API Gateway 10.11 | Using API Gateway | Policies | System-defined Stages and Policies | Identify and Access
 
Identify and Access
 
Inbound Auth - Message
Authorize User
Identify & Authorize
The policies in this stage provide different ways of identifying and authorizing the application, and provide the required access rights for the application. The policies included in this stage are:
*Inbound Auth - Message
*Authorize User
*Identify & Authorize
*Custom Extension
The Inbound authentication policies are used to authenticate the application by specifying user-based SPN or host-based SPN for a Kerberos token, using the basic credentials for the HTTP basic authentication or through various token assertions or through the XML security actions.
The Authorize User policy authorizes the application against a list of users and a list of groups registered in API Gateway.
The Identify & Authorize policy is used to identify the application, authenticate the request based on policy configured and authorizes it against all applications registered in API Gateway.
Custom Extension policies allow you to handle requirements that might not be provided by the out-of-the-box policies. You can add these custom extensions into API Gateway policy stages. To learn more about Custom Extension, see Custom Policy Extension.
Note:
From API Gateway 10.3, the Identification and Authentication policies are merged into one and you would not be able to do identification alone for Basic Authentication. You must provide the right credentials for a successful invoke.