Creating an External Authorization Server Alias
If you want an Integration Server functioning as a resource server to use a third-party server as the authorization server, you must create an external authorization server alias.
To create an external authorization server alias:
1. Open the Integration Server Administrator if it is not already open.
2. In the Security menu of the Navigational Panel, click OAuth.
3. Click Add External Authorization Server.
4. Under External Authorization Server Settings, provide the following information.
   Name: Alias for the external authorization server. The following characters are prohibited: ? [ ] / \ = + < > : ; " , * | ^ @

   Introspection Endpoint: The URL of the introspection endpoint for the external authorization server. Integration Server uses the introspection endpoint to determine if access tokens used in client requests are currently active.

   Client Id: The ID of the user account that Integration Server uses when sending requests to the introspection endpoint of the external authorization server.

   Client Secret: The password for the user account that Integration Server uses when sending requests to the introspection endpoint of the external authorization server.

   User: The Integration Server user account that Integration Server uses to execute the client request. If the client is requesting a service, this is the user account that Integration Server uses to execute the service, which occurs after Integration Server calls the introspection endpoint. If the client is requesting a file, this is the user account that Integration Server uses to access the file.
   The User value is used only if the introspection endpoint of the external authorization server indicates that the access token is currently active.
   Click to search for and select your user. A user can be selected from the local or central directory.

   Keystore Alias (Optional): The alias of the keystore on Integration Server that holds the digital certificate that Integration Server sends to the external authorization server during the mutual (two-way) SSL handshake. You need to select a keystore alias only when the client account on the external authorization server is configured to use mutual (two-way) SSL.

   Key Alias (Optional): The alias of the Integration Server private key and associated digital certificate that Integration Server sends to the external authorization server during the mutual (two-way) SSL handshake. You need to select a key alias only when the client account on the external authorization server is configured to use mutual (two-way) SSL.

   Truststore Alias (Optional): The alias of the truststore on Integration Server that holds the Certificate Authority (CA) certificate of the external authorization server. You need to select a truststore alias only when all of the following are true:
   * The client account on the external authorization server is configured to use mutual (two-way) SSL, and
   * The authorization server's Certificate Authority certificate is not in the set of well-known authorities trusted by the JVM in which Integration Server runs, and
   * The watt.security.cert.wmChainVerifier.trustByDefault property is set to false.

   Default Scope: Default scope that takes effect when no scope is explicitly stated in the response from the external authorization server's introspection endpoint. Enter the scope values in this field exactly as they are defined on the external authorization server.
   When responses from an external authorization server's introspection endpoint do not return a scope value and a Default Scope is not specified, Integration Server considers requests bearing the access token from the authorization server to be out of scope and rejects the requests with a 401 response.
5. Click Save.
Integration Server Administrator displays the new external authorization server alias under External Authorization Servers on the Security > OAuth page.
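
The following sketch models how the alias fields interact when a request arrives: the introspection call made with the Client Id and Client Secret, the active check, the Default Scope fallback, and the User applied only after an active result. It is an added example, not Integration Server code. It assumes an RFC 7662 style endpoint with HTTP Basic client authentication, a space-delimited scope string, a single required scope name, and a 401 for any out-of-scope token; all names and values in it are constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed alias settings mirroring the fields described in step 4.
ALIAS = {
    "introspection_endpoint": "https://as.example.com/oauth2/introspect",
    "client_id": "is-resource-server",
    "client_secret": "PLACEHOLDER-SECRET",
    "user": "svcOrders",
    "default_scope": "orders.read",
}


def build_introspection_request(alias, token):
    """Build (without sending) the RFC 7662 POST; HTTP Basic auth is assumed."""
    pair = f"{alias['client_id']}:{alias['client_secret']}".encode()
    return urllib.request.Request(
        alias["introspection_endpoint"],
        data=urllib.parse.urlencode({"token": token}).encode(),
        method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(pair).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def authorize(alias, introspection_body, required_scope):
    """Return (200, run-as user) or (401, reason) for one client request."""
    try:
        resp = json.loads(introspection_body)
    except ValueError:
        return 401, "unparseable introspection response"
    if not isinstance(resp, dict) or resp.get("active") is not True:
        return 401, "token not active"
    scope = resp.get("scope")
    if not isinstance(scope, str) or not scope.strip():
        scope = alias.get("default_scope") or ""  # Default Scope fallback
    granted = set(scope.split())
    if not granted:
        return 401, "no scope in response and no Default Scope"
    if required_scope not in granted:
        return 401, "out of scope"  # assumed to match the page's 401
    return 200, alias["user"]  # User applies only after an active result


if __name__ == "__main__":
    # Constructed introspection response with no scope member.
    print(authorize(ALIAS, '{"active": true}', "orders.read"))
```

Leaving Default Scope empty turns every scope-less introspection response into a rejection, while setting it grants that scope to every active token whose response omits one, so the value should be the narrowest scope those tokens legitimately need.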