DataPower Gateway only [V5.0.2 or later]

validate-usernametoken

Use the Validate Username Token policy to validate a Web Services Security (WS-Security) UsernameToken in a SOAP payload before allowing access to the protected resource.

The validate-usernametoken policy has the following format:
- validate-usernametoken:
    title: title
    description: description
    auth-type: Authentication URL_or_LDAP Registry
    auth-url: authentication_url_to_use
    tls-profile: tls_profile_to_use
    ldap-registry: name_of_the_ldap_user_registry
    ldap-search-attribute: name_of_the_ldap_user_password_attribute

The following table describes the policy properties:

Table 1. Validate Username Token policy properties
Property label: Title
  Property name: title
  Required: Yes
  Description: The title of the policy. The default value is validate-usernametoken.
  Data type: string

Property label: Description
  Property name: description
  Required: No
  Description: A description of the policy.
  Data type: string

Property label: Authentication type
  Property name: auth-type
  Required: Yes
  Description: The authentication type to use to validate the UsernameToken. Valid values:
    • Authentication URL: Select this value to validate the user credentials against an authentication URL.
    • LDAP registry: Select this value to validate the user credentials against an LDAP user registry.
  The default value is Authentication URL.
  Data type: string

Property label: Authentication URL
  Property name: auth-url
  Required: Yes
  Description: The authentication URL to use to validate the UsernameToken user credentials against.
  Note: This property is required only if Authentication type is set to Authentication URL.
  Data type: string

Property label: TLS profile
  Property name: tls-profile
  Required: No
  Description: The TLS profile to use for the secure transmission of data to the authentication URL.
  Note: This property is available only if Authentication type is set to Authentication URL.
  Data type: string

Property label: LDAP registry name
  Property name: ldap-registry
  Required: Yes
  Description: The name of the LDAP user registry to validate the UsernameToken user credentials against. You can select a name from the drop-down list, or type a name manually.
  Note: This property is required only if Authentication type is set to LDAP registry.
  Data type: string

Property label: LDAP search attribute [1]
  Property name: ldap-search-attribute
  Required: Yes
  Description: The name of the LDAP user password attribute.
  Note: This property is required only if Authentication type is set to LDAP registry.
  Data type: string

Examples

The following example shows an LDAP user registry authentication:
- validate-usernametoken:
    title: "validate-usernametoken"
    auth-type: "LDAP Registry"
    ldap-registry: "wstest"
    ldap-search-attribute: "userPassword"

The following example shows an Authentication URL definition:
- validate-usernametoken:
    title: "validate-usernametoken"
    auth-type: "Authentication URL"
    auth-url: "https://www.google.com"
    tls-profile: "default-ssl-profile"

For more information about how to use a validate-usernametoken security policy, see Validate Username Token (validate-usernametoken) in the built-in policies section.

[1] When authenticating with LDAP and passwordText, the policy uses the username and password as LDAP bind credentials. However, when authenticating with LDAP and passwordDigest, the digest itself cannot be used for authentication. Instead, an LDAP search for the username is performed by using the administrator's distinguished name (DN) and password, and an attribute corresponding to the contents of the ldap-search-attribute is retrieved. A hash of the contents of this attribute (along with the Nonce and Created attributes, as in the WS-Security UsernameToken profile specification) is then compared to the passwordDigest.
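The passwordDigest branch of footnote 1, as an added example in Python that is not part of this documentation or of the DataPower implementation: the SOAP message and the LDAP lookup are constructed stand-ins, and the digest formula is the one from the WS-Security UsernameToken Profile.

```python
import base64
import binascii
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed stand-in for the LDAP search: username -> value of the ldap-search-attribute.
LDAP_STUB = {"alice": b"s3cret"}

def password_digest(nonce_b64: str, created: str, password: bytes) -> str:
    """Password_Digest = Base64(SHA-1(nonce + created + password)), per the UsernameToken profile."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password).digest()).decode()

def validate_usernametoken(soap_xml: str) -> bool:
    """Verify a PasswordDigest UsernameToken the way footnote 1 describes (digest branch only)."""
    root = ET.fromstring(soap_xml)
    tok = root.find(".//wsse:UsernameToken", NS)
    if tok is None:
        return False
    username = tok.findtext("wsse:Username", namespaces=NS)
    pw_el = tok.find("wsse:Password", NS)
    if username is None or pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
        return False  # passwordText would be checked by an LDAP bind instead; not modelled here
    nonce = tok.findtext("wsse:Nonce", namespaces=NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    stored = LDAP_STUB.get(username)  # the real policy searches LDAP with the administrator DN
    if stored is None or nonce is None or created is None:
        return False
    try:
        expected = password_digest(nonce, created, stored)
    except binascii.Error:  # malformed Nonce: reject rather than raise
        return False
    return hmac.compare_digest(expected, pw_el.text or "")

def build_token(username: str, nonce_b64: str, created: str, digest: str) -> str:
    """Constructed SOAP envelope carrying a PasswordDigest UsernameToken (sample input)."""
    return f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><soapenv:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>{username}</wsse:Username>
    <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
    <wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>
    </wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
```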