Configuring an Authentication URL user registry

An Authentication URL user registry provides a simple mechanism for authenticating users by referencing a custom identity provider.

About this task

This topic describes how to configure a new Authentication URL user registry as a Resource in your cloud. After the user registry is configured, you must select it for use in your cloud in Settings > User Registries. See Selecting user registries for Cloud Manager and API Manager.

One of the following roles is required to configure user registries.:
  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings:Manage permissions
Note:
API Connect issues an HTTP GET call to the Authentication URL endpoint, sending the user's credential. The following example shows a call made to an Authentication URL identity provider with an endpoint defined as https://myauthurl.example.com/user/authenticate:
GET /user/authenticate HTTP/1.1
 Host: myauthurl.example.com
 Authorization: Basic c3Bvb246Zm9yaw=
If the Authentication URL endpoint returns an HTTP status code of 200, the user authenticates successfully. An HTTP status code other than 200 indicates a failed login attempt. API Connect forwards any HTTP Header starting with X- (with the exception of X-Client-Certificate), and Cookie to the Authentication URL identity provider, to aid the authentication decision; for example:
GET /user/authenticate HTTP/1.1
 Host: myauthurl.example.com
 Authorization: Basic c3Bvb246Zm9yaw=
 X-Forwarded-For: 8.8.9.9
 X-Custom-Header-From-Customer: special
 Cookie: MyCookie=VGhpc0lzV2lja2VkQW1hemluZw==
When a user is presented with the form for completing their API Connect user registration, which fields are prepopulated depends on which fields are returned in the response from the Authentication URL identity provider. If any of the following fields are returned, they will be prepopulated in the registration form:
  • username
  • email
  • first_name
  • last_name
If the username field is not returned, the registration form displays the user name that was provided by the user. The pre-population capability requires that the response from the Authentication URL identity provider satisfies the following conditions:
  • The Content-Type must be application/json.
  • The response body format must be JSON.
A sample response is as follows:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "username":"myuser",
  "email":"myuser@example.com",
  "first_name":"My",
  "last_name":"User"
}

Procedure

  1. In the Cloud Manager, click Resources.
  2. Select User Registries to see the list of current user registries in your cloud.
  3. Click Create in the User Registries section.
    Important: Do not share user registries between the API Manager and the Developer Portal, or between Developer Portal sites when self-service onboarding is enabled or account deletions in any of the sites are expected. You should create separate user registries for them, even if the separate registries point to the same backend authentication provider (for example, an LDAP server). This separation enables the Developer Portal to maintain unique email addresses across the Catalog, without API Manager needing the same requirement. It also avoids problems with users deleting their accounts from the Developer Portal that then affects their API Manager access.
  4. Select Authentication URL User Registry and enter the following parameters:
    Field Description
    Title (required) Enter a descriptive name to use on the screen.
    Name (required) The name that is used in CLI commands. The name is auto-generated. For details of the CLI commands for managing user registries, see apic user-registries.
    Summary (optional) Enter a brief description.
    Display Name (required) The name that is displayed for selection by the user when logging in to a user interface, or activating their API Manager account.

    For details of user interface log in, and account activation, see Accessing the Cloud Manager user interface, Accessing the API Manager user interface, and Activating your API Manager user account.

    Note: The Developer Portal uses the Title of the User Registries when rendering them at the login page, rather than the Display Name.
    URL (required) Enter the URL for the authentication service. When establishing authentication, API Connect makes a GET call to the URL. The call includes the user name and password it has collected from the user in its authorization header. Either 200 OK or 401 Unauthorized will be returned.
    TLS Client Profile (optional) Select a TLS Client Profile to allow secure authentication with a specific web server.
    Case sensitive To ensure proper handling of user name capitalization, you must ensure that your case-sensitivity setting here matches the setting on your backend Authentication URL server:
    • Only select Case sensitive if your backend server supports case-sensitivity.
    • Do not select Case sensitive if your backend server does not support case-sensitivity.
    Note: The Developer Portal does not support case sensitive usernames.
    Note: After at least one user has been onboarded into the registry, you cannot change this setting.
    Email required Select this checkbox if an email address is required as part of the user onboarding process. If selected, the source identity provider must supply the email address as part of the authentication process during onboarding.
    Note: An email address is not required by default for onboarding to the Cloud Manager or the API Manager, but it is required for onboarding to the Developer Portal.
    Unique email address Select this checkbox if email addresses must be unique within the user registry.
    Note: Every account in the Developer Portal, including across different user registries for the same site, must have a unique email address, including the site Admin account.
  5. Click Save.

Results

The Authentication URL user registry is saved and is available to be selected as a user registry for Cloud Manager or API Manager by selecting it in Settings > User Registries. It can also be used for Basic Authentication in the Security Definition for an API.