User Security

Use the User Security policy to extract a user's credentials, authenticate those credentials, and obtain authorization from the user.

Table 1. Table showing which gateways support this policy, and the corresponding policy version

Gateway                   Policy version
DataPower® API Gateway    2.0.0

This topic describes how to configure the policy in the assembly user interface; for details on how to configure the policy in your OpenAPI source, see user-security.

About

When you define an assembly user security action, you can define the processing for identity-extraction, authentication, and authorization, or you can selectively disable any of these aspects of processing. When an aspect is disabled, that processing step is skipped.

When identity-extraction is enabled, the following methods are supported.
  • Use basic authentication, which requires no additional configuration.
  • Use context variables. For this method, specify which variable contains the user name and password.
  • Use a redirect. For this method, specify the URL fragment to redirect to, and the time allowed to process.
  • Use an HTML login form. For this method, specify whether to use the default or custom form and the time allowed to submit the form. For a custom form, specify the location of the form and the TLS client profile to secure the connection to the remote server.
When authentication is enabled, the following methods are supported.
  • Contact an LDAP server. For this method, specify which server to contact.
  • Send a request to an authentication endpoint. For this method, specify the URL of the endpoint, the TLS client profile to secure the connection, the pattern to select which response header to add, and the response header that contains the authenticated credentials.
When authorization is enabled, the following methods are supported.
  • Implicitly accept any previously authenticated users, which requires no additional configuration.
  • Use an HTML authorization form. For this method, specify whether to use the default or custom form and the time allowed to submit the form. For a custom form, specify the location of the form and the TLS client profile to secure the connection to the remote server.

You can attach this policy to the REST API flow.
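The three-stage flow described above (extract, authenticate, authorize, each with its own stop-on-error switch), written out as an added illustration rather than the gateway's own code. It assumes the Basic extraction method, an Authentication URL whose behaviour is stood in for by a local function, and the "authenticated" authorization method; the header pattern default and the constructed user store are assumptions made here.

```python
import base64, binascii, hashlib, hmac, re

def extract_basic(headers):
    """Identity extraction, Basic method: (user, password) or None on malformed input."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password itself may contain ':'
    return (user, password) if sep and user else None

# Constructed stand-in for the external authentication endpoint: salted hashes, constant-time compare.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"s3cret").hexdigest()}

def auth_endpoint(user, password):
    """Return (HTTP status, response headers) as an Authentication URL would."""
    digest = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(digest, _USERS.get(user, "")):
        return 401, {}
    return 200, {"X-Authenticated-User": user, "X-Auth-Role": "reader", "Server": "auth"}

def select_headers(headers, pattern):
    """Keep only the response headers whose names match the header pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {k: v for k, v in headers.items() if rx.fullmatch(k)}

def run_user_security(request_headers, context, cfg):
    """Run the three stages; a failing stage halts only when its stop-on-error flag is set."""
    ctx, creds = dict(context), None
    if cfg.get("extract", "basic") != "disabled":
        creds = extract_basic(request_headers)
        if creds is None and cfg.get("ei_stop_on_error", True):
            return False, ctx
    if cfg.get("authenticate", "auth-url") != "disabled":
        status, hdrs = auth_endpoint(*(creds or ("", "")))
        if status == 200:
            ctx.update(select_headers(hdrs, cfg.get("header_pattern", r"X-Auth.*")))
            ctx["authenticated"] = True
        elif cfg.get("au_stop_on_error", True):
            return False, ctx
    if cfg.get("authorize", "authenticated") != "disabled":
        # 'authenticated' method: with stop-on-error cleared, an unauthenticated request still passes
        if not ctx.get("authenticated") and cfg.get("az_stop_on_error", True):
            return False, ctx
    return True, ctx
```

Note that clearing all three stop-on-error flags lets a request with no valid credentials reach the rest of the assembly, so any downstream step must then check the authenticated flag itself.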

Properties

The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.

Table 2. User Security policy properties
Title (Required: No; Data type: string)
The title of the policy. The default value is user-security.

Description (Required: No; Data type: string)
A description of the policy.

Factor ID (Required: No; Data type: string)
The identity that identifies the results of factor-authentication in the API context.

Extract Identity Settings (Required: Yes; Data type: string)
Select the method that is used to extract the user credentials. The following options are available:
Basic
Use basic authentication; no additional configuration is required.
Context Variable
The credentials are provided by API Connect context variables; specify the following properties:
  • Username context variable: the context variable that is used to obtain the user name.
  • Password context variable: the context variable that is used to obtain the password.
HTML Form
Use form-based identity-extraction. Select whether to use the default form or a custom form. For a custom form, specify the following properties:
  • Custom form endpoint: the location of the form.
  • Custom form TLS profile: the TLS client profile that is used to secure the connection to the remote server.
In the HTML form time limit field, specify the time allowed to submit the form.
Redirect
Use a redirect for identity-extraction; specify the following properties:
  • Redirect URL: the URL fragment to which the request is redirected to obtain the user credentials.
  • Redirect time limit: the time allowed for the transaction to complete.
Disabled
Identity-extraction is disabled; this aspect of processing is skipped.

Select Stop on error to halt assembly processing in the event of identity-extraction failure.

Authenticate User Settings (Required: Yes; Data type: string)
Select the authentication method. The following options are available:
Authentication URL
The credentials are authenticated by an external endpoint; specify the following properties:
  • Authentication URL: the URL of the authentication endpoint.
  • Authentication TLS profile: the TLS client profile that is used to secure the connection to the authentication endpoint.
  • Authentication response header pattern: the pattern that is used to select which response headers to add to the API context.
  • Authentication response header credential: the response header that contains the authenticated user credentials.
LDAP
The credentials are authenticated by an LDAP user registry; from the LDAP registry list, select the required registry.
Disabled
Authentication is disabled; this aspect of processing is skipped.

Select Stop on error to halt assembly processing in the event of authentication failure.

Authorize User Settings (Required: Yes; Data type: string)
Select the authorization method. The following options are available:
authenticated
Implicitly accept any previously authenticated users; no additional configuration is required.
HTML Form
The user provides authorization through an HTML form. Select whether to use the default form or a custom form. For a custom form, specify the following properties:
  • Custom form endpoint: the location of the form.
  • Custom form TLS profile: the TLS client profile that is used to secure the connection to the remote server.
In the Dynamic table entries field, enter the name of a context variable that specifies the scopes that are to be added automatically to the authorization consent form.
In the HTML form time limit field, specify the time allowed to submit the form.
Disabled
Authorization is disabled; this aspect of processing is skipped.

Select Stop on error to halt assembly processing in the event of authorization failure.