User Security

Edit online

Use the User Security policy to extract a user's credentials, authenticate those credentials, and obtain authorization from the user.

Table 1. Table showing which gateways support this policy, and the corresponding policy version
Gateway Policy version
DataPower® API Gateway 2.0.0

This topic describes how to configure the policy in the assembly user interface; for details on how to configure the policy in your OpenAPI source, see user-security.

About

When you define an assembly user security action, you can define the processing for identity-extraction, authentication, and authorization or you can selectively disable any of these this aspects of processing. When disabled, this processing aspect is skipped.

When identity-extraction is enabled, the following methods are supported.
  • Use basic authentication, which requires no additional configuration.
  • Use context variables. For this method, specify which variable contains the user name and password.
  • Use a redirect. For this method, specify the URL fragment to redirect to, and the time allowed to process.
  • Use an HTML login form. For this method, specify whether to use the default or custom form and the time allowed to submit the form. For a custom form, specify the location of the form and the TLS client profile to secure the connection to the remote server.
When authentication is enabled, the following methods are supported.
  • Contact an LDAP server. For this method, specify which server to contact.
  • Send a request to an authentication endpoint. For this method, specify the URL of the endpoint, the TLS client profile to secure the connection, the pattern to select which response header to add, and the response header that contains the authenticated credentials.
When authorization is enabled, the following methods are supported.
  • Implicitly accept any previously authenticated users, which requires no additional configuration.
  • Use an HTML authorization form. For this method, specify whether to use the default or custom form and the time allowed to submit the form. For a custom form, specify the location of the form and the TLS client profile to secure the connection to the remote server.

You can attach this policy to the REST API flow.

Properties

The following table lists the policy properties, indicates whether a property is required, specifies the valid and default values for input, and specifies the data type of the values.

Table 2. User Security policy properties
Property label Required Description Data type
Title No The title of the policy.

The default value is user-security.

 string
Description No A description of the policy. string
Factor ID No The identity that identifies the results of factor-authentication in the API context. string
Extract Identity Settings Yes Select the method that is used to extract the user credentials. The following options are available:
Basic
Use basic authentication; no additional configuration is required.
Context Variable
The credentials are provided by API Connect context variables; specify the following properties:
  • Username content variable: the context variable that is used to obtain the user name.
  • password context variable: the context variable that is used to obtain the password.
HTML Form
Use forms based identity-extraction. Select whether to use the default form or a custom form. For a custom form, specify the following properties:
  • Custom form endpoint: the location of the form.
  • Custom form TLS profile: the TLS client profile that is used to secure the connection to the remote server.

In the HTML form time limit field, specify the time allowed to submit the form.

Redirect
Use a redirect for identity-extraction; specify the following properties:
  • Redirect URL: the URL fragment to which to redirect the request to obtain user credentials.
  • Redirect time limit: the time allowed for the transaction to complete.
Disabled
Identity-extraction is disabled; this aspect of processing is skipped.

Select Stop on error to halt assembly processing in the event of identity-extraction failure.

 string
Authenticate User Settings Yes Select the authentication method. The following options are available:
Authentication URL
The credentials are authenticated by an external endpoint; specify the following properties:
  • Authentication URL: the URL of the authentication endpoint.
  • Authentication TLS profile: the TLS client profile that is used to secure the connection to the authentication endpoint.
  • Authentication response header pattern: the pattern that is used to select which response headers to add to the API context.
  • Authentication response header credential: the response header that contains the authenticated user credentials.
LDAP
The credentials are authenticated by an LDAP user registry; from the LDAP registry list, select the required registry.
Disabled
Authentication is disabled; this aspect of processing is skipped.

Select Stop on error to halt assembly processing in the event of authentication failure.

 string
Authorize User Settings Yes Select the authorization method. The following options are available:
authenticated
Implicitly accept any previously authenticated users; no additional configuration is required.
HTML Form
The user provides authorization through an HTML form. Select whether to use the default form or a custom form. For a custom form, specify the following properties:
  • Custom form endpoint: the location of the form.
  • Custom form TLS profile: the TLS client profile that is used to secure the connection to the remote server.

In the Dynamic table entries field, enter the name of a context variable that specifies the scopes that are to be added automatically to the authorization consent form.

In the HTML form time limit field, specify the time allowed to submit the form.

Disabled
Authorization is disabled; this aspect of processing is skipped.

Select Stop on error to halt assembly processing in the event of authorization failure.

 string