Validate Username Token
Gateway support
Gateway | Policy version |
---|---|
DataPower® Gateway (v5 compatible) | 1.0.0, 1.1.0 |
This topic describes how to configure the policy in the assembly user interface; for details on how to configure the policy in your OpenAPI source, see validate-usernametoken.
About
A WS-Security UsernameToken enables a user identity to be passed securely over a multi-point message path. The Validate Username Token policy extracts the UsernameToken element from the request payload, authenticates the extracted username and password, and provides access to the protected resource based on the authentication result. The policy has two authentication methods: Lightweight Directory Access Protocol (LDAP) user registry, or Authentication URL.
passwordText | passwordDigest |
---|---|
Authorization: Basic base64(username:password) | Authorization: Basic base64(username:passwordDigest) and X-IBM-PasswordType: 'digest' |
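The two mappings in the table, as an added Python example that is not part of the IBM documentation or the gateway's own code: it extracts the wsse:UsernameToken from a SOAP request and builds the Basic credentials (plus the X-IBM-PasswordType header for a digest password) that the policy passes to an Authentication URL. The namespaces are the standard WS-Security ones; the two sample envelopes and the digest value are constructed.

```python
import base64
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"

def extract_username_token(soap_xml: str) -> dict:
    """Pull Username, Password and the password type out of the wsse:UsernameToken."""
    root = ET.fromstring(soap_xml)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        raise ValueError("request carries no wsse:UsernameToken")
    user = token.findtext(f"{{{WSSE}}}Username")
    pwd_el = token.find(f"{{{WSSE}}}Password")
    if not user or pwd_el is None or not pwd_el.text:
        raise ValueError("UsernameToken lacks a Username or a Password")
    # Per the UsernameToken profile, an absent Type attribute means PasswordText.
    ptype = pwd_el.get("Type", PASSWORD_TEXT)
    if ptype == PASSWORD_TEXT:
        kind = "text"
    elif ptype == PASSWORD_DIGEST:
        kind = "digest"
    else:
        raise ValueError(f"unsupported Password Type: {ptype}")
    return {"username": user, "password": pwd_el.text, "password_type": kind}

def auth_url_headers(token: dict) -> dict:
    """Headers the policy sends to the Authentication URL, as in the table above."""
    cred = f"{token['username']}:{token['password']}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(cred).decode()}
    if token["password_type"] == "digest":
        # Tells the Authentication URL that the password part is a digest, not clear text.
        headers["X-IBM-PasswordType"] = "digest"
    return headers

# Constructed sample requests (not captured traffic); the digest value is made up.
SOAP_TEXT = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header><wsse:Security xmlns:wsse="{WSSE}">
  <wsse:UsernameToken><wsse:Username>alice</wsse:Username>
   <wsse:Password Type="{PASSWORD_TEXT}">secret</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""
SOAP_DIGEST = SOAP_TEXT.replace(PASSWORD_TEXT, PASSWORD_DIGEST).replace(">secret<", ">a9XzLkQ0c2Vj<")

if __name__ == "__main__":
    for req in (SOAP_TEXT, SOAP_DIGEST):
        print(auth_url_headers(extract_username_token(req)))
```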
- To validate the original input, position a Validate Username Token policy at the start of your flow.
- To validate an intermediate response that is returned from other invoke actions or tasks, position a Validate Username Token policy after those actions or tasks.
- To validate the response that is returned to the client application, position a Validate Username Token policy after the task that collates the response.
Properties
The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.
Property label | Required | Description | Data type |
---|---|---|---|
Title | Yes | The title of the policy. The default value is | string |
Description | No | A description of the policy. | string |
Authentication type (policy version 1.0.0 only) | Yes | The authentication type to use to validate the UsernameToken. Valid values: LDAP registry or Authentication URL. | string |
Authentication URL (policy version 1.0.0 only) | Yes | The authentication URL to validate the UsernameToken user credentials against. Note: This property is required only if Authentication type is set to Authentication URL. | string |
TLS profile (policy version 1.0.0 only) | No | The TLS profile to use for the secure transmission of data to the authentication URL. Note: This property is available only if Authentication type is set to Authentication URL. | string |
LDAP registry name (policy version 1.0.0 only) | Yes | The name of the LDAP user registry to validate the UsernameToken user credentials against. You can select a name from the drop-down list, or type a name manually. Note: This property is required only if Authentication type is set to LDAP registry. | string |
User Registry Name (policy version 1.1.0 and later) | Yes | Select the LDAP or Authentication URL registry to use to validate the UsernameToken. | string |
LDAP search attribute | Yes | The name of the LDAP user password attribute. Note: This property is required only for an LDAP user registry. | string |
Examples
```yaml
- validate-usernametoken:
    version: 1.0.0
    title: "validate-usernametoken"
    auth-type: "LDAP Registry"
    ldap-registry: "wstest"
    ldap-search-attribute: "userPassword"
- validate-usernametoken:
    version: 1.0.0
    title: "validate-usernametoken"
    auth-type: "Authentication URL"
    auth-url: "https://www.google.com"
    tls-profile: "default-ssl-profile"
```
Errors
The policy returns an HTTP 200 status code when successful, and the input payload is copied to the output flow. For all failure types the policy returns an HTTP 500 status code, and the output contains the SOAP fault.
- Ensure Search (DN) is set as the communication method.
- Ensure Authenticated Bind is set so that specific permissions are required to search the registry.
- Ensure the Admin DN and Password fields are correctly completed for the Distinguished Name (DN) of a user authorized to carry out searches in the LDAP directory.
- Ensure that a combination of Base DN, Prefix, and Suffix is set such that they fully describe the user DN. For example:
  - For a user named cn=alice,dc=ibm,dc=com, where the user DN is calculated as Prefix + BaseDN + Suffix: BaseDN: dc=ibm, Prefix: cn=alice, Suffix: dc=com
- For a user named: