How to integrate Siteminder with Apigee Edge

Hi,

I am looking to enable SiteMinder integration with Apigee Edge to enable access to developers based on SM tokens rather than using the inbuilt OAuth tokens. Can someone help with this please?

Something like this?
  • call arrives at Apigee
  • Extract Token (ExtractVariables)
  • Call to SiteMinder to verify the token (ServiceCallout)
  • based on the result, reject or allow the call (Condition and RaiseFault)

Thanks for responding.

Yes, that's right. I want to authorize the calls based on SiteMinder. Here I don't want to have a Generate OAuth policy associated with my proxy. All the developers will register in a portal which is associated with SiteMinder.

@Dino-at-Google

Hello, can you please help on this?

deniska
Participant V

Sounds like you can use SecureGateway (formerly SPS) before the actual Apigee API.

If you have a relevant version of SM (12.51*, not sure), you can use the SM API to validate incoming SMSESSIONs.

Anyway, IMO the best way is to put the SM & SPS in front of Apigee and use relevant SPS proxy rules to route to Apigee services. What's the process for a developer to get an SMSESSION in the first place?

You can build a proxy that will gather client_id + client_secret (you have to create such credentials in your SM IDP), and once the developer sends these to the SM IDP, he will receive an SMSESSION back, instead of OAuth, and then you can use the flow that Dino wrote. You need to sync the client_id + client_secret to the SM IDP if you want this to work, and create an authentication proxy integrated with SM.

@Denis Kalitviansky Currently we have a gateway server which has the inbuilt functionality to use SM. We need to use the SM host config file to call SM from the gateway server. However, we are planning to move to Apigee, so having an SPS in front of Apigee may not be an option for me. This is actually for mobile apps wherein when the user signs into the app, he will get an SM token (apps are connected to SM) using which the app makes the call to Apigee to access the proxies created.

So, create a proxy on Apigee. Your mobile app will push the creds from the mobile to this proxy, and for the logic you will:

a) check client_id + secret of the developer

b) check the user credentials

if all succeed, return SMSESSION

Other APIs will be protected by, let's say, a shared flow that will receive the SMSESSION and validate it against the SM server.
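The four steps Dino listed, and the validating shared flow Denis describes, as an added example in Apigee Edge policy XML (this is not code from either post). The SM endpoint URL, the header-based request contract and the policy names are assumptions, since the thread does not specify the SM REST interface; in a real bundle each policy is its own file under apiproxy/policies and the PreFlow sits in the ProxyEndpoint.

```xml
<!-- 1. Pull the SMSESSION header off the incoming request (ExtractVariables). -->
<ExtractVariables name="EV-ExtractSMSession">
  <Source>request</Source>
  <Header name="SMSESSION">
    <Pattern ignoreCase="false">{session}</Pattern>
  </Header>
  <VariablePrefix>sm</VariablePrefix>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>
<!-- 2. Ask the SiteMinder server whether the session is valid (ServiceCallout).
     URL and header contract are placeholders for your SM validation endpoint. -->
<ServiceCallout name="SC-ValidateSMSession">
  <Request variable="smValidateRequest">
    <Set>
      <Headers>
        <Header name="SMSESSION">{sm.session}</Header>
      </Headers>
      <Verb>GET</Verb>
    </Set>
  </Request>
  <Response>smValidateResponse</Response>
  <Timeout>3000</Timeout>
  <HTTPTargetConnection>
    <URL>https://sm-policy-server.example.internal/validate-session</URL>
  </HTTPTargetConnection>
</ServiceCallout>
<!-- 3. Reject the call with 401 (RaiseFault). -->
<RaiseFault name="RF-InvalidSession">
  <FaultResponse>
    <Set>
      <StatusCode>401</StatusCode>
      <Payload contentType="application/json">{"error":"missing or invalid SMSESSION"}</Payload>
    </Set>
  </FaultResponse>
</RaiseFault>
<!-- 4. Wire the steps into the request PreFlow. A missing header fails fast before the
     callout; a non-200 answer from SM fails the call. continueOnError is left at its
     default (false), so an unreachable SM server also ends in a fault: fail closed. -->
<PreFlow name="PreFlow">
  <Request>
    <Step><Name>EV-ExtractSMSession</Name></Step>
    <Step>
      <Name>RF-InvalidSession</Name>
      <Condition>sm.session = null</Condition>
    </Step>
    <Step><Name>SC-ValidateSMSession</Name></Step>
    <Step>
      <Name>RF-InvalidSession</Name>
      <Condition>smValidateResponse.status.code != 200</Condition>
    </Step>
  </Request>
</PreFlow>
```

To reuse this across proxies as Denis suggests, move the same four steps into a shared flow and attach it with a FlowCallout in each proxy's PreFlow.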

@Denis Kalitviansky thanks for this. I will give it a try. In my case, I may just need to validate the SMSESSION against the SM server. Do you have any links to docs or videos which can help me set this up please?

If you have a relevant SM version, use the SM API like any other API with Apigee. Just send the data (SMSESSION) and retrieve the response.

https://docops.ca.com/ca-single-sign-on/12-7/en/programming/policy-object-rest-apis/rest-api-referen...

I'm suggesting you open a ticket with CA Support so they can explain how to enable the RESTful API on your version of SM. Once this is done, use the API as any other API, nothing special.

@Denis Kalitviansky Thanks very much for the help. I will talk to the SM team (we have a different team) and check if they already have an API for this or they need to enable one.