Layer 7 API Management

Expand all | Collapse all

How to expose REST services to support Siteminder authentication & authorization  ?

Jump to Best Answer
  • 1.  How to expose REST services to support Siteminder authentication & authorization  ?

    Posted 01-10-2018 08:21 AM

    Hi All,

     

    We have Web services based authentication & authorization running in CA Access Gateway. I am  exploring the possible ways to use API Gateway to provide the same functionality. For an example, CA Access Gateway supports login,blogin,authz,logoff calls for REST based authentications. Noticed that there is a service restman already running and service the REST based operations which we use it for migration activity. 

     

    Could you help me how can I use Siteminder login so that the application can post the credentials to API G/W which checks Siteminder for validation and return the headers. 



  • 2.  Re: How to expose REST services to support Siteminder authentication & authorization  ?
    Best Answer

    Posted 01-10-2018 01:21 PM

    For username+password you can send them in via Require HTTP Basic or via a POST parameter username+password extracted via XPath. For certificates, I've only used it getting the creds via the "Require TLS client cert auth" for direct connections, it follows similar basic logic to below but X509 as the authenticate and maps to an X509 protected auth scheme in SiteMinder; that way it uses that cred instead of expecting a password; but I imagine you could get a cert via a parameter in order to pass through too.

     

    Can't upload a full policy, but here's a password example logic that might help get started if nobody else has a full policy they can just upload.

     

    Password

    • **Pre-req: Agent (e.g., MyAgent) and application object setup in SiteMinder that enforces password log in on the component (e.g., /password)
    • Require TLS with client cert auth 
      • At minimum you need to require TLS, but up to you if you'd need client cert auth to use the service or not. 
    • Authorize client cert making the call
      • To ensure not just any person can POST user creds to the endpoint.
    • Validate form POST for your security reqs (invalid chars, expected params only, etc)
    • Set variable ssozone As String to appzone (from SiteMinder whatever you need your SSO Zone to be if you're not using default SM)
    • Set variable for agentname as String to MyAgent (set this to the agent mapped to the password component)
    • Set variable for resource as String (set this to the resource protected by component /password)
    • Set variable for username submitted As String to ${request.http.parameter.username}
    • Set variable for password submitted As String ${request.http.parameter.password}
    • Set variable for xpathform As Message to <form/>
    • ${xpathform}: Require XPath Credential: login = $username, password = $password
      • Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
    • Request: Check Protected Resource Against CA SSO
      • Agent = agentname
      • Protected Resource = resource
      • Action = POST
    • ${xpathform}: Authenticate Against CA SSO
      • Right click, choose "SelectTarget Message" and update to Other Context Variable and set to xpathform
      • Properties:
        • Use Last Credentials
        • Supported Credential Types: Username Password
        • SSO Token: Create SSO Token and SSO Zone Name = ${ssozone}
    • Request Authorize via CA SSO
      • Properties: User SSO Token from CA Single Sign-On context
    • Return Template Response to Requestor
      • Put your response here. Can  use a variable or whatever. So like if I built a JSON response in some fashion would go here with Response Content type = application/json and Response Body = JSON Response variable or manually inputed
        • E.g.,
          {
              "ssotoken" : "${siteminder.smcontext.ssotoken",
              "ssozone" : "${siteminder.smcontext.attributes.ATTR_SSOZONE}",
              "maxtime" :  "${siteminder.smcontext.attributes.ATTR_MAXSESSIONTIMEOUT}",
              "userdn" : "${siteminder.smcontext.attributes.MYAPP_USERDN}", <-- this would be header setup as a response header in SM
              "upn" : "${siteminder.smcontext.attributes.MYAPP_UPN}"   <-- this would be header setup as a response header in SM
          }

     

    Of course you'd want to adjust that to your setup and however you want to make appropriate variables, other security checks (IP whitelist, rate limiting, etc), authentication to the service itself, and anything else ya might need.



  • 3.  Re: How to expose REST services to support Siteminder authentication & authorization  ?

    Posted 01-11-2018 03:31 AM

    Thank you for the details notes. I am new to CA API G/W world and just started getting my hands dirty.  I will try this and post my update. Could you share any reference document where I can go-through the list of assertion used frequently and kind of manual for each assertion. 



  • 4.  Re: How to expose REST services to support Siteminder authentication & authorization  ?

    Posted 01-11-2018 10:54 AM

    Docops has pretty good list and explanation of each one. Sometimes it's not always clear when you want to leverage certain things. I'm still pretty new to the GW too, so still figuring a lot of things out .

     

    But here's some stuff I found useful when setting up the CA SSO token services - 

     

    --- Doing Math operations ---

    Math Expression Assertion 

    Mathematical functions within Policy 

    How can I create a simple arithmetic operation (a   b, for example)? 

     

    Within the context of CA SSO, if you want remaining time on a session you can use XPath to calculate time remaining on an SSO token to return to an app. From what I've found the API GW doesn't support the standard web agent headers regarding time left. So you get the max time, last time, and idle time only; then have to calculate the time remaining yourself based on server time (if it's already expired and you're on the latest version it should just fail but if you want to know how much time is left on an active session, need to do this).

     

    End up with something like:  $maxSessionTime - ($gateway.time.seconds - $startSessionTime)

     

    --- XPath credentials via context variables ---

    Custom HTTP Authorization Header 

     

    --- CA SSO variables ---

    CA Single Sign-On Context Variables - CA API Gateway - 9.2 - CA Technologies Documentation 

     

    Just have to remember if you only do the authenticate call you may not get all variables. Some only get sent with an authorize call. That's a standard CA SSO thing.