API Gateway 10.5 | Using API Gateway | Policies | System-defined Stages and Policies | Routing | Outbound Authentication - Message
 
Outbound Authentication - Message
When the native API is protected and expects the authentication credentials to be passed through payload message, you can use this policy to provide the credentials that is added to the request and sent to the native API. API Gateway supports a wide range of authentication schemes, such as WSS Username, SAML, and Kerberos, in addition to signing and encryption at the message-level.
Note:
Message-level authentication can be used to secure outbound communication of only SOAP APIs.
The table lists the properties that you can specify for this policy:
Parameter
Description
Authentication scheme
Select one of the following schemes for outbound authentication at the message level:
*WSS username. Uses WSS credentials authenticate the client.
*SAML. Uses SAML issuer configuration details for authentication.
*Kerberos. Uses Kerberos credentials for authentication.
*None. Authenticates the client without any authentication schemes.
*Alias. Uses the configured alias name for authentication.
*Remove WSS headers. Uses the WSS headers for authentication.
Authenticate using
Select one of the following modes to authenticate the client:
*Custom credentials. Uses the values specified in the policy to obtain the required token to access the native service.
*Incoming HTTP Basic Auth credentials. Uses the incoming user credentials to retrieve the authentication token to access the native API
*Delegate incoming credentials. Uses the values specified in the policy by the API providers to select whether to delegate the incoming token or act as a normal client.
WSS username
Uses the WSS credentials to authenticate the client.
Provide the following credentials:
*User Name. Specifies the user name.
*Password. Specifies the password of the user.
Kerberos
Uses the Kerberos credentials to authenticate the client.
Provide the following information:
*Client principal. Provide a valid client LDAP user name.
*Client password. Provide a valid password of the client LDAP user.
*Service principal. Provide a valid SPN. The specified value is used by the client to obtain a service ticket from the KDC server.
*Service Principal Name Form. The SPN type to use while authenticating an incoming client principal name. Select any of the following:
*User name. Specifies the username form.
*Hostbased. Specifies the host form.
SAML
Provide the SAML issuer that is configured.
Signing and Encryption Configurations
Uses the signing and encryption configuration details to authenticate the client.
Provide the following information:
*Keystore Alias. Specifies a user-specified text identifier for an API Gateway keystore. The alias points to a repository of private keys and their associated certificates.
*Key Alias. Specifies the alias for the private key, which must be stored in the keystore specified by the keystore alias.
*Truststore alias. Specifies the alias for the truststore. The truststore contains the trusted root certificate for the CA that signed the API Gateway certificate associated with the key alias.
*Certificate alias. Provide a text identifier for the certificate associated with the truststore alias. API Gateway populates the certificate alias list with the certificate aliases from the selected truststore alias.
Alias
Uses the Kerberos credentials to authenticate the client. Provide the name of the configured alias.
When you configure an API with an inbound authentication policy, and a client sends a request with credentials, API Gateway uses the credentials for the inbound authentication. When sending the request to native server, API Gateway removes the already authenticated credentials when no outbound authentication policy is configured.
If as an API provider you want to use the same credentials for authentication at both API Gateway and native server, you should configure the outbound authentication policy to pass the incoming credentials to the native service. If you do not configure an outbound authentication policy, API Gateway removes the incoming credentials, as it is meant for API Gateway authentication only.
However, when both the inbound authentication policy and outbound authentication policy are not configured, API Gateway just acts as a proxy and forwards the credentials to the native service. Since the credentials are not meant for API Gateway (as no inbound auth policy is configured), API Gateway forwards the credentials to native service (unless there are different settings configured in outbound authentication policy, for example, custom credentials or Anonymous).