Client application authentication
You use service credentials to authenticate a client application when it calls a Content Analyzer service that is running in Business Automation Content Analyzer on Cloud.
Business Automation Content Analyzer on Cloud provides two options for authentication:
- User accounts: These accounts provide credentials that users enter to sign in to the cloud portal and its components. While client applications can also use the login credentials of user accounts, this practice is not recommended because user passwords and any applications that use them must be updated regularly.
- Service credentials: These accounts provide credentials for authenticating calling applications. They include an ID that is associated with a function, and a highly secure password. Because of its high security, the password does not require regular updates and is well suited for authenticating client applications.
Because service credentials are linked to functions, and not to real users, they do not have to be changed when a user leaves a project or a company. SAML users, who log in to the cloud portal through the login systems of their organizations, must use service credentials for applications that need to authenticate with the cloud.
Service credential basics
Service credentials comply with basic authentication. They use a functional ID for the user name, and a long, machine-generated password to foil brute-force attacks by hackers, for example:
- Functional ID: apiuser.fid@t4000
- Password: 8xcFS9OS60EGcvj0coppPDH9+/iBx9aDrjhD8zwn
When you create a set of service credentials, you enter an alias (for example, apiuser). The cloud service generates a functional ID from the alias by adding an extension that stands for functional ID (fid) and your instance of the cloud portal (t4000).
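The following is an added example, not code from the product documentation, of how a client application might turn a set of service credentials into a basic authentication header while refusing user account logins and non-TLS endpoints. It assumes that "basic authentication" means HTTP Basic (RFC 7617) and that functional IDs follow the `alias.fid@instance` shape of the sample above; the URL, the environment variable names, and the allowed character set are hypothetical.

```python
import base64
import os
import re
import urllib.request
from urllib.parse import urlsplit

# Shape inferred from the page's single example "apiuser.fid@t4000":
# <alias>.fid@<instance>. The allowed character set is an assumption.
FUNCTIONAL_ID_RE = re.compile(r"^(?P<alias>[A-Za-z0-9_-]+)\.fid@(?P<instance>[A-Za-z0-9]+)$")


def parse_functional_id(functional_id):
    """Split a functional ID into (alias, instance); reject anything else."""
    match = FUNCTIONAL_ID_RE.match(functional_id)
    if match is None:
        raise ValueError("not a functional ID; refusing to send a user account login")
    return match.group("alias"), match.group("instance")


def basic_auth_header(functional_id, password):
    """Build the HTTP Basic Authorization header value (RFC 7617)."""
    parse_functional_id(functional_id)  # raises on user accounts or malformed IDs
    if not password:
        raise ValueError("empty password")
    token = base64.b64encode(f"{functional_id}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def build_request(url, functional_id, password):
    """Prepare an authenticated request without sending it."""
    # Basic auth only encodes the password, so it must travel inside TLS.
    if urlsplit(url).scheme != "https":
        raise ValueError("Basic credentials must only be sent over https")
    request = urllib.request.Request(url)
    request.add_header("Authorization", basic_auth_header(functional_id, password))
    return request


if __name__ == "__main__":
    # Hypothetical variable names and placeholder URL; the secret stays out of source code.
    fid = os.environ["CA_FUNCTIONAL_ID"]
    req = build_request("https://content-analyzer.example.invalid/api",
                        fid, os.environ["CA_SERVICE_PASSWORD"])
    print(req.full_url, "prepared for", parse_functional_id(fid))
```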
Important points:
- Service credentials are only used to authenticate calling applications. They have no cloud role, and cannot be used by a user to log in to the cloud portal. If you try to log in by using service credentials, you get an error message: A functional user is not allowed to perform this operation.
- Only cloud portal administrators can create service credentials. The administrators give the service credentials to the developers of the client applications.
- You cannot update an existing set of service credentials. You must replace the set with another set.
- You cannot use the same alias in more than one set of service credentials. You must delete the first set before you can create another set that uses the same alias.
- When you delete a set of service credentials, the cloud portal no longer recognizes it. The client application needs a new set to connect to the cloud portal.