webMethods and Intelligent Business Operations 10.2 | API Gateway User's Guide
 
Inbound Authentication - Transport
An API Provider can use this policy to enforce authentication on the API. When this policy is configured for an API, API Gateway expects clients to pass their authentication credentials in the transport headers (the HTTP Authorization header) of the request that is forwarded to the native API. At the transport level, API Gateway supports the HTTP Basic, Kerberos, OpenID and JWT authentication schemes described in the table below.
Note: Transport-level authentication can be used to secure inbound communication of both the SOAP APIs and the REST APIs.
The following properties can be specified for this policy; each property is followed by its description:
Kerberos Token Authentication
Specifies that a Kerberos token is required when a client application accesses an API enforced with the Kerberos authentication policy.
Prerequisites:
*You must have the Key Distribution Center (KDC) configured in Integration Server (go to Security > Kerberos).
*You must have the Kerberos settings configured in API Gateway (go to <Username> > Administration > Security > Kerberos).
API Gateway extracts the Kerberos token from the transport authorization header and validates the token with the KDC using the SPN credentials that the provider configured for the API. If the Kerberos token sent by the client is valid, API Gateway forwards the request to the native API and returns the response to the client.
Provide the following information:
*Service Principal Name. Specifies a valid SPN, the principal name under which API Gateway authenticates the incoming client principal. A client requests a service ticket for this SPN from the KDC, and API Gateway uses the same SPN credentials to validate that ticket.
Note: API Gateway supports the username format for Service Principal Names (SPNs). This format represents the principal name as a named user defined in LDAP used for authentication to the KDC.
*Service Principal Password. Specifies a valid password of the SPN user or the SPN host.
HTTP Basic Authentication
Specifies that HTTP Basic authentication is used to validate incoming requests from clients. API Gateway decodes the username and password from the Authorization header and authenticates them against the list of users defined in API Gateway. Because Basic credentials are only base64-encoded, not encrypted, the API should be exposed over HTTPS so that the credentials are protected in transit.
OpenID Authentication
Specifies that an OpenID (ID) Token is required when a client application accesses an API enforced with the OpenID authentication policy.
API Gateway extracts the ID token from the transport authorization header and validates it against the claims configured in the application that is requesting access to the API. If the ID token sent by the client is valid, API Gateway forwards the request to the native API and returns the response to the client.
JWT Authentication
Specifies that a JSON Web Token (JWT) is required when a client application accesses an API enforced with the JWT authentication policy.
API Gateway extracts the JWT from the transport authorization header and verifies its signature using the public certificate specified in the JWT configuration. If the JWT sent by the client is valid, API Gateway forwards the request to the native API and returns the response to the client.
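The following Go program is an added example that illustrates the transport-level checks described for the HTTP Basic and JWT entries above (and the Authorization-header dispatch from the introduction). It is not API Gateway's own code and does not claim to reproduce its internal logic: the `Verifier` type, its `Users` list, the `JWTKey` field and the `MintRS256` issuer stand-in are names assumed for this illustration, and the user "alice" / "s3cret" and the token subject "svc-client" are constructed sample data. Kerberos (Negotiate) and OpenID are not shown because both need a live KDC or identity provider.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example modelled on the policy above, not API Gateway's code: Verifier, Users, JWTKey and MintRS256 are assumed names.
var ErrUnauthorized = errors.New("unauthorized")
var b64 = base64.RawURLEncoding // JWT segments use unpadded base64url

// Verifier holds a user list (stand-in for the API Gateway user store) and the public key from the JWT configuration.
type Verifier struct {
	Users  map[string]string // username -> password (constructed sample data)
	JWTKey *rsa.PublicKey
}

// Authenticate dispatches on the Authorization header's scheme and returns the
// authenticated identity or an error wrapping ErrUnauthorized.
func (v *Verifier) Authenticate(authHeader string) (string, error) {
	scheme, cred, _ := strings.Cut(strings.TrimSpace(authHeader), " ")
	switch strings.ToLower(scheme) {
	case "basic":
		return v.basic(cred)
	case "bearer":
		return v.jwt(cred)
	}
	// Negotiate (Kerberos) needs a KDC round-trip and is not shown here.
	return "", fmt.Errorf("%w: unsupported scheme %q", ErrUnauthorized, scheme)
}

// basic decodes "user:password" and checks it against the user list in constant time.
func (v *Verifier) basic(cred string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(cred)
	up := strings.SplitN(string(raw), ":", 2)
	if err != nil || len(up) != 2 {
		return "", ErrUnauthorized
	}
	want, known := v.Users[up[0]]
	if !known || subtle.ConstantTimeCompare([]byte(up[1]), []byte(want)) != 1 {
		return "", ErrUnauthorized
	}
	return up[0], nil
}

// jwt verifies an RS256 JWT with the configured public key. The accepted alg is fixed here,
// never read from the token, so "alg":"none" or an HMAC alg is rejected; exp is enforced.
func (v *Verifier) jwt(token string) (string, error) {
	seg := strings.Split(token, ".")
	if len(seg) != 3 {
		return "", ErrUnauthorized
	}
	hb, e1 := b64.DecodeString(seg[0])
	pb, e2 := b64.DecodeString(seg[1])
	sig, e3 := b64.DecodeString(seg[2])
	var hdr struct{ Alg string `json:"alg"` }
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", fmt.Errorf("%w: malformed token or unexpected alg", ErrUnauthorized)
	}
	digest := sha256.Sum256([]byte(seg[0] + "." + seg[1])) // signature covers header.payload
	if rsa.VerifyPKCS1v15(v.JWTKey, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("%w: bad signature", ErrUnauthorized)
	}
	var claims struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	if json.Unmarshal(pb, &claims) != nil || claims.Sub == "" || !time.Now().Before(time.Unix(claims.Exp, 0)) {
		return "", fmt.Errorf("%w: bad claims or token expired", ErrUnauthorized)
	}
	return claims.Sub, nil
}

// MintRS256 stands in for the token issuer so the example runs offline.
func MintRS256(key *rsa.PrivateKey, sub string, exp time.Time) (string, error) {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	p, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": exp.Unix()})
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig), err
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	v := &Verifier{Users: map[string]string{"alice": "s3cret"}, JWTKey: &key.PublicKey}
	tok, _ := MintRS256(key, "svc-client", time.Now().Add(time.Hour))
	for _, h := range []string{"Basic YWxpY2U6czNjcmV0", "Bearer " + tok, "Bearer " + tok + "x", "Negotiate YIIB..."} {
		who, err := v.Authenticate(h)
		fmt.Printf("%.12s... -> identity=%q err=%v\n", h, who, err)
	}
}
```

In `main`, "YWxpY2U6czNjcmV0" is base64 of the constructed credential "alice:s3cret", and the third header carries a tampered signature that must fail verification. Two design points carry over to any transport-level check of this kind: the verifier decides which signature algorithm it accepts rather than trusting the token's own `alg` header, and the Basic password comparison is constant-time so that a rejected request does not reveal how much of the password matched.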

Copyright © 2015- 2018 | Software AG, Darmstadt, Germany and/or Software AG USA, