Outbound Auth - Message

Edit online

When the native API is protected and expects the authentication credentials to be passed through payload message, you can use this policy to provide the credentials that is added to the request and sent to the native API. webMethods API Gateway supports a wide range of authentication schemes, such as WSS Username, SAML, and Kerberos, in addition to signing and encryption at the message-level.

Note:
  • Message-level authentication can be used to secure outbound communication of only SOAP APIs.
  • If the WSDL used to create the SOAP API includes ws:Policy elements, the system considers those entries for outbound authentication. Otherwise, the specified parameters within the Outbound Auth - Message policy will take effect.
  • If the WSDL used to create the SOAP API contains ws:Policy elements and the Outbound Auth - Message policy is not specified, then the ws:Policy elements have no effect. The ws:Policy elements are not exposed when the WSDL is retrieved from webMethods API Gateway.
The table lists the properties that you can specify for this policy:
Property Description
Authentication scheme Select one of the following schemes for outbound authentication at the message level:
  • WSS username. Uses WSS credentials authenticate the client.
  • SAML. Uses SAML issuer configuration details for authentication.
  • Kerberos. Uses Kerberos credentials for authentication.
  • None. Authenticates the client without any authentication schemes.
  • Alias. Uses the configured alias name for authentication.
  • Remove WSS headers. Uses the WSS headers for authentication.
Authenticate using Select one of the following modes to authenticate the client:
  • Custom credentials. Uses the values specified in the policy to obtain the required token to access the native service.
  • Incoming HTTP Basic Auth credentials. Uses the incoming user credentials to retrieve the authentication token to access the native API
  • Delegate incoming credentials. Uses the values specified in the policy by the API providers to select whether to delegate the incoming token or act as a normal client.
WSS username Uses the WSS credentials to authenticate the client.
Provide the following credentials:
  • User Name. Specifies the user name.
  • Password. Specifies the password of the user.
Kerberos Uses the Kerberos credentials to authenticate the client.

Provide the following information:

  • Client principal. Provide a valid client LDAP user name.
  • Client password. Provide a valid password of the client LDAP user.
  • Service principal. Provide a valid SPN. The specified value is used by the client to obtain a service ticket from the KDC server.
  • Service Principal Name Form. The SPN type to use while authenticating an incoming client principal name. Select any of the following:
    • User name. Specifies the username form.
    • Hostbased. Specifies the host form.
SAML Provide the SAML issuer that is configured.
Signing Configurations Uses the signing configuration details to authenticate the client.

Provide the following information:

  • Keystore Alias. Specifies a user-specified text identifier for an webMethods API Gateway keystore. The alias points to a repository of private keys and their associated certificates.
  • Key Alias. Specifies the alias for the private key, which must be stored in the keystore specified by the keystore alias.
Encryption Configurations Uses the encryption configuration details to authenticate the client.

Provide the following information:

  • Truststore alias. Specifies the alias for the truststore. The truststore contains the trusted root certificate for the CA that signed the webMethods API Gateway certificate associated with the key alias.
  • Certificate alias. Provide a text identifier for the certificate associated with the truststore alias. webMethods API Gateway populates the certificate alias list with the certificate aliases from the selected truststore alias.
Alias Uses the configured alias to authenticate the client. Provide the name of the configured alias.
Stage Specify a stage, if you want the configuration to be applicable to a specific stage.

When you configure an API with an inbound authentication policy, and a client sends a request with credentials, webMethods API Gateway uses the credentials for the inbound authentication. When sending the request to native server, webMethods API Gateway removes the already authenticated credentials when no outbound authentication policy is configured.

If as an API provider you want to use the same credentials for authentication at both webMethods API Gateway and native server, you should configure the outbound authentication policy to pass the incoming credentials to the native service. If you do not configure an outbound authentication policy, webMethods API Gateway removes the incoming credentials, as it is meant for webMethods API Gateway authentication only.

However, when both the inbound authentication policy and outbound authentication policy are not configured, webMethods API Gateway just acts as a proxy and forwards the credentials to the native service. Since the credentials are not meant for webMethods API Gateway (as no inbound auth policy is configured), webMethods API Gateway forwards the credentials to native service (unless there are different settings configured in outbound authentication policy, for example, custom credentials or Anonymous).