Identity Bridging Requirements

This topic describes the various requirements for identity bridging in the CA API Gateway.
For brevity, the generic "Trusted Authority" and "Federated Gateway" references are used in the identity bridging examples, workflows, and instructions. The Trusted Authority is the certificate authority (CA) that issues and manages security credentials and that is responsible for authentication. The Federated Gateway is the web service provider that is responsible for authorization.
The following items are required to configure identity bridging using a SAML or X.509 certificate credential source:
Web Service Requestor-Side Requirements
  • When SAML is used as the credential source in an identity bridging configuration, the client should be configured to retrieve a SAML token from the Trusted Authority's Security Token Service (STS).
  • When an X.509 certificate is used as the credential source in an identity bridging configuration, the client should be configured with a client certificate and its private key, where the certificate is signed by the Trusted Authority.
Trusted Authority (Authentication Domain) Requirements
  • When SAML is used as the credential source in an identity bridging configuration, the Trusted Authority may be any of the following:
    • another API Gateway, installed and configured
    • an identity provider that supports WS-Trust
    • an identity provider that supports WS-Federation Passive Requestors; for example, Active Directory Federation Services (ADFS)
  • When an X.509 certificate is used as the credential source in an identity bridging configuration, any certificate authority (CA) that issues certificates (such as a system using the OpenSSL toolkit) can be used to sign the client certificates.
  • One CA certificate (to be imported into the Federated Gateway trust store when using an X.509 certificate credential source; see Workflow Using an X.509 Certificate)
  • One server certificate (to be imported into the Federated Gateway trust store when using the SAML credential source, so that the Federated Gateway can verify the signature on tokens issued by the Trusted Authority; see Workflow Using SAML)
  • Individual client certificates signed by the CA certificate. For additional confidence when authorizing identities by users' X.509 client certificates, these certificates may also be imported into the Federated Gateway trust store for the Federated Identity Provider; see Workflow Using an X.509 Certificate. These certificates may also be imported into the Internal Identity Provider or the LDAP Identity Provider.
Federated Gateway (Authorization Domain) Requirements
  • API Gateway installed and configured
  • Policy Manager installed and configured
  • CA certificate(s) imported from the trusted credential source(s) (imported from the Trusted Authority when configuring an X.509 certificate credential source; see Workflow Using an X.509 Certificate)
  • Server certificate(s) imported from the trusted credential source(s) (imported from the Trusted Authority when configuring a SAML credential source; see Workflow Using SAML)
  • Individual client certificates (optionally imported for the federated users; see Workflow Using an X.509 Certificate)
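The X.509 requirements from both sections above (a Trusted Authority CA that signs the client certificates, and that CA certificate imported into the Federated Gateway trust store) as a worked example using the OpenSSL toolkit. This is an added example; it is not part of the original topic and not CA API Gateway product code. The working directory, file names, subject names and validity periods are assumptions chosen for the example. It also shows the failure mode a practitioner cares about: a certificate with the same subject name issued by a CA that is not in the trust store is rejected.

```shell
#!/bin/sh
# Added example (not from the CA API Gateway documentation). Stands in for the
# "system using the OpenSSL toolkit" acting as the Trusted Authority, then
# checks a client certificate the way the Federated Gateway does once only the
# CA certificate sits in its trust store. Names and paths are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Trusted Authority side: self-signed CA key and certificate.
# $1 = CA name used for the files, e.g. "trusted" -> trusted-ca.crt / .key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$1 Trusted Authority CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# Trusted Authority side: issue the client certificate and private key pair.
# $1 = file name, $2 = certificate subject CN, $3 = issuing CA name
make_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 90 \
    -in "$WORK/$1.csr" \
    -CA "$WORK/$3-ca.crt" -CAkey "$WORK/$3-ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Federated Gateway side: the trust store holds only the Trusted Authority's
# CA certificate, so a presented client certificate is accepted only if it
# chains to that CA. $1 = trusted CA name, $2 = client file name.
# Exit status 0 means trusted.
verify_client() {
  openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Federated Gateway side: the subject DN that would be mapped to a federated
# user after the chain check passes. $1 = client file name.
client_subject() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/$1.crt"
}

# Stand-alone demo: "alice" issued by the Trusted Authority is accepted;
# "impostor" carries the same CN but was issued by an unrelated CA, so it
# does not chain to the trust store and is rejected.
make_ca trusted
make_ca rogue
make_client alice alice trusted
make_client impostor alice rogue

for f in alice impostor; do
  if verify_client trusted "$f"; then
    echo "$f: accepted ($(client_subject "$f"))"
  else
    echo "$f: rejected, does not chain to the Trusted Authority CA"
  fi
done
```

The point of the impostor case is that the subject name alone carries no authority: the Federated Gateway's authorization decision rests on the chain to the CA certificate it imported, which is why that import is listed as a requirement on both sides.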