Layer7 API Management

Expand all | Collapse all

API Gateway - CA SSO Integration

Jump to Best Answer
  • 1.  API Gateway - CA SSO Integration

    Posted 03-30-2020 03:17 PM
    ​Hi,

    I am trying to create an API which will authenticate & authorize user from CA SSO and then will create SMSESSION cookie.
    I have my local test application to make that API call. My local test application is not protected by CA SSO.
    In the browser, I saw it generate the SMSESSION cookie with my company domain.
    From that browser, when I tried to access other my company web applications, the webagent always redirect to CA SSO login page.
    It looks like webagent cannot recognize that SMSESSION cookie.

    I am pretty sure my Layer7 API SiteMinder setting is good. I have another API which can read SMSESSION and retrieve user information.
    So I just wondering is it possible after browser get SMSESSION cookie from  Layer7 and it can bypass login page from other web applications?
    And in the webagent log, I saw webagnet always tried to decode SMIDENTITY cookie. Since the browser only generate SMSESSION cookie, do I need to generate SMIDENTITY cookie too? and can you let me know how can I generate SMIDENTITY cookie?

    Thanks

    Mark


  • 2.  RE: API Gateway - CA SSO Integration

    Posted 03-31-2020 12:58 PM
    Hi Mark,

    when  the SMSESSION cookie is being generated on the gateway you need to ensure the attributes are set correctly.

    Have you validated the browser is actually including the cookie in the call you the other web application?

    if it is being sent and being rejected its potentially the attributes that are being set on the cookie when you are generating it.


  • 3.  RE: API Gateway - CA SSO Integration

    Posted 03-31-2020 02:19 PM
    Barry,

    I thought SMSESSION is cookie and I just set up value, domain and path.
    I compared both SMSESSION and both have same value in the domain and path.
    I am not sure what other attribute I need to set. Do you have any suggestion what other attributes I need set or check?

    Thanks

    Mark


  • 4.  RE: API Gateway - CA SSO Integration

    Posted 03-31-2020 05:37 PM
    Edited by BARRY STERN 03-31-2020 05:37 PM
    Hello Mark,

    You are correct that the SMSESSION is a cookie.

    Web browsers have strict rules for allowing cookies to be stored and sent.

    Did you verify the browser is sending the cooking to these other web applications? this can e seen in the requests in the browsers developer tools.

    if using default settings and authentication against SSO the value for the cookie should be  ${siteminder.smcontext.ssotoken}




  • 5.  RE: API Gateway - CA SSO Integration

    Posted 03-31-2020 08:56 PM
    Barry,

    Here is my API screenshot. The SMSESSION value is $(siteminder.smcontext.ssotoken}


    I will test my test case and will give you another update soon.

    Thanks

    Mark



  • 6.  RE: API Gateway - CA SSO Integration

    Posted 03-31-2020 09:11 PM
    Barry,

    Here is my test html (after made API call), in the browser, I can see SMSESSION value in the response cookie


    But if I went to other HMS Web Application, the browser removed SMSESSION cook value.
    After re-login, I can see new SMSESSION value.




    In the API, do I need to add  other HTTP-Header ?

    Thanks

    Mark




  • 7.  RE: API Gateway - CA SSO Integration
    Best Answer

    Posted 04-01-2020 11:13 AM
    Hi Mark,

    Thanks for including screen shots.

    You have a fundamental cookie web browser security handling issue with your testing approach. You are trying to generate a cookie for your hms.com domain but going to your local ip address not a website with the hms.com domain this will not work  as your browser especially chrome is strict on this to prevent CSRF attacks. you can try adding a entry to your /etc/hosts file to allow your browser to resolve to a hostname.

    What I see is the browser is not setting the cookie as the SMSESSION cookie being returning in your first call from the API gateway. Look at the value of the cookie in your second call to the  other App and see the values do not match.

    You also need to look closely at the attribute SSO is using when generating the SMSESSION cookie and set accordingly in the cookie API gateway is generating. things like Secure and SameSite may be necessary.


  • 8.  RE: API Gateway - CA SSO Integration

    Posted 04-01-2020 11:53 AM
    Barry,

    Thanks your information. I never think about that local host part. I will make that change.
    But from the Layer7 API standpoint, I just want to see if I miss anything. Please let me know if I need other assertion in the API.
    Based on your information, CA SSO should be recognize Layer7 SMSESSION cookie value.  Is that correct?

    Thanks

    Mark


  • 9.  RE: API Gateway - CA SSO Integration

    Posted 04-01-2020 05:44 PM
    If created correctly yes, CA SSO can consume Layer 7 generated cookies as its really CA SSO generating the ssotoken we are just wrapping the cookie around it and returning to the user browser.