Outbound Auth - Transport

Edit online

When the native API is protected and expects the authentication credentials to be passed through transport headers, you can use this policy to provide the credentials that will be added to the request and sent to the native API. API Gateway supports a wide range of authentication schemes, such as Basic Authentication, Kerberos, NTLM, and OAuth, at the transport-level.

Note: Transport-level authentication can be used to secure inbound communication of both the SOAP APIs and the REST APIs.
The table lists the properties that you can specify for this policy:
Property Description
Authentication scheme Select one of the following schemes for outbound authentication at the transport level:
  • Basic. Uses basic HTTP authentication details to authenticate the client.
  • Kerberos. Uses Kerberos credentials for authentication.
  • NTLM. Uses NTLM configuration for authentication.
  • OAuth2. Uses OAuth token details to authenticate the client.
  • JWT. Uses JSON web token details to authenticate the client.
  • Anonymous. Authenticates the client without any credentials.
  • Alias. Uses the configured alias name for authentication.
Authenticate using Select one of the following modes to authenticate the client:
  • Custom credentials. Uses the values specified in the policy to obtain the required token to access the native API.
  • Delegate incoming credentials. Uses the values specified in the policy by the API providers to select whether to delegate the incoming token or act as a normal client.
  • Incoming HTTP Basic Auth credentials. Uses the incoming user credentials to retrieve the authentication token to access the native API.
  • Incoming kerberos credentials. Uses the incoming kerberos credentials to access the native API.
  • Incoming OAuth token. Uses the incoming OAuth2 token to access the native API.
  • Incoming JWT. Uses the incoming JSON Web Token (JWT) to access the native API.
  • Transparent. Enables NTLM handshake between client and native API. API Gateway does not perform any authentication before passing the incoming requests to native API. It simply passes the incoming credentials to native API. The NTLM authentication happens at the native API.
Basic Uses the HTTP authentication details to authenticate the client.
API Gateway supports the following modes of HTTP authentication:
  • Custom credentials
  • Incoming HTTP Basic Auth credentials
Provide the following credentials:
  • User Name. Specifies the user name.
  • Password. Specifies the password of the user.
  • Domain . Specifies the domain in which the user resides.
Kerberos Uses the Kerberos credentials to authenticate the client.
API Gateway supports the following modes of Kerberos authentication:
  • Custom credentials
  • Delegate incoming credentials
  • Incoming HTTP basic auth credentials
  • Incoming kerberos credentials

Provide the following credentials:

  • Client principal. Provide a valid client LDAP user name.
  • Client password. Provide a valid password of the client LDAP user.
  • Service principal. Provide a valid SPN. The specified value is used by the client to obtain a service ticket from the KDC server.
  • Service Principal Name Form. The SPN type to use while authenticating an incoming client principal name. Select any of the following:
    • User name. Specifies the username form.
    • Hostbased. Specifies the host form.
NTLM Uses the NTLM credentials to authenticate the client.
API Gateway supports the following modes of NTLM authentication:
  • Custom credentials
  • Incoming HTTP basic auth credentials
  • Transparent
Provide the following credentials:
  • User Name. Specifies the user name.
  • Password. Specifies the password of the user.
  • Domain . Specifies the domain in which the user resides.
OAuth2 Uses the OAuth2 token to authenticate the client.
API Gateway supports the following modes of NTLM authentication:
  • Custom credentials
  • Incoming OAuth token

OAuth2 token. Specifies the client's OAuth2 token.

JWT Uses the JSON Web Token (JWT) to authenticate the client.

If the native API is enforced to use JWT for authenticating the client, then API Gateway enforces the need for a valid JWT in the outbound request while accessing the native API.

API Gateway supports the Incoming JWT mode of JWT authentication.

Alias Uses the configured alias to authenticate the client. Provide the name of the configured alias.

When you configure an API with an inbound authentication policy, and a client sends a request with credentials, API Gateway uses the credentials for the inbound authentication. When sending the request to native server, API Gateway removes the already authenticated credentials when no outbound authentication policy is configured.

If as an API provider you want to use the same credentials for authentication at both API Gateway and native server, you should configure the outbound authentication policy to pass the incoming credentials to the native service. If you do not configure an outbound authentication policy, API Gateway removes the incoming credentials, as it is meant for API Gateway authentication only.

However, when both the inbound authentication policy and outbound authentication policy are not configured, API Gateway just acts as a proxy and forwards the credentials to the native service. Since the credentials are not meant for API Gateway (as no inbound auth policy is configured), API Gateway forwards the credentials to native service (unless there are different settings configured in outbound authentication policy, for example, custom credentials or Anonymous).