any app created on the portal will exist only in the default OTK. Also, the services will have to check the token with the correct instance assertion.
The portal integration could be a problem. The customer is testing the option with the hint to select the correct IDP. With this approach they will need just one installation of OTK and MAG.
Thanks for your reply.
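The gateway-side step the thread describes, selecting an IDP from a client-supplied "provider_hint" carried in a header or query parameter, as an added Python mock that is not policy or code from the thread or from the MAG/OTK products. The business unit names, client ids and instance modifier values are constructed; the point it shows is that the hint is untrusted client input, so it is checked against the configured IDP list and against the business units the calling app is registered for before any authentication happens.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Set

@dataclass(frozen=True)
class Idp:
    business_unit: str
    kind: str               # "ldap" or "database", the unit's own repository
    instance_modifier: str  # OTK/MAG instance modifier serving this unit

# Constructed registry of business units and their IDPs (hypothetical values).
IDPS = {
    "retail": Idp("retail", "ldap", "retail"),
    "banking": Idp("banking", "database", "banking"),
}

# Constructed client registry: the business units each registered app may use.
CLIENT_UNITS: Mapping[str, Set[str]] = {
    "retail-ios-app": {"retail"},
    "banking-android-app": {"banking"},
    "group-portal-app": {"retail", "banking"},
}

class HintError(ValueError):
    """Raised when the request cannot be mapped to a permitted IDP."""

def read_hint(headers: Mapping[str, str], query: Mapping[str, str]) -> Optional[str]:
    """Header wins over query string; value is normalised (trimmed, lower-case).
    Returns None when neither location carries provider_hint."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("provider_hint") or query.get("provider_hint")
    return raw.strip().lower() if raw and raw.strip() else None

def select_idp(client_id: str, headers: Mapping[str, str], query: Mapping[str, str]) -> Idp:
    """Resolve the IDP for a token request from the hint and the app's registration.
    An app registered for one unit cannot steer authentication to another unit's IDP;
    an app registered for exactly one unit needs no hint at all."""
    allowed = CLIENT_UNITS.get(client_id)
    if not allowed:
        raise HintError(f"unknown client_id {client_id!r}")
    hint = read_hint(headers, query)
    if hint is None:
        if len(allowed) != 1:
            raise HintError(f"client {client_id!r} must send provider_hint")
        hint = next(iter(allowed))
    if hint not in IDPS:
        raise HintError(f"unknown provider_hint {hint!r}")
    if hint not in allowed:
        raise HintError(f"client {client_id!r} is not registered for unit {hint!r}")
    return IDPS[hint]
```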