Configure CA Single Sign-On

Administrators can configure API Portal to support CA Single Sign-On (CA SSO) for user authentication.
Prerequisites
This section is intended for administrators who are well versed in CA SSO concepts, terms, and Policy Server configuration tasks. For more information about CA SSO, see the CA SSO documentation.
Before you proceed, ensure that you meet the following requirements:
  • CA Access Gateway and Policy Server are installed and configured.
  • API Portal is installed and running.
The high-level steps to configure CA SSO are as follows:
  1. Configure API Portal to support CA SSO.
  2. Configure CA SSO as IdP for API Portal.
  3. Configure CA Access Gateway.
  4. Test the API Portal and CA SSO integration.
The following illustration depicts the CA SSO authentication flow:
[Figure: CA_SSO_Authentication_flow]
Configure API Portal to Support CA SSO
To configure API Portal to support CA SSO, follow these steps:
  1. Log in as an Administrator.
  2. From the menu bar, select the gear icon, Authentication.
  3. On the Authentication Schemes page, click Add Authentication Scheme and provide the following information:
    1. Providers: Select the CA SSO provider from the available providers, and click Next.
    2. Basic Details: Specify the following values, and click Next.
       • Provider Name: Specifies the provider name.
       • Provider Icon: Specifies the provider icon.
       • Provider Description: Specifies the provider description.
       Note: The CA SSO name, icon, and description added in the Providers section are listed on the API Portal login page.
    3. Provider Configuration: Provide the following CA SSO configuration details (example values in parentheses):
       Provider Configuration
       • CA Access Gateway Hostname: Specifies the fully qualified hostname of the CA Access Gateway (SPS).
       • Protected Resource: Provide a unique alphanumeric endpoint. The complete path that is provided is the resource path that you must configure in CA Single Sign-On as a Resource Filter in the Realm. For more information about how to configure the Realm, see the CA Single Sign-On documentation.
       Attribute Mapping
       • Email: Specifies the HTTP header variable for the email address in the response attribute of CA Access Gateway (example value: Email).
       • First Name: Specifies the HTTP header variable for the first name in the response attribute of CA Access Gateway (example value: FirstName).
       • Last Name: Specifies the HTTP header variable for the last name in the response attribute of CA Access Gateway (example value: LastName).
       • Login: Specifies the HTTP header variable for the user ID in the response attribute of CA Access Gateway (example value: UserId).
       • Organization: Specifies the HTTP header variable for the organization in the response attribute of CA Access Gateway (example value: Org).
       • Role: Specifies the HTTP header variable for the role in the response attribute of CA Access Gateway (example value: Role).
    4. Role Mapping: Map the Role attribute that you defined in the Attribute Mapping section to the following API Portal user roles:
       • Portal Administrator
       • API Owner
       • Developer
       • Org Administrator
    5. You can map multiple role values to the API Portal roles. If you select memberOf as the Role attribute, provide the full DN in the role mapping. The following sample DN maps the Portal Administrator role to a group named Team - APIM - Portal - Divyam in the ca.com domain:
       CN=Team - APIM - Portal - Divyam,OU=Groups,OU=Asia Pacific,DC=ca,DC=com
  4. Click Create to add the configured CA SSO provider to Layer7 API Developer Portal. CA SSO is now configured as an IdP to authenticate users.
     The API Portal login page now lists the configured CA SSO provider.
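To show how the Attribute Mapping and Role Mapping settings above combine, here is an added Python example (illustrative, not API Portal or CA SSO product code) that turns the header values CA Access Gateway forwards into a portal user record, applies the full-DN role match, and checks that the organization exists in API Portal as the Note under Test the Integration requires. The header names, the portal_orgs set, the sample user and all DNs except the page's own sample DN are constructed for this example.

```python
from typing import Dict, List, Optional, Set

# Header names as set in Attribute Mapping (the example values from the table above).
ATTRIBUTE_MAPPING = {
    "email": "Email", "first_name": "FirstName", "last_name": "LastName",
    "login": "UserId", "organization": "Org", "role": "Role"}

# Role Mapping: portal role -> full DNs of the memberOf groups that grant it.
# The first DN is the page's sample; the other three are constructed.
ROLE_MAPPING: Dict[str, List[str]] = {
    "Portal Administrator": ["CN=Team - APIM - Portal - Divyam,OU=Groups,OU=Asia Pacific,DC=ca,DC=com"],
    "API Owner": ["CN=API Owners,OU=Groups,DC=example,DC=com"],
    "Developer": ["CN=Developers,OU=Groups,DC=example,DC=com"],
    "Org Administrator": ["CN=Org Admins,OU=Groups,DC=example,DC=com"],
}


def map_roles(member_of: List[str]) -> List[str]:
    """Portal roles granted by the memberOf values. Matching is on the complete
    DN, as the Role Mapping step requires: a bare CN grants nothing."""
    groups = {dn.strip() for dn in member_of}
    return [role for role, dns in ROLE_MAPPING.items()
            if any(dn in groups for dn in dns)]


def build_portal_user(headers: Dict[str, List[str]], portal_orgs: Set[str]) -> Optional[dict]:
    """Gateway response headers -> portal user record, or None when a required
    attribute is missing, the org is not in API Portal, or no role matches."""
    def first(key: str) -> Optional[str]:
        values = headers.get(ATTRIBUTE_MAPPING[key], [])
        return values[0].strip() if values else None

    login, email, org = first("login"), first("email"), first("organization")
    if not (login and email and org) or org not in portal_orgs:
        return None  # external users need an existing organization
    roles = map_roles(headers.get(ATTRIBUTE_MAPPING["role"], []))
    if not roles:
        return None  # no mapped group: the user gets no portal role
    return {"login": login, "email": email, "first_name": first("first_name"),
            "last_name": first("last_name"), "organization": org, "roles": roles}


# Constructed sample headers for one user, as the gateway would forward them.
SAMPLE_HEADERS = {
    "Email": ["jdoe@ca.com"], "FirstName": ["Jane"], "LastName": ["Doe"],
    "UserId": ["jdoe"], "Org": ["Acme"],
    "Role": ["CN=Team - APIM - Portal - Divyam,OU=Groups,OU=Asia Pacific,DC=ca,DC=com",
             "CN=Developers,OU=Groups,DC=example,DC=com"],
}
```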
Configure CA SSO as IdP for API Portal
To configure CA SSO as IdP for API Portal, follow these high-level steps, which the administrator performs at CA SSO:
  1. Configure Realm
  2. Create Response
  3. Configure Agent Configuration Object
Prerequisites
Meet the following requirements:
  1. Ensure that you have administrator privileges for CA SSO and knowledge of CA SSO configuration.
  2. Ensure that an authentication scheme is created on CA SSO to authenticate users in API Portal.
Configure Realm
  1. To configure the Realm, add the Protected URL from the Provider Configuration section as the Resource path.
  2. Select the required authentication scheme. For more information, see the CA SSO documentation.
  3. In the Rules section:
    1. Create a rule for the realm. For example, the effective resource could look as follows:
       <agent name>/admin/public/auth/schemes/sso/<variable>*
       Here, /admin/public/auth/schemes/sso/<variable>* is the protected URL provided in the Provider Configuration section.
    2. Select the GET and POST actions for the Web Agent Actions.
Create Response
Create user attribute types where the attribute type is WebAgent-HTTP-Header-Variable, and map all the attributes that you added in API Portal.
An example illustration is as follows:
[Figure: create response]
Configure Agent Configuration Object
Add or modify the BadCSSChars variable, for example <,>. Ensure that the value does not contain a single quote character.
Configure CA Access Gateway
Prerequisites
We assume that the administrator has knowledge of CA Access Gateway, proxy rules, and Policy Server configuration tasks.
Follow the high-level steps to configure CA Access Gateway:
  1. Configure Proxy Rule
  2. Configure Virtual host settings
Configure Proxy Rule
Configure a proxy rule to forward requests to API Portal. The proxy rule ensures that users access API Portal through the CA Access Gateway.
Configure Virtual Host Settings
Configure the following variables:
  • enableredirectrewrite: Enables redirect rewriting.
  • redirectrewritablehostnames: Sets the portal host name.
An example configuration is as follows:
  <VirtualHost name="abc">
    hostnames="abc.company.com"
    enableredirectrewrite="yes"
    redirectrewritablehostnames="tenant1.dev.ca.com"
  </VirtualHost>
Test the Integration
Assuming that you have configured abc.company.com in your virtual host settings, test the integration as follows:
  1. Enter the abc.company.com address in a browser. The API Portal home page should open.
  2. Click Login to view the configured CA SSO IdP option. If you have set CA SSO as the default login page, you are directed to the login page of the configured CA SSO.
  3. Provide the user credentials, and log in to API Portal.
     Note: For external user authentication, ensure that the organization exists in API Portal.
Edit and Delete CA SSO Configuration
If your CA SSO configuration changes, update it in API Portal as well. Follow these steps:
  1. Log in to API Portal as an Administrator.
  2. From the menu bar, select the gear icon, Authentication.
  3. On the Authentication Schemes page, click the down arrow in the Actions section of the configured CA SSO scheme, and then select Edit.
  4. On the Edit Authentication Scheme page, select the part of the CA SSO configuration to edit. For example, to edit the provider configuration, select the Provider Configuration option. Make the required changes, and then click Save.
  5. To delete a CA SSO configuration from API Portal: On the Authentication Schemes page, click the down arrow in the Actions section of the configured CA SSO scheme, and then select Delete.