Configure CA Single Sign-On
An administrator can configure API Portal to support CA Single Sign-On (CA SSO) for user authentication.
This section is intended for administrators who are well versed in CA SSO concepts, terms, and Policy Server configuration tasks. For more information about CA SSO, see the CA SSO documentation.
Before you proceed, ensure that you meet the following requirements:
- CA Access Gateway and Policy Server are installed and configured.
- API Portal is installed and running.
The high-level steps to configure CA SSO are as follows:
- Configure API Portal to support CA SSO.
- Configure CA SSO as IdP for API Portal.
- Configure CA Access Gateway.
- Test the API Portal and CA SSO Integration.
The following illustration depicts the CA SSO authentication flow:
Configure API Portal to Support CA SSO
To configure API Portal to support CA SSO, follow these steps:
- Log in as an Administrator.
- Click Settings, Authentication.
- On the Authentication Schemes page, click Add Authentication Scheme and provide the following information:
  - Providers: Select CA SSO provider from the available providers, and click Next.
  - Basic Details: Specify the following values, and click Next.
    - Provider Name: Specifies the provider name.
    - Provider Icon: Specifies the provider icon.
    - Provider Description: Provider description.
    Note: The CA SSO name, icon, and description added in the providers section are listed on the API Portal login page.
  - Provider Configuration: Provide the following CA SSO configuration details:
    Provider Configuration
    - CA Access Gateway Hostname: Specifies the fully qualified hostname of the CA Access Gateway (SPS).
    - Protected Resource: Provide a unique alphanumeric endpoint. The complete path that is provided is the resource path that you must configure in CA Single Sign-On as a Resource Filter in Realm. For more information about how to configure Realm, see the CA Single Sign-On documentation.
    Attribute Mapping
    - Specifies the HTTP header variable for email address in the response attribute of the CA Access Gateway.
    - First Name: Specifies the HTTP header variable for first name in the response attribute of CA Access Gateway. Example value: FirstName
    - Last Name: Specifies the HTTP header variable for last name in the response attribute of CA Access Gateway. Example value: LastName
    - Login: Specifies the HTTP header variable for user ID in the response attribute of CA Access Gateway. Example value: UserId
    - Organization: Specifies the HTTP header variable for organization in the response attribute of CA Access Gateway. Example value: Org
    - Role: Specifies the HTTP header variable for role in the response attribute of CA Access Gateway. Example value: Role
  - Role Mapping: Map the Role attribute that you defined in the Attribute Mapping section to the following API Portal user roles.
    - Portal Administrator
    - API Owner
    - Org Administrator
  - Configure multiple role values for the API Portal roles. If you select memberOf as the Role attribute, provide the full DN in the role mapping. The following sample DN maps the portal administrators to a group named Team - APIM - Portal - Divyam for the domain ca.com:
    CN=Team - APIM - Portal - Divyam,OU=Groups,OU=Asia Pacific,DC=ca,DC=com
- Click Create to add the configured CA SSO provider to Layer7 API Developer Portal. CA SSO is now configured as an IdP to authenticate users. The API Portal login page now lists the configured CA SSO.
Configure CA SSO as IdP for API Portal
To configure CA SSO as IdP for API Portal, the administrator performs the following high-level steps in CA SSO:
- Configure Realm
- Create Response
- Configure Agent Configuration Object
Meet the following requirements:
- Ensure that you have administrator privileges for CA SSO, and knowledge about CA SSO configuration.
- Ensure that an authentication scheme is created on CA SSO to authenticate users in API Portal.
- To configure the Realm, set the Resource path to the protected URL that you provided in the Provider Configuration section.
- Select the required authentication scheme. For more information, see the CA SSO documentation.
- In the Rules section:
  - Create a rule for the realm. For example, the effective resource could look as follows: <agent name>/admin/public/auth/schemes/sso/<variable>*. The /admin/public/auth/schemes/sso/<variable>* is the protected URL provided in the Provider Configuration section.
  - Select the GET and POST actions for the Web Agent Actions.
Create user attribute types where the attribute is WebAgent-HTTP-Header-Variable, and map all the attributes that you added in
An example illustration is as follows:
Configure Agent Configuration Object
Add or modify the BadCSSChars variable. For example, <,>. Ensure that the value does not contain a single quote.
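A pre-flight check for three constraints stated on this page (an alphanumeric Protected Resource endpoint, a full DN in the role mapping when the Role attribute is memberOf, and no single quote in BadCSSChars). This is an added example, not part of the product or its documentation; the settings dictionary and its key names are hypothetical, and the sample values other than the DN are constructed.

```python
import re

SSO_PREFIX = "/admin/public/auth/schemes/sso/"  # prefix from the page's realm rule example

def realm_resource_filter(endpoint):
    """Build the Realm resource filter for a Protected Resource endpoint."""
    if not re.fullmatch(r"[A-Za-z0-9]+", endpoint):
        raise ValueError(f"Protected Resource endpoint is not alphanumeric: {endpoint!r}")
    return f"{SSO_PREFIX}{endpoint}*"

def split_dn(dn):
    """Split a DN into (type, value) pairs; a backslash-escaped comma stays in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def is_full_dn(value):
    """True when the value starts at a CN and ends in DC components."""
    try:
        types = [rdn_type for rdn_type, _ in split_dn(value)]
    except ValueError:
        return False
    return len(types) >= 2 and types[0] == "CN" and types[-1] == "DC"

def lint(settings):
    """Return findings for a settings dict (hypothetical key names)."""
    findings = []
    try:
        realm_resource_filter(settings["protected_endpoint"])
    except ValueError as exc:
        findings.append(str(exc))
    if settings["role_attribute"].lower() == "memberof":
        for portal_role, value in settings["role_mapping"].items():
            if not is_full_dn(value):
                findings.append(f"{portal_role}: {value!r} is not a full DN")
    if "'" in settings["bad_css_chars"]:
        findings.append("BadCSSChars contains a single quote")
    return findings

# Constructed sample: the DN is the page's sample DN, the other values are made up.
SAMPLE = {"protected_endpoint": "casso1", "role_attribute": "memberOf", "bad_css_chars": "<,>",
          "role_mapping": {"Portal Administrator":
              "CN=Team - APIM - Portal - Divyam,OU=Groups,OU=Asia Pacific,DC=ca,DC=com"}}

if __name__ == "__main__":
    print(realm_resource_filter(SAMPLE["protected_endpoint"]), lint(SAMPLE))
```

A group name on its own, or a CN without the OU and DC components, is reported as not being a full DN.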
Configure CA Access Gateway
We assume that the administrator has knowledge about CA Access Gateway, Proxy rules, and Policy Server configuration tasks.
Follow the high-level steps to configure CA Access Gateway:
- Configure Proxy Rule
- Configure Virtual host settings
Configure Proxy Rule
Configure a proxy rule to forward a request to API Portal. The proxy rule ensures that the users access API Portal through the CA Access Gateway.
Configure Virtual Host Settings
Configure the following variables:
- enableredirectrewrite: Enables redirect rewriting.
- redirectrewritablehostnames: Sets the portal host name.
An example configuration is as follows:
<VirtualHost name="abc">
    hostnames="abc.company.com"
    enableredirectrewrite="yes"
    redirectrewritablehostnames="tenant1.dev.ca.com"
</VirtualHost>
Test the Integration
Considering that you have configured abc.company.com in your virtual host setting, test the integration as follows:
- Provide the abc.company.com address in a browser. The API Portal home page should open.
- Click login to view the configured CA SSO IdP option. If you have set the CA SSO as the default login page, then you are directed to the login page of the configured CA SSO.
- Provide the user credentials, and log in to API Portal successfully. Note: For external user authentication, ensure that the organization exists in API Portal.
Edit and Delete CA SSO Configuration
If your CA SSO configuration changes, update it in API Portal.
Follow these steps:
- Log in to the API Portal as an Administrator.
- Click Settings, Authentication.
- On the Authentication Schemes page, click the down arrow in the Actions section of a configured CA SSO, and then select Edit.
- On the Edit Authentication Scheme page, select the CA SSO configuration to edit. For example, to edit the provider configuration, select the Provider Configuration option. Make the required changes, and then click Save.
- To delete CA SSO that is configured with API Portal: On the Authentication Schemes page, click the down arrow in the Actions section of a configured CA SSO, and then select Delete.