Parameter | Description |
Condition | Specifies the condition operator for the identification and authentication types. Select any of the following condition operators: AND. Applies all the identification and authentication types. OR. Applies one of the selected identification and authentication types. Note: Even though this policy provides the option of choosing an AND or OR operation between the different identification and authentication types, the operation across the different policies in the IAM stage is always AND. For example, configuring the Identify and Authorize Application policy with API Key and the Inbound Authentication - Transport policy with HTTP Basic Authentication using an OR operation is not supported. |
Allow anonymous | Specifies whether to allow all users to access the API without restriction. When you add a security policy and configure Allow anonymous, all requests are allowed to pass through to the native API, but the successfully identified requests are grouped under the respective identified application, and all unidentified requests are grouped under a common application named unknown. While you allow all requests to pass through you can perform all application-specific actions, such as, viewing the runtime events for a particular application, monitor the service level agreement for a few applications and send an alert email based on some criteria like request count or availability, and throttle the requests from a particular application and not allow the request from that application if the number of requests reach the configured hard limit within configured period of time. |
Identification Type. Specifies the identification type. You can select any of the following. | |
API Key | Specifies using the API key to identify and validate the client's API key to verify the client's identity in the registered list of applications for the specified API. |
Hostname Address | Specifies using host name address to identify the client, extract the client's hostname from the HTTP request header and verify the client's identity in the specified list of applications in API Gateway. Select one of the Application Lookup condition: Registered applications. Tries to verify the client's hostname against a list of registered applications for the specified API. Global applications. Tries to verify the client's hostname against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. Note: If JMS is selected as the entry protocol policy, extract the client's hostname from the X-Forwarded-For JMS message property. |
HTTP Basic Authentication | Specifies using Authorization Header in the request to identify and authorize the client application against the list of applications with the identifier username in API Gateway. Provide the following information: Select one of the Application Lookup condition: Registered applications. Tries to verify the client's credentials against the list of registered applications for the specified API. Global applications. Tries to verify the client's credentials against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. Note: You can use the username for further processing using the request transformation policy. |
IP Address Range | Specifies using the IP address range to identify the client, extract the client's IP address from the HTTP request header, and verify the client's identity against the specified list of applications in API Gateway. Select one of the Application Lookup condition: Registered applications. Tries to verify the client's credentials against a list of registered applications for the specified API. Global applications. Tries to verify the client's credentials against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. Note: If JMS is selected as the entry protocol policy, extract the client's IP address from the X-Forwarded-For JMS message property. |
JWT | Specifies using the JSON Web Token (JWT) to identify the client, extract the claims from the JWT and validate the client's claims, and verify the client's identity against the specified list of applications in API Gateway. Select one of the Application Lookup condition: Registered applications. Tries to verify the JWT against a list of registered applications for the specified API. Global applications. Tries to verify the JWT against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. Note: You can use the claims in the JWT for further processing using request transformation policy. |
Kerberos Token | Specifies using the Kerberos token to identify the client, extract the client's credentials from the Kerberos token, and verify the client's identity against the specified list of applications in API Gateway. Note: You have to enforce the Inbound Authentication - Message policy with the property, Kerberos Token Authentication, configured, so when Identify and Authorize Application policy is executed, the user details fetched are used to match with application's data to identify the application. Select one of the Application Lookup condition: Registered applications. Tries to verify the Kerberos token against a list of registered applications for the specified API. Global applications. Tries to verify the Kerberos token against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. Note: You can use the username for further processing using the request transformation policy. |
OAuth2 Token | Specifies using the OAuth2 token to identify the client, extract the client's credentials from the HTTP request header, and verify the client's identity against the specified list of applications in API Gateway. Note: You can use the client id and other parameters for further processing using the request transformation policy. |
