Layer7 API Management

  • 1.  Help on using SaaS OAUTH OKTA for API authorization

    Posted Aug 31, 2018 03:14 PM

    Tried asking support for some guideline with no luck.


    Would like to see if someone could share a working flow where client would get tokens from our 3rd party service provider (okta) and in the API Gateway we'd validate prior to routing playing the role of resource server.



  • 2.  Re: Help on using SaaS OAUTH OKTA for API authorization

    Posted Aug 31, 2018 03:37 PM

    Hi Mark,


    From the wording in this question, it sounds like this is meant to be more of a discussion where multiple people's input would be desired. Question types in the community are geared towards items that only really have one "right" answer. As such, I'm going to convert this from a "Question" type to a "Discussion" type where it is open-ended and has more potential for involvement from others when examples are what's being sourced in this case.


    I also just wanted to add that if anyone is able to provide such a "working flow" in a policy format, I want to make sure that we tag this inclusion in the new policy template repository as it'd be a great starting point for anyone else desiring working flows/policies for integration with Okta. This is the great part of our policy repository, it's always evolving. In fact, I'd encourage you to take a look at it in case there are other starting points that can possibly assist, if this isn't specific to integration with Okta. Our repository is here, for your reference: https://communities.ca.com/community/ca-api-management-community/content?filterID=contentstatus%5Bpublished%5D~tag%5Bpol… 


    On a side note: CA Support does not usually have examples of policies nor examples of interactions with third-party services, which is likely why you may not have received a satisfactory answer to your question. Third-party integration assistance is, for the most part, a best effort attempt by Support as it's actually outside the scope of the team. Asking this in the CA API Management Community, however, should yield better results as you're now opening the floor up to potentially any user of the API Gateway involved in the community that has experience with integrating with Okta. I'm glad you've asked the question, and let's hope that people who have experience with Okta will be able to respond. And if you can clarify anything here too, in case I've misunderstood and this isn't specific to Okta integration, please do clarify and we'll do our best to assist you.


    -- Dustin Dauncey

    CA Support - Sr Support Engineer



  • 3.  Re: Help on using SaaS OAUTH OKTA for API authorization

    Posted Sep 27, 2018 10:41 AM

    Since there was no update/clarification to my understanding earlier, I presume my initial understanding was accurate? If so, now that we are a month in almost, it seems nobody has experience with Okta integration. I wanted to ask if you've learned anything new in the meantime that we can report back here for any others who may come across this thread in the future. If you have any new information, please do add it here for all to enjoy.



  • 4.  Re: Help on using SaaS OAUTH OKTA for API authorization

    Posted May 06, 2019 02:51 PM

    Okta provides API access management to a number of API gateways, including AWS, Apigee, Kong, MuleSoft...CA API Manager is not currently among them. It would be great to see CA API Gateway integrated with Okta as well. We are a customer of both CA API Gateway and Okta. Wondering if CA is already exploring/working on it. Here is a link for Mulesoft and Okta integration as an example.

    https://www.okta.com/partners/mulesoft/



  • 5.  Re: Help on using SaaS OAUTH OKTA for API authorization

    Posted May 07, 2019 12:00 PM

    I don't have an example for you, but I imagine it's quite possible. Okta, as far as I know, can send a signed JWT as the access token, which, if you have their cert or use their JWKS endpoint, you should be able to verify before passing the request through. API GW should be able to verify the JWT and you can parse out the attributes you want to validate prior to proxying the request to the API back-end.

    There's also an introspection endpoint you could call to check it via a "route HTTP" assertion. I'd just use their cert to verify the JWT directly though unless you're needing additional claims or something that came from the introspection endpoint.



  • 6.  Re: Help on using SaaS OAUTH OKTA for API authorization

    Posted May 09, 2019 10:11 AM

    Thanks. Yes, will explore the OIDC with OTK for user authentication.



  • 7.  Re: Help on using SaaS OAUTH OKTA for API authorization

    Posted May 22, 2019 01:18 AM

    I'm currently investigating exactly the same use case for my organisation. I'd love to see out of the box integration between OKTA and CA API-GW too!