Monday, June 27, 2016

Token for Application Access

When dealing with CA API Gateway (aka Layer 7) and CA Single Sign-On (aka SiteMinder), especially with how to gain access to the protected back-end applications, one has to differentiate between the types of token each one requires.

CA API Gateway accepts OAuth2 access tokens, while CA SiteMinder traditionally accepts SM Session (SMSESSION) cookies.

In the mobile world, if a hybrid app needs to communicate with an API-enabled application behind CA API Gateway and with a web application behind CA SiteMinder, it would be easier if both PEPs (Policy Enforcement Points) "talk" OAuth2.

It saves the application developers from having to handle SM Session cookies in addition to OAuth2 tokens.

Is this achievable? Yes, but it is a bit painful.

1) A new authentication scheme is needed on SiteMinder to act as an OAuth2 client.
2) This OAuth2 client needs to communicate with an OAuth2 Provider, which in this setup is the CA API Gateway.
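To make the two-PEP arrangement concrete, here is an added example (my own illustration in Python, not CA's code or configuration): a toy OAuth2 provider standing in for the API Gateway, an API PEP that validates bearer tokens, and a web PEP that, like the proposed SiteMinder authentication scheme, acts as an OAuth2 client by introspecting the token with the provider and then minting its own session cookie. All names (OAuth2Provider, ApiPep, WebPep, check_bearer, the SMSESSION cookie used by the stand-in) and the sample client and subjects are assumptions made for the example.

```python
# Added illustration, not CA's code: a toy OAuth2 provider plus two policy
# enforcement points that both accept the same bearer token. All class, method
# and cookie names (OAuth2Provider, ApiPep, WebPep, SMSESSION) are assumptions.
import secrets
import time
from http.cookies import SimpleCookie


class OAuth2Provider:
    """Authorization server (the API Gateway in the post): issues opaque
    access tokens and answers RFC 7662 style introspection queries."""

    def __init__(self, clients):
        self._clients = dict(clients)   # client_id -> client_secret
        self._tokens = {}               # token -> record

    def issue_token(self, client_id, client_secret, subject, scope, ttl=300):
        if not secrets.compare_digest(self._clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": subject, "scope": frozenset(scope),
                               "exp": time.time() + ttl, "active": True}
        return token

    def revoke(self, token):
        if token in self._tokens:
            self._tokens[token]["active"] = False

    def introspect(self, token):
        rec = self._tokens.get(token)
        # RFC 7662: unknown, revoked and expired tokens all answer {"active": false}
        if rec is None or not rec["active"] or rec["exp"] <= time.time():
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "exp": int(rec["exp"]),
                "scope": " ".join(sorted(rec["scope"]))}


def check_bearer(provider, headers, required_scope, realm):
    """Validation shared by both PEPs: (status, response headers, introspection)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}, None
    info = provider.introspect(token.strip())      # the PEP acting as OAuth2 client
    if not info["active"]:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
    if required_scope not in info["scope"].split():
        return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}, None
    return 200, {"subject": info["sub"]}, info


class ApiPep:
    """Resource-server PEP in front of the API: the bearer check is the whole policy."""

    def __init__(self, provider, required_scope):
        self.provider, self.required_scope = provider, required_scope

    def handle(self, headers):
        return check_bearer(self.provider, headers, self.required_scope, "api")[:2]


class WebPep:
    """Web PEP with an OAuth2-client authentication scheme: a valid bearer token
    is exchanged for a session cookie instead of being obtained via form login."""

    COOKIE = "SMSESSION"   # cookie name assumed for the stand-in

    def __init__(self, provider, required_scope):
        self.provider, self.required_scope = provider, required_scope
        self._sessions = {}  # session id -> (subject, expires_at)

    def _subject_from_cookie(self, headers):
        morsel = SimpleCookie(headers.get("Cookie", "")).get(self.COOKIE)
        session = self._sessions.get(morsel.value) if morsel else None
        return session[0] if session and session[1] > time.time() else None

    def handle(self, headers):
        subject = self._subject_from_cookie(headers)
        if subject is not None:
            return 200, {"subject": subject}
        status, resp, info = check_bearer(self.provider, headers, self.required_scope, "web")
        if status != 200:
            return status, resp
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = (info["sub"], info["exp"])   # session never outlives the token
        resp["Set-Cookie"] = f"{self.COOKIE}={sid}; Secure; HttpOnly; SameSite=Strict"
        return 200, resp


def demo():
    """Constructed walk-through: one token presented to both PEPs, then revoked."""
    provider = OAuth2Provider({"mobile-app": "mobile-secret"})
    api, web = ApiPep(provider, "orders.read"), WebPep(provider, "portal")
    token = provider.issue_token("mobile-app", "mobile-secret", "alice", ["orders.read", "portal"])
    auth = {"Authorization": f"Bearer {token}"}
    out = {"api": api.handle(auth)[0], "web_first": web.handle(auth)}
    cookie = out["web_first"][1]["Set-Cookie"].split(";")[0]
    out["web_cookie"] = web.handle({"Cookie": cookie})[0]
    provider.revoke(token)
    out["api_revoked"] = api.handle(auth)[0]
    out["web_revoked_cookie"] = web.handle({"Cookie": cookie})[0]   # session still live
    return out
```

Two things the walk-through makes visible that the description above does not. First, the web PEP caps the session it mints at the token's exp, so a short-lived access token does not turn into a long-lived web session. Second, revoking the token at the provider does not invalidate a session cookie that was already minted from it (api_revoked is 401 while web_revoked_cookie is still 200); if prompt revocation matters on the web side, the scheme has to re-introspect periodically rather than trust the cookie until expiry. Opaque tokens with introspection were chosen so the web-side client needs nothing beyond an HTTP call to the provider; with JWT access tokens the validation could be local, but the revocation caveat is the same.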

* Note: CA SiteMinder cannot act as an OAuth2 Provider. Mobile deployment aside, if one has a pure web deployment and requires OAuth2 integration, CA SiteMinder is not able to fulfill the requirement on its own. It has to integrate with some other OAuth2 Provider.

If customers choose to keep everything within the same product family, CA API Gateway will satisfy the need. However, it would be a real white elephant if there is no API Management requirement. :)

By the way, my team tested this. The CA SiteMinder OAuth2 authentication scheme is able to integrate with OpenAM, with OpenAM acting as the OAuth2 Provider. Works like a charm!


  1. Has CA published which OAuth2 Providers they support? Azure AD, for example?

  2. CA SiteMinder has no OAuth2 Provider feature currently.