Layer7 API Management

Broadcom API Gateway Integration with Broadcom/CA SiteMinder 12.8

    Posted Sep 23, 2019 01:18 PM
    Goal: To reuse existing enterprise access policies in SiteMinder with API Gateway and OAuth Toolkit, where SiteMinder is integrated with Oracle WebLogic with JavaEE Declarative Security for the backend APIs.

    Issue: In SiteMinder prior to 12.8, it seems there is no easy way to associate a JWT with a SiteMinder SMSESSION.

    Assumption: With SiteMinder 12.8, we can associate a JWT token with an internal SMSESSION seamlessly, i.e. SiteMinder 12.8 can help to validate an OAuth2 JWT token and generate an SMSESSION to allow access to protected resources with Broadcom API Gateway 9.3 or 9.4. Does anyone do that with a WebLogic backend?

    Questions:
    • Is there a hard assumption that there must always be a username involved when the client first accesses the Broadcom/CA API Gateway? If no username is involved, how can SiteMinder associate a JWT token with the existing access policies or SMSESSION?
    • OAuth2 generates a JWT at the API Gateway and uses scopes to define what can be protected. The following documentation suggests that, based on a JWT, SiteMinder 12.8 can generate an SMSESSION to access the protected resource. How are OAuth2 scopes and SMSESSION related? Or is there no relationship at all?

    Thanks in advance for any reply.
    Louie

    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/json-web-token-jwt-authentication-scheme/


    ------------------------------
    Enterprise Architect
    TwoCoins.ca Inc.
    ------------------------------