user-security

Use the user-security policy to extract a user's credentials, authenticate those credentials, and obtain authorization from the user.

Gateway support

Table 1. Table showing which gateways support this policy, and the corresponding policy version
Gateway Policy version
DataPower® API Gateway 2.0.0

This topic describes how to configure the policy in your OpenAPI source; for details on how to configure the policy in the assembly user interface, see User Security.

About

The user-security policy has the following format:
- user-security:
  version: version
  title: title
  description: description
  factor-id: factor ID
  extract-identity-method: method_used_to_extract_credentials
       .
       .
       .
     properties_specific_to_the specified_identity_extraction_method
       .
       .
       .
  user-auth-method: authentication_method
       .
       .
       .
     properties_specific_to_the specified_authentication_method
       .
       .
       .
  user-az-method: authorization_method
       .
       .
       .
     properties_specific_to_the specified_authorization_method
       .
       .
       .

Properties

Table 2. user-security policy properties
Property Required Description Data type
version Yes The policy version number string
title No The title of the policy. string
description No A description of the policy. string
factor-id No The identity that identifies the results of factor-authentication in the API context. string
extract-identity-method Yes Select the method that is used to extract the user credentials. The following options are available:
basic
Use basic authentication; no additional configuration is required.
context-var
The credentials are provided by API Connect context variables; specify the following properties:
  • user-context-var: the context variable that is used to obtain the user name.
  • pass-context-var: the context variable that is used to obtain the password.
html-form
Use forms based identity-extraction. You can use the default form or a custom form. To use the default form, specify ei-default-form: true. To use a custom form, specify ei-default-form: false and supply the following properties:
  • ei-custom-form: the location of the form.
  • ei-custom-form-tls-client-profile: the TLS client profile that is used to secure the connection to the remote server.

Use the ei-form-time-limit property to specify the time allowed to submit the form.

redirect
Use a redirect for identity-extraction; specify the following properties:
  • redirect-url: the URL fragment to which to redirect the request to obtain user credentials.
  • redirect-time-limit: the time allowed for the transaction to complete.
disabled
Identity-extraction is disabled; this aspect of processing is skipped.


Specify ei-stop-on-error: true to halt assembly processing in the event of identity-extraction failure. This field is required if identity extraction is not disabled.

string
user-auth-method Yes Select the authentication method. The following options are available:
auth-url
The credentials are authenticated by an external endpoint; specify the following properties:
  • auth-url: the URL of the authentication endpoint.
  • auth-tls-client-profile: the TLS client profile that is used to secure the connection to the authentication endpoint.
  • auth-response-headers-pattern: the pattern that is used to select which response headers to add to the API context.
  • auth-response-header-credential: the response header that contains the authenticated user credentials.
ldap
The credentials are authenticated by an LDAP user registry; use the ldap-registry property to specify the required registry.
disabled
Authentication is disabled; this aspect of processing is skipped.


Specify au-stop-on-error: true to halt assembly processing in the event of user authentication failure. This field is required if authentication is not disabled.

string
user-az-method Yes Select the authorization method. The following options are available:
authenticated
Implicitly accept any previously authenticated users; no additional configuration is required.
html-form
The user provides authorization through an HTML form. You can use the default form or a custom form.

To use the default form, specify az-default-form: true. To use a custom form, specify az-default-form: false.

Supply the following properties:
  • az-table-dynamic-entries: the name of a context variable that specifies the scopes that are to be added automatically to the authorization consent form.
  • az-form-time-limit: the time allowed to submit the form.
For a custom form, supply the following properties:
  • az-custom-form: the location of the form.
  • az-custom-form-tls-client-profile: the TLS client profile that is used to secure the connection to the remote server.
disabled
Authorization is disabled; this aspect of processing is skipped.


Specify az-stop-on-error: true to halt assembly processing in the event of user authorization failure. This field is required if authorization is not disabled.

string

Example

# basic authentication with LDAP registry

- user-security:
    version: 2.0.0
    title: user-security
    factor-id: default
    extract-identity-method: basic
    ei-stop-on-error: true
    user-auth-method: ldap
    ldap-registry: corporate-ldap
    au-stop-on-error: true
    user-az-method: authenticated
    az-stop-on-error: true