Creating an Authentication URL user registry
An Authentication URL user registry provides a simple mechanism for authenticating users by referencing a custom identity provider.
About this task
This topic describes how to create a new Authentication URL user registry as a Resource in your organization. After the user registry is created, the user registry must be added to the Sandbox catalog.
One of the following roles is required to configure user registries:
- Administrator
- Organization Owner
- Custom role with the Settings: Manage permissions
Note:
API Connect issues an HTTP GET call to the Authentication URL endpoint, sending the user's credential. The following example shows a call made to an Authentication URL identity provider with an endpoint defined as https://myauthurl.example.com/user/authenticate:

GET /user/authenticate HTTP/1.1
Host: myauthurl.example.com
Authorization: Basic c3Bvb246Zm9yaw==

If the Authentication URL endpoint returns an HTTP status code of 200, the user authenticates successfully. An HTTP status code other than 200 indicates a failed login attempt. API Connect forwards any HTTP header starting with X- (with the exception of X-Client-Certificate), and Cookie to the Authentication URL identity provider, to aid the authentication decision; for example:

GET /user/authenticate HTTP/1.1
Host: myauthurl.example.com
Authorization: Basic c3Bvb246Zm9yaw==
X-Forwarded-For: 8.8.9.9
X-Custom-Header-From-Customer: special
Cookie: MyCookie=VGhpc0lzV2lja2VkQW1hemluZw==

When a user is presented with the form for completing their API Connect user
registration, which fields are pre-populated depends on which fields are returned in the response
from the Authentication URL identity provider. If any of the following fields are returned, they
will be pre-populated in the registration form:
- username
- email
- first_name
- last_name
If the username field is not returned, the registration form displays the user name that was provided by the user. The pre-population capability requires that the response from the Authentication URL identity provider satisfies the following conditions:
- The Content-Type must be application/json.
- The response body format must be JSON.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "username":"myuser",
  "email":"myuser@example.com",
  "first_name":"My",
  "last_name":"User"
}
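
The request and response contract described above, sketched as a minimal identity-provider endpoint. This is an added example, not IBM or API Connect code; the user store, salt, port and handler names are constructed assumptions.

```python
import base64, binascii, hashlib, hmac, json
from http.server import BaseHTTPRequestHandler, HTTPServer

SALT = b"constructed-salt"  # constructed sample value (assumption)

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample user store (assumption): PBKDF2 hashes, never plaintext.
USERS = {"spoon": {"hash": _hash("fork"), "email": "spoon@example.com",
                   "first_name": "Spoon", "last_name": "User"}}

def authenticate(authorization):
    """Map an Authorization header value to (status, profile or None)."""
    if not authorization or not authorization.startswith("Basic "):
        return 401, None
    try:
        raw = base64.b64decode(authorization[6:], validate=True)
        username, sep, password = raw.decode("utf-8").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return 401, None  # malformed credential counts as a failed login
    user = USERS.get(username)
    # Hash for unknown users too, so both paths cost about the same time.
    expected = user["hash"] if user else _hash("")
    matches = hmac.compare_digest(_hash(password), expected)
    if not (sep and user and matches):
        return 401, None
    fields = ("email", "first_name", "last_name")
    return 200, {"username": username, **{f: user[f] for f in fields}}

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/user/authenticate":
            status, profile = authenticate(self.headers.get("Authorization"))
        else:
            status, profile = 404, None
        payload = json.dumps(profile).encode() if profile else b""
        self.send_response(status)  # anything other than 200 is a failed login
        if profile:
            self.send_header("Content-Type", "application/json;charset=UTF-8")
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    # Loopback, plain HTTP for local testing; deploy behind TLS (assumption).
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Because the credential travels in a Basic Authorization header, the endpoint should only be reachable over HTTPS, as in the https:// URL used in the example above.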
Procedure
Results
The user registry can be used for Basic Authentication in the Security Definition for an API. For more information, see Creating a basic authentication security definition.