Configuring an Authentication URL user registry
An Authentication URL user registry provides a simple mechanism for authenticating users by referencing a custom identity provider.
About this task
This topic describes how to configure a new Authentication URL user registry as a Resource in your cloud. After the user registry is configured, you must select it for use in your cloud in Settings > User Registries. See Selecting user registries for Cloud Manager and API Manager.
One of the following roles is required to configure user registries:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings:Manage permissions
Note: API Connect issues an HTTP GET call to the Authentication URL endpoint, sending the user's credential. The following example shows a call made to an Authentication URL identity provider with an endpoint defined as https://myauthurl.example.com/user/authenticate:
GET /user/authenticate HTTP/1.1
Host: myauthurl.example.com
Authorization: Basic c3Bvb246Zm9yaw==
If the Authentication URL endpoint returns an HTTP status code of 200, the user authenticates successfully. An HTTP status code other than 200 indicates a failed login attempt. API Connect forwards any HTTP Header starting with X- (with the exception of X-Client-Certificate), and Cookie to the Authentication URL identity provider, to aid the authentication decision; for example:
GET /user/authenticate HTTP/1.1
Host: myauthurl.example.com
Authorization: Basic c3Bvb246Zm9yaw==
X-Forwarded-For: 8.8.9.9
X-Custom-Header-From-Customer: special
Cookie: MyCookie=VGhpc0lzV2lja2VkQW1hemluZw==
When a user is presented with the form for completing their API Connect user
registration, which fields are prepopulated depends on which fields are returned in the response
from the Authentication URL identity provider. If any of the following fields are returned, they
will be prepopulated in the registration form:
- username
- email
- first_name
- last_name
If the username field is not returned, the registration form displays the user name that was provided by the user. The pre-population capability requires that the response from the Authentication URL identity provider satisfies the following conditions:
- The Content-Type must be application/json.
- The response body format must be JSON.
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "username":"myuser",
  "email":"myuser@example.com",
  "first_name":"My",
  "last_name":"User"
}
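The identity-provider side of the request and response described above, as an added example that is not IBM's or API Connect's code. The function name, the sample user directory, the PBKDF2 settings and the choice of 401 as the non-200 failure status are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, json

SALT = b"constructed-salt"  # constructed sample value

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample directory; a real provider would query its user store.
USERS = {
    "spoon": {"hash": pw_hash("fork"), "email": "spoon@example.com",
              "first_name": "Spoon", "last_name": "Fork"},
}
DUMMY_HASH = pw_hash("placeholder")  # compared against for unknown users

def handle_authenticate(headers: dict) -> tuple:
    """Answer GET /user/authenticate: return (status, headers, body)."""
    # Any status other than 200 is a failed login; 401 is this example's choice.
    deny = (401, {"WWW-Authenticate": 'Basic realm="authurl"'}, b"")
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return deny
    try:
        # validate=True rejects bad padding and stray characters.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return deny
    username, sep, password = decoded.partition(":")
    if not sep:
        return deny
    user = USERS.get(username)
    # Same amount of hashing for known and unknown names, compared in
    # constant time, so response timing does not reveal which users exist.
    expected = user["hash"] if user else DUMMY_HASH
    matches = hmac.compare_digest(pw_hash(password), expected)
    if user is None or not matches:
        return deny
    # Fields that pre-populate the API Connect registration form.
    profile = {"username": username, "email": user["email"],
               "first_name": user["first_name"], "last_name": user["last_name"]}
    ok_headers = {"Content-Type": "application/json;charset=UTF-8",
                  "Cache-Control": "no-store", "Pragma": "no-cache"}
    return 200, ok_headers, json.dumps(profile).encode("utf-8")
```

The `headers` argument is assumed to be a dict keyed by canonical header names, as a web framework would supply after parsing the request.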