Step 2: Set Up SAML SSO on the API Gateway

Before you set up SAML SSO on the API Portal, perform the following tasks to set up SAML SSO on the API Gateway:
  1. Install the API Portal Authentication SAML SSO service.
  2. Configure the SAML Request service.
  3. Specify the SAML attributes in the SAML SSO service.
The API Portal Authentication SAML SSO service contains two other services: SAML Request service and SAML Validation service.
  • The path to the endpoint of the SAML Request service is
    /prefix/portalAuth/sso/samlRequest
  • The path to the endpoint of the SAML Validation service is
    /prefix/portalAuth/sso/validateSaml
Install the API Portal Authentication SAML SSO Service
The first step in setting up SAML SSO on the API Gateway is to install the API Portal Authentication SAML SSO service.
Follow these steps:
  1. Open the Policy Manager.
  2. On the Main menu, select Tasks, Additional Actions, Install API Portal Authentication and Management Service. The API Portal Authentication and Management Service Installer dialog box opens.
  3. Select SAML SSO as the Authentication Method and then click [Install]. The installer validates the Prefix resolution URI and checks for service name conflicts with existing published services. If there are validation errors or naming conflicts, an error message appears; correct them before proceeding.
  4. Confirm that the API Portal Authentication SAML Validation Service is in the Policy Manager's Services and Policies List. If you selected a folder in the Services and Policies List before you started the installation, the service appears in that folder. Otherwise, the service appears under the root (top-level) folder.
Configure the SAML Request Service
The SAML Request service generates the SAML AuthnRequest sent to the identity provider. You must specify the URL of the identity provider in the SAML Request service.
The SAML Request service supports two binding methods for delivering the SAML AuthnRequest to the identity provider: HTTP Post, which sends the base64-encoded request in an auto-submitted HTML form body, and HTTP Redirect, which sends the request deflate-compressed, base64-encoded and URL-encoded in the query string of a redirect. The default binding method is HTTP Post. You can change the method to HTTP Redirect, but note that the Redirect binding places the request in the URL, so it is subject to URL length limits and is visible in proxy and web server logs.
Follow these steps:
  1. Open the Policy Manager.
  2. Open the SAML Request service policy and locate the Set Context Variable idpURL assertion. Change the value to the URL of your identity provider.
  3. Locate the Set Context Variable portalACSURL assertion and replace <REPLACE_PORTAL_HOST> with the URL of your API Portal.
  4. (Optional) To change the SAML Request service binding to HTTP Redirect, locate the Set Context Variable samlReqMethod assertion and change the value from Post to Redirect.
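The following is an added example, not code from the API Gateway or the API Portal, that shows what the two binding methods above actually put on the wire. It builds a minimal SAML 2.0 AuthnRequest with the standard library, then encodes it once for HTTP Post (base64 in a form field) and once for HTTP Redirect (raw DEFLATE, base64, URL-encoded query string), and decodes each back the way an identity provider would. The IdP URL, portal ACS URL and issuer are constructed placeholders standing in for the idpURL and portalACSURL context variables; replace them with your own values.

```python
import base64
import datetime
import uuid
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (assumptions, not real endpoints) mirroring the
# page's idpURL and portalACSURL context variables.
IDP_URL = "https://idp.example.com/saml/sso"
PORTAL_ACS_URL = "https://portal.example.com/saml/acs"
ISSUER = "https://gateway.example.com/prefix/portalAuth/sso"  # hypothetical SP entity ID

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(request_id=None, issue_instant=None):
    """Return a minimal, unsigned SAML 2.0 AuthnRequest as UTF-8 bytes.

    ProtocolBinding tells the IdP how to deliver the Response to the ACS URL;
    it is independent of the binding used to deliver this request.
    """
    if issue_instant is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        issue_instant = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": IDP_URL,
        "AssertionConsumerServiceURL": PORTAL_ACS_URL,
        "ProtocolBinding": POST_BINDING,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = ISSUER
    return ET.tostring(req, encoding="utf-8")


def post_binding(xml_bytes, relay_state=None):
    """HTTP-POST binding: the request travels base64-encoded in a form body."""
    fields = {"SAMLRequest": base64.b64encode(xml_bytes).decode("ascii")}
    if relay_state:
        fields["RelayState"] = relay_state
    return fields


def redirect_binding(xml_bytes, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode into the query string of a 302 Location."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate
    deflated = compressor.compress(xml_bytes) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_URL + "?" + urlencode(params)


def decode_post(fields):
    """What the IdP does with a POST binding: base64-decode and parse."""
    return ET.fromstring(base64.b64decode(fields["SAMLRequest"]))


def decode_redirect(url):
    """What the IdP does with a Redirect binding: split the query, base64-decode,
    inflate with raw DEFLATE, and parse."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


if __name__ == "__main__":
    xml = build_authn_request()
    print("POST form field length:", len(post_binding(xml)["SAMLRequest"]))
    url = redirect_binding(xml, relay_state="/portal/home")
    print("Redirect URL length:", len(url))
    print("Round-trip ACS URL:", decode_redirect(url).get("AssertionConsumerServiceURL"))
```

The Redirect binding is smaller because of the compression, but the whole request still sits in the URL; signatures on the Redirect binding go in separate SigAlg and Signature query parameters rather than inside the XML, which is one reason gateways default to Post.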
Specify the SAML Attributes in the SAML SSO Service
The SAML attributes in the SAML SSO service must be identical to the attributes in the assertion generated by the identity provider. Get a list of the identity provider’s attributes and then add them to the SAML SSO service.
Follow these steps:
  1. Open the API Portal Authentication SAML SSO service.
  2. Locate the Evaluate SAML Protocol Response assertion.
  3. Open the Attribute Statement tab. See the figure below.
  4. Add the names of the identity provider’s SAML attributes to the attribute statement.
    Figure: Attribute Statement tab in the SAML Protocol Response wizard
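The requirement that the configured attribute names be identical to those in the identity provider's assertion is easy to get wrong by a single character of case. The following added example, which is not code from the API Gateway, parses the AttributeStatement of a constructed SAML Response (no real IdP; unsigned, for illustration only), lists the attribute names and values it carries, and reports which configured names are absent, flagging names that differ only in case. Use it against a Response captured from your IdP before filling in the Attribute Statement tab.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample Response standing in for one captured from an IdP.
# It is unsigned and carries no Subject or Conditions; only the
# AttributeStatement matters for this check.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lastName">
        <saml:AttributeValue>Liddell</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>portal-admins</saml:AttributeValue>
        <saml:AttributeValue>developers</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return {Name: [value, ...]} for every Attribute in every
    AttributeStatement of the Response. Multi-valued attributes
    (for example group membership) keep all their values in order."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for stmt in root.iter(f"{{{SAML}}}AttributeStatement"):
        for attr in stmt.findall(f"{{{SAML}}}Attribute"):
            name = attr.get("Name")
            values = [(v.text or "").strip()
                      for v in attr.findall(f"{{{SAML}}}AttributeValue")]
            attrs.setdefault(name, []).extend(values)
    return attrs


def check_attribute_statement(response_xml, configured_names):
    """Compare the names configured on the Attribute Statement tab with the
    names actually asserted. Matching is exact and case-sensitive, as the
    gateway requires. Returns (missing, case_only_mismatches) where
    case_only_mismatches maps a missing configured name to the asserted
    name that differs only in case, so the fix is obvious."""
    asserted = extract_attributes(response_xml)
    missing = [n for n in configured_names if n not in asserted]
    by_lower = {n.lower(): n for n in asserted}
    case_only = {n: by_lower[n.lower()] for n in missing if n.lower() in by_lower}
    return missing, case_only


if __name__ == "__main__":
    for name, values in extract_attributes(SAMPLE_RESPONSE).items():
        print(f"{name}: {values}")
    # "Email" vs "email" and a never-asserted "department" are both reported.
    missing, case_only = check_attribute_statement(
        SAMPLE_RESPONSE, ["Email", "lastName", "department"])
    print("missing:", missing, "case-only:", case_only)
```

Run it against a real captured Response only after the gateway's signature and audience checks have passed on it; this script deliberately does nothing about signatures, so it is a configuration aid, not a validator.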