Symantec Access Management


OTK and OAM integration

  • 1.  OTK and OAM integration

    Posted 09-23-2019 01:00 PM
    We have installed OTK 4.3 on CA API Gateway version 9.4 (we do have a license for this product). Here is what we want to accomplish:

    1. All OAuth (including OpenID Connect) requests should pass through the CA API Gateway.
    2. Those OAuth requests should get forwarded to Oracle Access Manager version 11g (external IDP) for authentication; the application deployed on it should authenticate the user (so OAM, acting as the external IDP, needs a user certificate for authentication) and send an AuthN cookie back.
    3. On the basis of a valid AuthN cookie (returned by OAM), the OTK should return to the user/application the authorize token, which can then be used to get an access_token.

    As per the article (https://docops.ca.com/ca-api-management-oauth-toolkit/4-3/en/installation-workflow/configure-authentication/support-optional-authentication-mechanisms), two options are offered: one is to create a custom IDP and the other is to use the CA SiteMinder IDP. As we are relying on OAM as the external IDP, we can't use SiteMinder.

    We have the following questions:
    1. How can a trust relationship between OAM and OTK be established so that the OTK can issue an access_token based on the AuthN cookie from OAM?
    2. What kind of changes do we have to make to create a custom IDP?
      1. Which policy needs to be modified? Or do we create a totally new custom policy?
      2. How do we redirect the user to OAM for authentication?
      3. OAM needs a certificate to authenticate the user; how can we pass the certificate on the very first OAuth call (e.g. the OpenID flow) to OTK?
    Please let us know how we can achieve this integration.

    ------------------------------
    Utpal Kasture
    ------------------------------


  • 2.  RE: OTK and OAM integration
    Best Answer

    Posted 10-04-2019 09:00 AM
    Hi Utpal,

    Are you using the OAM assertion on the Gateway? I have not personally set this up, but I imagine we can use the same workflow described in the document you provided.
    Are you able to extract any attributes from the returned OAM cookie such as user name?

    Regards,
    Joe