Layer7 API Management

 View Only
  • 1.  about authenticate policy with siteminder

    Posted Nov 29, 2021 09:39 AM
    Hello everyone,

    with Layer7 I have created policies / api that use the siteminder SMSESSION as authentication / authorization. (eg the smession is passed in the header as if it were an "api key"). In this way on the Layer7 side I can understand the identity of the user (I use sso authentication and authorizzation assertion) and possibly call some TEWS [broadco iga] tasks "on behalf the user" passing the smsession as cookie.

    But now I have an application that is federated (always with siteminder) with OpenID Connect. In this case I don't have the smsession.

    I thought that I could somehow pass it in the json, but this does not work because in the meantime that you use it, smsession could be "expired".

    Do you have any suggestions on how I could handle this situation?
    Thanks in advance

  • 2.  RE: about authenticate policy with siteminder

    Posted Nov 29, 2021 10:05 AM
    This is what I thought.
    I can create a policy/API of the type "/ jwt2smsession" which takes as input the JWT released by siteminder and generates an SMSESSION.

    I could do by making a protected resource on siteminder with JWT-based authentication and use it with sso auth/az assertions. 

    So the application know the JWT generated by siteminder through the openidconnect authentication. From the application I can call the /jwt2smsession passing the jwt and obtaining the smsession and then use the latter for the APIs already developed previously.

    How does it look to you? Too Long ? Useless ? Insecure?