Validate Username Token (validate-usernametoken)
About
A WS-Security UsernameToken enables a user identity to be passed securely over a multi-point message path. The Validate Username Token policy extracts the UsernameToken element from the request payload, authenticates the extracted username and password, and provides access to the protected resource based on the authentication result. The policy has two authentication methods: Lightweight Directory Access Protocol (LDAP) user registry, or Authentication URL.
passwordText | passwordDigest |
---|---|
Authentication: Basic base64(username:password) | Authentication: Basic base64(username:passwordDigest), plus X-IBM-PasswordType: 'digest' |
- REST
- SOAP
- To validate the original input, position a Validate Username Token policy at the start of your flow.
- To validate an intermediate response that is returned from other invoke actions or tasks, position a Validate Username Token policy after those actions or tasks.
- To validate the response that is returned to the client application, position a Validate Username Token policy after the task that collates the response.
Properties
The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.
Property label | Property name | Required | Description | Data type |
---|---|---|---|---|
Title | title | Yes | The title of the policy. The default value is | string |
Description | description | No | A description of the policy. | string |
Authentication type | auth-type | Yes | The authentication type to use to validate the UsernameToken. Valid values: LDAP Registry or Authentication URL. | string |
Authentication URL | auth-url | Yes | The authentication URL to validate the UsernameToken user credentials against. Note: This property is required only if Authentication type is set to Authentication URL. | string |
TLS profile | tls-profile | No | The TLS profile to use for the secure transmission of data to the authentication URL. Note: This property is available only if Authentication type is set to Authentication URL. | string |
LDAP registry name | ldap-registry | Yes | The name of the LDAP user registry to validate the UsernameToken user credentials against. You can select a name from the drop-down list, or type a name manually. Note: This property is required only if Authentication type is set to LDAP Registry. | string |
LDAP search attribute | ldap-search-attribute | Yes | The name of the LDAP user password attribute. Note: This property is required only if Authentication type is set to LDAP Registry. | string |
Examples
```yaml
- validate-usernametoken:
    title: "validate-usernametoken"
    auth-type: "LDAP Registry"
    ldap-registry: "wstest"
    ldap-search-attribute: "userPassword"
- validate-usernametoken:
    title: "validate-usernametoken"
    auth-type: "Authentication URL"
    auth-url: "https://www.google.com"
    tls-profile: "default-ssl-profile"
```
Errors
The policy returns an HTTP 200 status code when successful, and the input payload is copied to the output flow. For all failure types the policy returns an HTTP 500 status code, and the output contains the SOAP fault.
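As an added worked example (not IBM's code or the gateway's implementation), the following Python shows the two steps the page describes for the Authentication URL method: extracting the wsse:UsernameToken from a SOAP request and building the headers listed in the passwordText/passwordDigest table above, plus the check an authentication URL backend must perform when X-IBM-PasswordType is 'digest'. The digest formula is the one from the WS-Security UsernameToken Profile 1.0 (Base64(SHA-1(nonce + created + password))), which the page itself does not spell out; the sample envelope, nonce, timestamp and password are constructed for the demo.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def _child_text(el, ns, name):
    child = el.find(f"{{{ns}}}{name}")
    return child.text if child is not None else None

def extract_usernametoken(soap_xml):
    """Pull the fields the policy needs from the first wsse:UsernameToken in a SOAP request."""
    tok = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("request carries no wsse:UsernameToken")
    pw = tok.find(f"{{{WSSE}}}Password")
    return {"username": _child_text(tok, WSSE, "Username"),
            "password": _child_text(tok, WSSE, "Password"),
            "digest": pw is not None and pw.get("Type") == PW_DIGEST,
            "nonce": _child_text(tok, WSSE, "Nonce"),
            "created": _child_text(tok, WSU, "Created")}

def auth_url_headers(token):
    """Headers the policy forwards to the authentication URL, using the names given in the table above."""
    cred = base64.b64encode(f"{token['username']}:{token['password']}".encode()).decode()
    headers = {"Authentication": f"Basic {cred}"}
    if token["digest"]:
        headers["X-IBM-PasswordType"] = "digest"  # tells the backend the credential is a digest, not a password
    return headers

def compute_password_digest(nonce_b64, created, password):
    """WS-Security UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def verify_password_digest(token, cleartext_password):
    """Backend check for a digest credential: recompute from the stored password and compare in constant time."""
    if not (token["digest"] and token["nonce"] and token["created"]):
        return False
    expected = compute_password_digest(token["nonce"], token["created"], cleartext_password)
    return hmac.compare_digest(expected, token["password"])

# Constructed sample request (not from the page); nonce, timestamp and password are demo values.
NONCE, CREATED = base64.b64encode(b"0123456789abcdef").decode(), "2024-01-01T00:00:00Z"
SAMPLE_SOAP = f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>
<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken><wsse:Username>alice</wsse:Username>
<wsse:Password Type="{PW_DIGEST}">{compute_password_digest(NONCE, CREATED, "s3cret")}</wsse:Password>
<wsse:Nonce>{NONCE}</wsse:Nonce><wsu:Created>{CREATED}</wsu:Created></wsse:UsernameToken>
</wsse:Security></s:Header><s:Body/></s:Envelope>"""
```

Note that a backend can only verify a digest credential if it holds the cleartext password (or can reproduce it); a store of hashed passwords can verify passwordText but not passwordDigest.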
- Ensure Search (DN) is set as the communication method.
- Ensure Authenticated Bind is set so that specific permissions are required to search the registry.
- Ensure the Admin DN and Password fields are correctly completed for the Distinguished Name (DN) of a user authorized to carry out searches in the LDAP directory.
- Ensure that a combination of Base DN, Prefix, and Suffix is set, such that they fully describe the user DN. For example:
  - For a user named cn=alice,dc=ibm,dc=com, where the user DN is calculated as Prefix + BaseDN + Suffix: BaseDN: dc=ibm, Prefix: cn=alice, Suffix: dc=com
  - For a user named: