Layer7 API Management

Portal SSO (SAML New) with API Gateway as the IDP


    Posted 01-14-2020 05:28 AM
    Edited by Ronald DSouza 01-14-2020 05:28 AM


    On Gateway

    Version Supported: 9.4 or above or Custom Javascript Assertion required

    Gateway Cluster Properties

    • hostname: Gateway Cluster hostname
    • domaincheck :- domain name (e.g. for api gateway as and portal as domain check parameter will be
    • portal.tenant :- PORTAL tenant name e.g. portal
    • portal.tenantName:- PORTAL tenant user friendly name

    Option 1:-

    GMU Import Scripts:-

    Option 2:-

    Create Policy and Folder Manually

    • Note: The GUIDs are needed only if you are using restman to create the folder structure
    • Create Folders
      • Portal Single Sign On (Root) [guid: 9e2bda6f90670a0a14c18f2a51cf2af7]
        • Encapsulation [guid: 9e2bda6f90670a0a14c18f2a51cf2b3a]
        • Policy [guid: 9e2bda6f90670a0a14c18f2a51cf293f]
        • Service [guid: 9e2bda6f90670a0a14c18f2a51cf2b7b]
      • Import Encapsulation
        • handle_error_encaps (Location portal_sso_integration_manual\encapsulation\handle_error_encaps.xml)
        • search_in_array_encaps (Location portal_sso_integration_manual\encapsulation\search_in_array_encaps.xml)
      • Create and Import Policy
        • Portal-Cache [guid: 9e2bda6f90670a0a14c18f2a51cf2912]
        • Import Policy: (Location portal_sso_integration_manual\policy\portal-cache.xml)
      • Create and Import Services
        • Service Folder: (Location portal_sso_integration_manual\service\*.xml)
        • Services
          • Name: Portal Single Sign On
            • GUID: 9e2bda6f90670a0a14c18f2a51cf28b9
            • Path: /portal/saml/v2/*
            • Method: GET|POST
            • XML: portal_sso.xml
          • Name: Portal User Login
            • GUID: 9e2bda6f90670a0a14c18f2a51cf305b
            • Path: /portal/saml/v2/validateUser/*
            • Method:POST
            • XML: validateUser.xml
          • Name: Portal User Service (SCIM)
            • GUID: 9e2bda6f90670a0a14c18f2a51cf2bdf
            • Path: /scim/v2/*
            • Method:GET
            • XML:scim.xml
          • Create and Import LDAP Setting for validation and query
            • Update LDAP parameter in
              • Portal User Login Page
              • Portal User Service (SCIM)

    LDAP Service

    Create Groups and Add user to the groups

    General Group

    • Api Owner → maps to Api Owner on Portal SSO Config
    • Portal Administrator → maps to Portal Administrator on Portal SSO Config

    For each Organization create 2 groups

    • E.g. if you have an organization on Portal as Broadcom Internal
    • Create the following groups
      • Developer#Broadcom Internal → maps to Developer role on Portal to Broadcom Internal Organization
      • Org Administrator#Broadcom Internal → maps to Org Administrator role on Portal to Broadcom Internal Organization

    NOTE: The role mapping and organization names are case sensitive and must map correctly in the Portal Authentication scheme, else the user will not be able to log in via SAML
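
The Role#Organization group naming and its case sensitivity can be checked against the Portal's role and organization names before users attempt a SAML login. The following is an added example, not part of the original post or of the Gateway policy; the function names are hypothetical and the group and organization lists are constructed sample data.

```javascript
// Added example: role names are the ones listed in this post;
// function and variable names are hypothetical.
const GLOBAL_ROLES = ["Api Owner", "Portal Administrator"]; // no organization suffix
const ORG_ROLES = ["Developer", "Org Administrator"];       // require "#<Organization>"

// Case-insensitive lookup that returns the canonical spelling, or null.
function canonical(value, allowed) {
  const hit = allowed.find((a) => a.toLowerCase() === value.toLowerCase());
  return hit === undefined ? null : hit;
}

// Classify one LDAP group name against the organizations configured on Portal.
function checkGroup(group, portalOrgs) {
  const parts = group.split("#");
  if (parts.length > 2) return { group, status: "invalid", reason: "more than one '#'" };
  const [role, org] = parts;
  const hasOrg = org !== undefined;
  const roleFix = canonical(role, hasOrg ? ORG_ROLES : GLOBAL_ROLES);
  if (roleFix === null) {
    const how = hasOrg ? "with" : "without";
    return { group, status: "invalid", reason: `role '${role}' not allowed ${how} an organization` };
  }
  if (!hasOrg) {
    return roleFix === role
      ? { group, status: "ok", role }
      : { group, status: "case-mismatch", expected: roleFix };
  }
  const orgFix = canonical(org, portalOrgs);
  if (orgFix === null) return { group, status: "invalid", reason: `unknown organization '${org}'` };
  const expected = `${roleFix}#${orgFix}`;
  // Exact match is required: the mapping is case sensitive.
  return expected === group
    ? { group, status: "ok", role, organization: org }
    : { group, status: "case-mismatch", expected };
}

// Constructed sample data (not exported from a real directory).
const portalOrgs = ["Broadcom Internal", "Broadcom External"];
const ldapGroups = [
  "Portal Administrator",
  "Developer#Broadcom Internal",
  "Org Administrator#broadcom internal", // wrong case in organization
  "developer#Broadcom External",         // wrong case in role
  "Developer",                           // org role without organization
  "Org Administrator#Acme",              // organization not on Portal
];
const report = ldapGroups.map((g) => checkGroup(g, portalOrgs));
for (const r of report) console.log(JSON.stringify(r));
```

Groups reported as case-mismatch or invalid are the ones that would fail to map in the Portal authentication scheme.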

    On Portal

    Configure Auth Scheme

    • Login as Portal Administrator
    • Navigate to Setting → Administration → Authentication
    • Click on Add Authentication Scheme
    • Select SSO SAML (new) as the provider
    • Provide Basic Details as required
    • Provide Identity details
      • Identity Provider URL:
        • API Gateway URL for Portal Single Sign On Service
      • Issuer ID
        • Copy the section from the ACS URL that holds the guid
      • Upload Trusted Certificate
        • Copy Certificate from CA API Gateway URL
      • ACS url
        • No Change
      • Saml Bindings
        • Keep default POST
      • Saml Attribute token in
        • Keep default Parameter
      • Service Provider ID *
        • Same as Issuer ID (guid)
      • Click Next
      • Provide Attribute Mappings
        • Email → mail
        • First Name → givenName
        • Last Name → sn
        • Login → login
        • Organization → organization
        • Role → memberOf
        • NOTE: The attributes are from the SAML Response. If you want to change these values, refer 242 of Portal Single Sign On Service (Create Signed Bearer Token SAML) and update the name value pairs as required
      • Update the setting for Portal Role – SAML ROLE mapping as below
        • Note: This value can be updated in SCIM policy under Javascript assertion on Gateway
      • Save the settings

    Test Setup:-

    • On the Portal login page, select the Auth Scheme for Portal Login: Portal Single Sign On
    • You will be redirected to API Gateway page for SAML login
    • Enter your username and password
    • Click on Login
    • Based on your group assignments in LDAP, you will get a drop-down with ROLE#Organization mapping
      • Here I have access as Org Administrator role for Broadcom External and Broadcom Internal and Developer role for Broadcom Internal
      • In the real world you will belong to different organizations with different roles; all will be listed here
      • Select the profile
      • Click Login
      • Based on your profile selection you are logged in as
      • Broadcom Internal as Developer



     --Download the Word doc for screengrabs