Separate REST API channel access
Where possible, separate REST API client access from traditional browser channel client access. Keeping the two kinds of client on different channels lets you apply configuration options that suit one without conflicting with the other, because settings appropriate for a browser session are often wrong for an API client and vice versa.
If possible, expose a separate reverse proxy instance for REST clients. At a minimum, create a junction that is separate from the default /mga junction and gives access to the /apiauthsvc endpoint. Example junction settings are as follows:
- Junction Point Name: /mgaapi
- Stateful Junction: true/enabled
- Junction type: SSL
- Servers: the host and port on which the Advanced Access Control (AAC) runtime is listening. If the reverse proxy and AAC are co-located on the same appliance, localhost:443 can be used.
- HTTP Basic Authentication Header: Filter
- HTTP Header Identity information: 'IVUSER', 'IVGROUPS', 'IVCREDS'
- HTTP Header Encoding: UTF8 URI Encoded
- Insert client IP address: true/enabled
Access control lists (ACLs) are created when the isamcfg utility is run, and all of them are prefixed with "isam_mobile". To allow unauthenticated access to the /apiauthsvc endpoint, attach the "isam_mobile_rest_unauth" ACL to the protected object /WebSEAL/<instance name>/mgaapi/sps/apiauthsvc. To require an authenticated session instead, attach the "isam_mobile_rest" ACL. Which ACL is correct depends on the state from which the authentication policy is triggered: use "isam_mobile_rest" when the policy is invoked against an already authenticated session, and "isam_mobile_rest_unauth" only when clients must start the policy from an unauthenticated state. In most cases, require authenticated access unless unauthenticated access is actually needed.
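The following script is an added example and is not part of the original documentation. It emits the pdadmin commands that create the /mgaapi junction with the settings listed above and attach the appropriate isam_mobile ACL to the /apiauthsvc protected object, so the two steps can be reviewed before they are run. The instance name (default), WebSEAL host (isam.example.com), AAC location (localhost:443) and the "unauth"/"auth" mode argument are assumptions for illustration; the pdadmin flags (-t, -s, -b, -c, -e, -r) correspond to the junction settings in the list above.

```shell
#!/bin/sh
# Added example, not from the original page: generate pdadmin commands for
# the separate REST API junction and its /apiauthsvc ACL.
#
# Usage: ./mgaapi_junction.sh [instance] [webseal-host] [aac-host] [aac-port] [unauth|auth]
# The output is intended to be fed to pdadmin, for example:
#   pdadmin -a sec_master -p "$PD_PASSWORD" < cmds.pdadmin
# (Default values below are assumptions for illustration.)

# Build the "server task ... create" command for the /mgaapi junction.
# Flag mapping to the documented settings:
#   -t ssl                          junction type: SSL
#   -s                              stateful junction
#   -b filter                       HTTP Basic Authentication header: filter
#   -c iv_user,iv_groups,iv_creds   HTTP header identity information
#   -e utf8_uri                     HTTP header encoding: UTF8 URI encoded
#   -r                              insert client IP address
junction_create_cmd() {
    instance="$1"; webseal_host="$2"; aac_host="$3"; aac_port="$4"
    printf 'server task %s-webseald-%s create -t ssl -h %s -p %s -s -b filter -c iv_user,iv_groups,iv_creds -e utf8_uri -r /mgaapi\n' \
        "$instance" "$webseal_host" "$aac_host" "$aac_port"
}

# Pick the ACL for /apiauthsvc: the unauthenticated ACL only when the
# authentication policy is triggered from an unauthenticated state,
# otherwise the authenticated isam_mobile_rest ACL.
apiauthsvc_acl() {
    case "$1" in
        unauth) echo isam_mobile_rest_unauth ;;
        auth)   echo isam_mobile_rest ;;
        *)      echo "apiauthsvc_acl: mode must be 'unauth' or 'auth', got '$1'" >&2; return 1 ;;
    esac
}

# Build the "acl attach" command for the /apiauthsvc protected object
# under the new junction. Fails on an unknown mode rather than emitting
# a command that would attach the wrong ACL.
acl_attach_cmd() {
    instance="$1"; mode="$2"
    acl=$(apiauthsvc_acl "$mode") || return 1
    printf 'acl attach /WebSEAL/%s/mgaapi/sps/apiauthsvc %s\n' "$instance" "$acl"
}

# Emit the full command sequence, followed by show/find commands so the
# result of the pdadmin run can be checked.
emit_all() {
    junction_create_cmd "$1" "$2" "$3" "$4"
    acl_attach_cmd "$1" "$5" || return 1
    printf 'server task %s-webseald-%s show /mgaapi\n' "$1" "$2"
    printf 'acl find %s\n' "$(apiauthsvc_acl "$5")"
}

# Stand-alone run with assumed defaults (override via positional arguments).
emit_all "${1:-default}" "${2:-isam.example.com}" "${3:-localhost}" "${4:-443}" "${5:-unauth}"
```

Review the generated commands against your deployment before feeding them to pdadmin: in particular, confirm that the server name (instance-webseald-host) and the /WebSEAL object space path match the reverse proxy instance you are configuring, and rerun with "auth" if the policy is to be triggered from an already authenticated session.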