Microgateway 10.5 | webMethods Microgateway Help | Policies | Identify and Access | Identify and Authorize Application
 
Identify and Authorize Application
 
Application Synchronization to support Identity and Access Management Policy
This policy authorizes and allows the client applications to access APIs depending on the identification type specified to validate the client credentials.
The table lists the parameters of this policy and how Microgateway applies them to validate the client credentials and authorize the client application to access the APIs.
Parameter
Description
Condition
The condition operator for the identification and authentication types specified for validating the client credentials.
Select one of the following condition operators:
*AND. Applies all the identification and authentication types.
*OR. Applies one of the specified identification and authentication types.
Allow anonymous
Enable or disable the incoming requests to access the API without any restriction.
When you enforce a security policy and select Allow anonymous, Microgateway allows all incoming requests to pass through to the native API. The successfully identified requests are grouped under the respective identified application, and all unidentified requests are grouped under a common application named unknown.
Even when all the incoming requests are allowed to pass through without any restriction you can perform all application-specific actions, such as:
*Viewing the runtime events for a particular application.
*Monitoring the service level agreement for a few applications and sending an alert email based on some criteria like request count or availability.
*Throttling the incoming requests from a particular application and not allowing the request from that application if the number of requests reach the configured hard limit within the configured interval.
Identification Type. Specifies the identification type. You can configure one or more of the following identification types.
API Key
Denotes using the API key to identify and validate the authenticity of the client's identity against the registered applications for the specified API.
Hostname Address
Denotes using the host name to identify the client, extract the client's host name from the HTTP request header, and verify the client's identity against the specified applications in Microgateway.
Configure one of the following Application Lookup conditions to verify the client's identity:
*Registered applications. Verifies the client's hostname against a list of registered applications for the specified API.
*Global applications. Verifies the client's hostname against a list of global applications.
*Global applications and DefaultApplication. Identifies an application against a list of global applications. If the application is not identified, Microgateway sets this application to DefaultApplication and forwards the request to the native service.
HTTP Basic Authentication
Denotes using the Authorization request header to identify and authorize the client application against the specified applications in Microgateway that have the identifier username or access profiles.
Configure one of the following Application Lookup conditions to verify the client's identity:
*Registered applications. Verifies the client's credentials against the list of registered applications for the specified API.
*Global applications. Verifies the client's credentials against a list of global applications.
*Global applications and DefaultApplication. Identifies an application against a list of global applications. If the application is not identified, Microgateway sets this application to DefaultApplication and forwards the request to the native service.
IP Address Range
Denotes using the IP address range to identify the client, extract the client's IP address from the HTTP request header, and verify the client's identity against the specified applications in Microgateway.
Configure one of the following Application Lookup conditions to verify the client's identity:
*Registered applications. Verifies the client's credentials against a list of registered applications for the specified API.
*Global applications. Verifies the client's credentials against a list of global applications.
*Global applications and DefaultApplication. Identifies an application against a list of global applications. If the application is not identified, Microgateway sets this application to DefaultApplication and forwards the request to the native service.
OAuth2 Token
Denotes using the OAuth2 token to identify the client, extract the client's credentials from the OAuth2 token, and verify the client's identity against the specified list of applications in Microgateway.
The tokens issued by API Gateway are validated by delegating them to the API Gateway instance. Configure the communication details that are used by Microgateway to introspect the API Gateway-issued OAuth2 tokens. For details on how to configure the communication details, see webMethods API Gateway User's Guide.
Note:
The client id and other parameters can be used for further processing using the request transformation policy.
JWT
Denotes using the JSON Web Token (JWT) to identify the client, extract the claims from the JWT and validate the client's claims, and verify the client's identity against the specified applications in Microgateway.
Configure one of the following Application Lookup conditions to verify the client's identity:
*Registered applications. Verifies the JWT against a list of registered applications for the specified API.
*Global applications. Verifies the JWT against a list of global applications.
*Global applications and DefaultApplication. Identifies an application against a list of global applications. If the application is not identified, Microgateway sets this application to DefaultApplication and forwards the request to the native service.
Note:
The claims in the JWT can be used for further processing using the request transformation policy.
OpenID Connect
Denotes using the OpenID (ID) token to identify the client, extract the client's credentials from the ID token, and verify the client's identity against the specified list of applications in Microgateway.
You might have one of the following Application Lookup conditions to verify the client's identity:
*Registered applications. Verifies the ID token against a list of registered applications for the specified API.
*Global applications. Verifies the ID token against a list of global applications.
*Global applications and DefaultApplication. Identifies an application against a list of global applications. If the application is not identified, Microgateway sets this application to DefaultApplication and forwards the request to the native service.
Note:
The client id and other parameters can be used for further processing using the request transformation policy.
SSL Certificate
Denotes using the SSL certificate to identify the client, extract the client's identity certificate, and verify the client's identity (certificate-based authentication) against the specified applications in Microgateway.
Whenever both SSL certificate and custom header certificate are present, the identification is done using the SSL certificate. When the identification fails for the certificate obtained from SSL handshake, the identification using the certificate from the custom header is done.
Microgateway extracts the client certificate that is used to identify the client from the request header. The certificate passed in the header should be Base64Encoded or the certificate chain passed in the header should be in the Base64Encoded (.pem) format.
If the transport protocol is HTTP or HTTPS, Microgateway checks for the existence of a header and fetches the certificate from the certificate header.
If the certificate is from the custom header, Microgateway does not check the validity of the certificate and identifies the application using the certificate.
Note:
Software AG recommends that an external entity validates the certificate sent in the custom header.
During asset provisioning at Microgateway start up, the header name is included in the system-settings.yml file. You can customize the header name by modifying the value and including it in the user-defined custom settings YAML file.
Configure one of the following Application Lookup conditions to verify the client's identity:
*Registered applications. Verifies the client certificate against a list of registered applications for the specified API.
*Global applications. Verifies the client certificate against a list of global applications.
*Global applications and DefaultApplication. Identifies an application against a list of global applications. If the application is not identified, Microgateway sets this application to DefaultApplication and forwards the request to the native service.
Payload Element
Denotes using the payload identifier to identify the client, extract the custom authentication credentials supplied in the request represented using the payload identifier, and verify the client's identity against the specified applications in Microgateway.
Configure one of the following Application Lookup conditions to verify the client's identity:
*Registered applications. Verifies the client's payload identifier against a list of registered applications for the specified API.
*Global applications. Verifies the client's identity credentials against a list of global applications.
*Global applications and DefaultApplication. Identifies an application against a list of global applications. If the application is not identified, Microgateway sets this application to DefaultApplication and forwards the request to the native service.
In the Payload identifier section, provide the following information:
*Expression type: Specifies the type of expression that is used for identification. Use one of the following expression types:
*XPath. Contains the following information:
*Payload Expression. The payload expression to which to convert the specified expression type in the request.
For example: /name/id
*Namespace Prefix. The namespace prefix of the payload expression to be validated.
*Namespace URI. The namespace URI of the payload expression to be validated.
*JSONPath. Specifies the JSONPath for the payload identification.
For example: $.name.id
*Text. Specifies the regular expression for the payload identification.
You can have multiple payload identifiers. However, only one payload of each type is allowed. For example, you can have a maximum of three payload identifiers, each being of a different type.