Configuring an Authentication URL user registry
An Authentication URL user registry provides a simple mechanism for authenticating users by referencing a custom identity provider.
About this task
This topic describes how to configure a new Authentication URL user registry as a Resource in your cloud. After the user registry is configured, you must select it for use in your cloud in Settings > User Registries. See Selecting user registries for Cloud Manager and API Manager.
One of the following roles is required to configure user registries:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings:Manage permissions
Note:
API Connect issues an HTTP GET call to the Authentication URL endpoint, sending the user's credential. The following example shows a call made to an Authentication URL identity provider with an endpoint defined as https://myauthurl.example.com/user/authenticate:

GET /user/authenticate HTTP/1.1
Host: myauthurl.example.com
Authorization: Basic c3Bvb246Zm9yaw==

If the Authentication URL endpoint returns an HTTP status code of 200, the user authenticates successfully. An HTTP status code other than 200 indicates a failed login attempt. API Connect forwards any HTTP header starting with X- (with the exception of X-Client-Certificate), and Cookie, to the Authentication URL identity provider to aid the authentication decision; for example:

GET /user/authenticate HTTP/1.1
Host: myauthurl.example.com
Authorization: Basic c3Bvb246Zm9yaw==
X-Forwarded-For: 8.8.9.9
X-Custom-Header-From-Customer: special
Cookie: MyCookie=VGhpc0lzV2lja2VkQW1hemluZw==

When a user is presented with the form for completing their API Connect user registration, which fields are pre-populated depends on which fields are returned in the response from the Authentication URL identity provider. If any of the following fields are returned, they will be pre-populated in the registration form:
- username
- email
- first_name
- last_name
If the username field is not returned, the registration form displays the user name that was provided by the user. The pre-population capability requires that the response from the Authentication URL identity provider satisfies the following conditions:
- The Content-Type must be application/json.
- The response body format must be JSON.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "username":"myuser",
  "email":"myuser@example.com",
  "first_name":"My",
  "last_name":"User"
}
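
A minimal identity provider endpoint that honours the contract described above (HTTP 200 for success, any other status for failure, JSON profile fields for pre-population), as an added example that is not IBM's or API Connect's own code. The user store, PBKDF2 parameters, listening port and helper names are assumptions made for illustration.

```python
import base64, binascii, hashlib, hmac, json
from http.server import BaseHTTPRequestHandler, HTTPServer

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample store (assumption): username -> (salt, password hash, profile).
_SALT = b"constructed-salt"
USERS = {"spoon": (_SALT, _hash("fork", _SALT),
                   {"email": "spoon@example.com", "first_name": "Sample", "last_name": "User"})}

def parse_basic(header):
    """Return (username, password) from an Authorization header, or None if malformed."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pw = decoded.partition(":")
    return (user, pw) if sep else None

def authenticate(headers):
    """Return (status, body): 200 plus profile fields on success, 401 otherwise."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, None
    user, pw = creds
    # Unknown users still cost one hash, so timing does not reveal valid names.
    salt, stored, profile = USERS.get(user, (_SALT, b"\0" * 32, None))
    ok = hmac.compare_digest(_hash(pw, salt), stored) and profile is not None
    return (200, {"username": user, **profile}) if ok else (401, None)

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = authenticate(self.headers) if self.path == "/user/authenticate" else (404, None)
        payload = json.dumps(body).encode() if body else b""
        self.send_response(status)
        if body:
            self.send_header("Content-Type", "application/json;charset=UTF-8")
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()  # terminate TLS in front of this
```

Because API Connect treats any status other than 200 as a failed login, malformed or missing Authorization headers are rejected with 401 rather than raising an error inside the handler.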