Layer7 API Management

  • 1.  Bad Login redirect page in AUTH server

    Posted Feb 17, 2020 10:22 AM
    Hello there,
    We have L7 API Gateway 9.4 with OTK 4.3. We use CA SSO for authentication and authorization. My question is: when the user clicks login from the RP application, the Auth server gets client_id, redirect_uri, scope, etc., and in the Gateway policy we send the user to CA SSO if no SMSESSION exists. So the user logs in with a good uid/pwd and is able to log in. Everything is fine here.

    However, when the user enters an invalid uid/pwd, we redirect the user to a login failed page, and now if the user wants to log in again, what URL should we redirect the user to and with what parameters?

    Thanks


  • 2.  RE: Bad Login redirect page in AUTH server

    Posted Feb 17, 2020 11:04 AM

    Do you have a parameter like target, spurl or relaystate in your URL? Usually that holds the page to redirect to.

    This is one of the external integration guides that covers the requirement; we use it for one of our integrations: https://help.zscaler.com/zia/saml-configuration-guide-ca-single-sign-on



    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 3.  RE: Bad Login redirect page in AUTH server

    Posted Feb 17, 2020 12:47 PM
    It's not SAML... we use the OpenID Connect authorization code flow.


  • 4.  RE: Bad Login redirect page in AUTH server

    Posted Feb 18, 2020 07:29 AM
    Usually the Authorization Code flow has a callback URL or redirect_uri that it redirects to post authorization. Looking at this article, it is a required parameter in your POST:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/use-ca-single-sign-on-as-openid-connect-provider.html

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 5.  RE: Bad Login redirect page in AUTH server

    Posted Feb 20, 2020 03:54 PM
    We are not using CA SiteMinder as the OpenID Connect provider; we use API Gateway with OTK and use CA SSO for authentication of uid/pwd only.

    For example..

    1. User goes to https://www.coke.com/login-sso

    2. On this page, the user has an option to click 'Login with COMPANY-A-Z'

    3. User clicks the 'Login with COMPANY-A-Z' button and is redirected to the COMPANY-A-Z login page along with the OpenID parameters

    4. User enters an invalid uid or pwd in the login page of COMPANY-A-Z https://login.COMPANY-A-Z.com

    5. Since the user entered an invalid uid/pwd, the user is redirected to the failed page https://login.COMPANY-A-Z.com/failed-login.html

    In this failed-login.html, we have a try again link, and if the user clicks that try again link, how can we get the OpenID parameters again which he came with in step #3 above?


  • 6.  RE: Bad Login redirect page in AUTH server

    Posted Feb 20, 2020 04:51 PM
    In other words, in the failed-login.html page that has a try again link, I want to show 'https://www.coke.com/login-sso' in the try again link. I can't hard code this value because we have 100+ clients who will land on this failed-login.html and their login page URLs will be different.

    Any thoughts?

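    One way to solve the problem described above, as an added example that is not part of this thread or of the OTK product: the authorization server captures the validated authorization request parameters when it first sends the user to the login page, and the "try again" link carries an opaque HMAC-tagged token that rebuilds the request to the authorization endpoint, so no client login URL is hard-coded and the page never follows an unvalidated return URL. The endpoint, HMAC key and client registry are constructed sample values.

    ```python
    # Added example (not from the thread or from Layer7/OTK): rebuild the original
    # OIDC authorization request after a failed password attempt, without taking an
    # open "return URL" parameter from the browser.
    from urllib.parse import urlencode
    import base64, hashlib, hmac, json

    AUTHZ_ENDPOINT = "https://login.example.com/auth/oauth/v2/authorize"  # assumed
    SECRET = b"server-side-hmac-key"  # assumed; lives in the gateway, never in the page

    # Registered clients with exact-match redirect_uri allow-list (constructed data)
    CLIENTS = {
        "coke-web": {"https://www.coke.com/callback"},
    }

    REQUIRED = ("response_type", "client_id", "redirect_uri", "scope", "state")
    OPTIONAL = ("nonce", "code_challenge", "code_challenge_method")


    def capture_authz_request(query: dict) -> str:
        """Validate the inbound authorization parameters and return an opaque,
        HMAC-tagged token the failed-login page can place in its 'try again' link."""
        params = {k: query[k] for k in REQUIRED}  # KeyError if a required one is absent
        params.update({k: query[k] for k in OPTIONAL if k in query})
        if params["response_type"] != "code":
            raise ValueError("only the authorization code flow is handled here")
        # Reject redirect_uri values that are not registered for this client_id,
        # so the retry link can never become an open redirect.
        if params["redirect_uri"] not in CLIENTS.get(params["client_id"], ()):
            raise ValueError("redirect_uri is not registered for this client_id")
        raw = json.dumps(params, sort_keys=True).encode()
        body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
        tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
        return f"{body}.{tag}"


    def retry_url(token: str) -> str:
        """Rebuild the authorization request from a captured token. The user re-enters
        the flow at the authorization endpoint, so the RP's state/nonce stay intact."""
        body, _, tag = token.partition(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("tampered retry token")
        raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        params = json.loads(raw)
        return AUTHZ_ENDPOINT + "?" + urlencode(params)
    ```

    In a gateway policy the token would be set as a context variable or short-lived cookie at step 3 and read back when failed-login.html is rendered.
    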

  • 7.  RE: Bad Login redirect page in AUTH server
    Best Answer

    Posted Feb 24, 2020 04:27 AM
    We are not using CA SiteMinder as the OpenID Connect provider; we use API Gateway with OTK and use CA SSO for authentication of uid/pwd only.

    For example..

    1. User goes to https://www.coke.com/login-sso
    This is OK. Should not be a problem
    2. On this page, the user has an option to click 'Login with COMPANY-A-Z'
    Is this page controlled by a third-party vendor, or do you control the page?
    3. User clicks the 'Login with COMPANY-A-Z' button and is redirected to the COMPANY-A-Z login page along with the OpenID parameters
    Is this page controlled by a third-party vendor, or do you control the page? This is just to understand if you want to add extra parameters.
    4. User enters an invalid uid or pwd in the login page of COMPANY-A-Z https://login.COMPANY-A-Z.com
    --You have faced no issues here
    5. Since the user entered an invalid uid/pwd, the user is redirected to the failed page https://login.COMPANY-A-Z.com/failed-login.html
    When the login fails and the user retries, what does the retry do (history.back JavaScript, or is it a URL)?
    In this failed-login.html, we have a try again link, and if the user clicks that try again link, how can we get the OpenID parameters again which he came with in step #3 above?

    What is the OpenID grant type you are using (Password or Authorization Code)?

    There are some examples that you can see, provided by the OTK toolkit, if you installed the client data tools:
    https://<urGwURL>:<urGwPort>/oauth/v2/client/authcode

    OAuth 2.0
    The authorization parameter works with a callback URL. This URL is the routed URL the third-party client tries to redirect to post successful authentication.

    Can you please provide feedback on the following:
    1. Is this https://www.coke.com/login-sso controlled by you?
    2. The redirect COMPANY-A-Z login page: what are the default parameters that are sent to the COMPANY-A-Z login page during registration (again, do you control this site)?
    3. If the Company login fails, what does Retry Login do? I mean, what is the URL it redirects to? Is it controlled with the JavaScript back option, in which case you don't need to specify parameters, else




    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 8.  RE: Bad Login redirect page in AUTH server

    Posted Feb 24, 2020 04:31 AM
    However, when the user enters an invalid uid/pwd, we redirect the user to a login failed page, and now if the user wants to log in again, what URL should we redirect the user to and with what parameters?
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-3/installation-workflow/verify-the-installation/verify-the-oauth-infrastructure.html

    Look at this example; it should meet your requirement:
    https://<UrGwURL>/oauth/v2/client/bcp


    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------