OpenID Connect | Specifies using the OpenID (ID) token to identify the client, extract the client's credentials from the ID token, and verify the client's identity against the specified list of applications in API Gateway. Select one of the Application Lookup condition: Registered applications. Tries to verify the ID token against a list of registered applications for the specified API. Global applications. Tries to verify the ID token against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. Note: You can use the client id and other parameters for further processing using the request transformation policy. |
SSL Certificate | Specifies using the SSL certificate to identify the client, extract the client's identity certificate, and verify the client's identity (certificate-based authentication) against the specified list of applications in API Gateway. The client certificate that is used to identify the client is supplied by the client to API Gateway during the SSL handshake over the transport layer or is added in the header of the request. The certificate passed in the header should be Base64Encoded or the certificate chain passed in the header should be Base64Encoded .pem format. If the transport protocol is HTTP then API Gateway checks for the existence of a header and fetches the certificate from the certificate header. If the certificate is coming from the custom header, then API Gateway does not check the validity of the certificate. API Gateway identifies the application using the certificate. The certificate should be validated by some external entity before sending it to API Gateway in a custom header. If the transport protocol is HTTPS then API Gateway first tries to identify the application based on the certificate exposed by the client during the SSL handshake. If there is no client certificate or the identification based on the client certificate fails API Gateway tries to identify based on the certificate provided in the header. The header name is customizable and can be customized in the extended settings property, customCertificateHeader, the default value being X-Client-Cert. Select one of the Application Lookup condition: Registered applications. Tries to verify the client certificate against a list of registered applications for the specified API. Global applications. Tries to verify the client certificate against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. |
WS Security Username Token | This is applicable only for SOAP APIs. Specifies using the WS security username token to identify the application, extract the client's credentials (username token and password) from the WSSecurity SOAP message header, and verify the client's identity against the specified list of applications in API Gateway. Note: You have to enforce the Inbound Authentication - Message policy with the property, Require WSS Username token, configured, so when Identify and Authorize Application policy is executed, the user details fetched are used to match with application's data to identify the application. Select one of the Application Lookup condition: Registered applications. Tries to verify the client's WSS username token against a list of registered applications for the specified API. Global applications. Tries to verify the client's WSS username token against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. Note: You can use the username for further processing using the request transformation policy. |
WS Security X.509 Certificate | This is applicable only for SOAP APIs. Specifies using the WS security X.509 certificate to identify the client, extract the client identity certificate from the WS-Security SOAP message header, and verify the client's identity against the specified list of applications inAPI Gateway. Note: You have to enforce the Inbound Authentication - Message policy with the property, Require X.509 Certificate, configured, so when Identify and Authorize Application policy is executed, the user details fetched are used to match with application's data to identify the application. Select one of the Application Lookup condition: Registered applications. Tries to verify the client's X.509 certificate against a list of registered applications for the specified API. Global applications. Tries to verify the client's X.509 certificate against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. |
Payload Element | Specifies using the payload identifier to identify the client, extract the custom authentication credentials supplied in the request represented using the payload identifier, and verify the client's identity against the specified list of applications in API Gateway. Select one of the Application Lookup condition: Registered applications. Tries to verify the client's OAuth access token against a list of registered applications for the specified API. Global applications. Tries to verify the client's identify credentials against a list of all global applications available in API Gateway. Global applications and DefaultApplication. Tries to identify an application. If the application is not identified, API Gateway sets this application to DefaultApplication and forwards the request to the native service. In the Payload identifier section, click Add payload identifier, provide the following information, and click Add. Expression type: Specifies the type of expression, which is used for identification. You can select one the following expression type: XPath. Provide the following information: Payload Expression. Specifies the payload expression that the specified expression type in the request has to be converted to. For example: /name/id Namespace Prefix. The namespace prefix of the payload expression to be validated. Namespace URI. The namespace URI of the payload expression to be validated. Note: You can add multiple namespace prefix and URI by clicking . JSONPath. Provide the JSONPath for the payload identification. For example, $.name.id Text. Provide the regular expression for the payload identification. For example, any valid regular expression. You can add multiple payload identifiers as required. Note: Only one payload identifier of each type is allowed. For example, you can add a maximum of three payload identifiers, each being of a different type. |