Web-app Configuration Properties
These properties are not cluster-aware, so you must manually copy them to all the nodes.
General properties
Location: SAG_root/profiles/IS_IS_Instance_Name/apigateway/config/uiconfiguration.properties
apigw.auth.priority
API Gateway supports both Form-based and SAML-based authentication. If both are enabled, this property decides which login page is displayed by default when a user visits http://host:port/apigatewayui. A user can go to a specific login page using:
Form: http://host:port/apigatewayui/login
SAML: http://host:port/apigatewayui/saml/sso/login
Available values: Form, SAML.
Default value is Form.
apigw.auth.form.enabled
This property enables or disables Form-based authentication. If both SAML-based and Form-based authentication are disabled, Form-based authentication is retained by default.
Available values: true, false.
Default value is true.
apigw.auth.form.redirect
If a protected resource is accessed and Form-based authentication is enabled, the user is redirected to this page.
Default value is /login.
apigw.is.base.url
The host where the Integration Server (IS) package is hosted. localhost is replaced by the hostname that is resolved through localhost.
Note:
The port changes to the default port of the Integration Server instance irrespective of HTTP or HTTPS.
Default value is http://localhost:port. Here, port denotes the port that is configured at the time of installation.
apigw.user.lang.default
This property denotes the language to be used in the API Gateway UI.
Default value is en (English).
apigw.is.timeout
This property denotes the user session timeout value in minutes.
Default value is 90.
SAML SSO properties
API Gateway user interface supports the following SAML values:
Profile: Web Browser SSO
Protocol: SAML Auth Request
Binding: HTTP Post
The value sent in the NameID is used as the logged-in user ID. In the absence of a NameID, the attribute value with the http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn namespace is used for the user ID.
The attribute value with http://schemas.microsoft.com/ws/2008/06/identity/claims/role or http://schemas.xmlsoap.org/claims/Group can be used to pass the roles. These roles can be one or more roles supported by API Gateway.
An alternative option is to send any roles and map those roles to one of the API Gateway roles. The mapping must be done in the saml_groups_mapping.xml file located at SAG_root/IntegrationServer/instances/IS_Instance_Name/packages/WmAPIGateway/config/resources/. The format is <group source="Some Role" target="API Gateway Role" />. Example: <group source="API Managers" target="API-Gateway-Providers" />.
You must then configure the SAG_root/IntegrationServer/instances/IS_Instance_Name/config/is_jaas.cnf file by replacing com.wm.app.b2b.server.auth.jaas.SamlOSGiLoginModule requisite; with com.softwareag.apigateway.auth.saml.APIGatewaySamlLoginModule requisite; and save the changes.
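The user-id and role resolution described above (NameID first, then the UPN claim; role/Group attribute values passed through or translated via a saml_groups_mapping.xml-style mapping), as an added illustration that is not API Gateway's own code. The assertion, the mapping and the set of recognised gateway roles are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE_CLAIMS = (
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    "http://schemas.xmlsoap.org/claims/Group",
)
# Constructed: the gateway roles this example treats as known.
GATEWAY_ROLES = {"API-Gateway-Providers", "API-Gateway-Administrators"}

# Constructed sample assertion: has a NameID and two role values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>API Managers</saml:AttributeValue>
      <saml:AttributeValue>Unknown Team</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Constructed mapping in the saml_groups_mapping.xml format shown above.
SAMPLE_MAPPING = '<groups><group source="API Managers" target="API-Gateway-Providers" /></groups>'

def _attr_values(root, name):
    """All AttributeValue texts for the attribute called `name`."""
    return [v.text.strip() for v in root.findall(
        f".//saml:Attribute[@Name='{name}']/saml:AttributeValue", NS) if v.text]

def resolve_user(assertion_xml):
    """Login id: NameID if present, else the UPN claim, else None."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text and name_id.text.strip():
        return name_id.text.strip()
    upn = _attr_values(root, UPN_CLAIM)
    return upn[0] if upn else None

def load_group_mapping(mapping_xml):
    """Parse <group source=... target=.../> entries into a source->target dict."""
    return {g.get("source"): g.get("target") for g in ET.fromstring(mapping_xml).iter("group")}

def resolve_roles(assertion_xml, mapping):
    """Keep role/Group values that already are gateway roles, map the others,
    and drop values that resolve to no known gateway role."""
    root = ET.fromstring(assertion_xml)
    roles = set()
    for claim in ROLE_CLAIMS:
        for value in _attr_values(root, claim):
            target = value if value in GATEWAY_ROLES else mapping.get(value)
            if target in GATEWAY_ROLES:
                roles.add(target)
    return sorted(roles)
```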
Configure the following properties, located at SAG_root/profiles/IS_IS_Instance_Name/apigateway/config/uiconfiguration.properties, to enable the SAML based SSO.
apigw.auth.saml.enabled
This property enables or disables SAML-based authentication.
Available values: true, false.
Default value is false.
apigw.auth.saml.redirect
Denotes the location of the keystore. A keystore with self-signed certificates is shipped at SAG_root/profiles/IS_IS_Instance_Name/apigateway/config/keystore/saml_sso.jks. The keystore has 3 certificates with the following aliases:
sign: the password is signapigw
encrypt: the password is encryptapigw
default: the password is defaultapigw
The password for the keystore is apigwstore.
Default value is None.
apigw.auth.saml.keystore.type
Denotes the keystore type.
Available values: JKS, PKCS12.
Default value is JKS.
apigw.auth.saml.keystore.pwd
Denotes the keystore password. On starting the web-app, this password is moved to the passman secure store located at SAG_root/profiles/IS_IS_Instance_Name/apigateway/config/passman, and a handle to it is stored as the value of this property. Tampering with the handle results in exceptions.
Default value is None.
apigw.auth.saml.signkey.alias
This is the certificate alias used for signing the SAML authentication request.
Default value is None.
apigw.auth.saml.signkey.pwd
Denotes the password for the signing certificate alias. On starting the web-app, this password is moved to the passman secure store, and a handle to it is stored as the value of this property. Tampering with the handle results in exceptions.
Default value is None.
apigw.auth.saml.encrypkey.alias
Denotes the certificate alias to be used for encrypting the SAML authentication request.
Default value is None.
apigw.auth.saml.encrypkey.pwd
Denotes the password for the certificate alias used for encrypting the SAML authentication request. On starting the web-app, this password is moved to the passman secure store, and a handle to it is stored as the value of this property. Tampering with the handle results in exceptions.
Default value is None.
apigw.auth.saml.defaultkey.alias
This alias is used for signing and encryption when the signing and encryption aliases are not configured.
Default value is None.
apigw.auth.saml.defaultkey.pwd
Denotes the password for the default key alias. On starting the web-app, this password is moved to the passman secure store, and a handle to it is stored as the value of this property. Tampering with the handle results in exceptions.
Default value is None.
apigw.auth.saml.authreq.signed
Denotes whether the SAML authentication request is sent signed.
Available values: true, false.
Default value is true.
apigw.auth.saml.assertion.signed
Denotes whether the IDP is expected to send a signed assertion.
Available values: true, false.
Default value is true.
apigw.auth.saml.sp.id
Denotes the service provider identity, which is sent as part of the SAML authentication request.
Default value is the host name of localhost.
apigw.auth.saml.idp.metadata.url
Denotes the file URL of the IDP metadata. Consult your IDP documentation on how to generate it.
Default value is None.
apigw.auth.saml.sp.metadata.url
Denotes the file URL of the Gateway metadata. You can get the content from http://host:port/apigatewayui/saml/sso/metadata.
Default value is None.
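A review pass over the SAML SSO properties described above, as an added example that is not part of the product: it parses a uiconfiguration.properties fragment, applies the documented defaults, resolves the signing and encryption aliases with the defaultkey fallback, and lists settings a reviewer would want to confirm. The properties text is constructed sample input.

```python
# Documented defaults for the properties this check consults.
DEFAULTS = {
    "apigw.auth.form.enabled": "true",
    "apigw.auth.saml.enabled": "false",
    "apigw.auth.saml.authreq.signed": "true",
    "apigw.auth.saml.assertion.signed": "true",
}

# Constructed sample: SAML enabled, signing alias left empty, assertions not required signed.
SAMPLE_PROPERTIES = """\
apigw.auth.form.enabled=true
apigw.auth.saml.enabled=true
apigw.auth.saml.keystore.type=JKS
apigw.auth.saml.signkey.alias=
apigw.auth.saml.encrypkey.alias=encrypt
apigw.auth.saml.defaultkey.alias=default
apigw.auth.saml.authreq.signed=true
apigw.auth.saml.assertion.signed=false
apigw.auth.saml.sp.id=gateway.example.com
"""

def parse_properties(text):
    """Minimal key=value parser: skips blank lines and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def is_true(props, key):
    return props.get(key, DEFAULTS.get(key, "")).lower() == "true"

def resolve_aliases(props):
    """Signing/encryption aliases fall back to defaultkey.alias when unset (None if neither is set)."""
    default = props.get("apigw.auth.saml.defaultkey.alias") or None
    return {"sign": props.get("apigw.auth.saml.signkey.alias") or default,
            "encrypt": props.get("apigw.auth.saml.encrypkey.alias") or default}

def review(props):
    """Return human-readable findings about the authentication configuration."""
    findings = []
    if is_true(props, "apigw.auth.saml.enabled"):
        if not is_true(props, "apigw.auth.saml.assertion.signed"):
            findings.append("assertion.signed=false: signed assertions are not required from the IDP")
        if not is_true(props, "apigw.auth.saml.authreq.signed"):
            findings.append("authreq.signed=false: authentication requests are sent unsigned")
        for use, alias in resolve_aliases(props).items():
            if alias is None:
                findings.append(f"no {use} alias and no defaultkey alias configured")
            elif alias == props.get("apigw.auth.saml.defaultkey.alias"):
                findings.append(f"{use} falls back to defaultkey alias '{alias}'")
    if not is_true(props, "apigw.auth.form.enabled") and not is_true(props, "apigw.auth.saml.enabled"):
        findings.append("both Form and SAML disabled: Form is retained by default")
    return findings
```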
Kibana
Location: SAG_root/profiles/IS_IS_Instance_Name/apigateway/config/uiconfiguration.properties
apigw.kibana.autostart
Decides whether Kibana should be started as part of the web-app.
Available values: true, false.
Default value is true.
apigw.kibana.url
Denotes the URL where Kibana is running. localhost is replaced by the hostname that is resolved through localhost. The port and other configuration of Kibana can be changed in SAG_root/profiles/IS_IS_Instance_Name/apigateway/kibana-4.5.1/config/kibana.yml.
Default value is http://localhost:9405.
apigw.es.url
Denotes the URL where Internal Data Store (HTTP) is running. localhost is replaced by the hostname that is resolved through localhost.
Default value is http://localhost:port. Here, port denotes the Internal Data Store HTTP port configured during installation.
Note:
If the configured host resolves to the host name of the localhost, the port changes to the HTTP port configured in the SAG_root/InternalDataStore/config/elasticsearch.yml file.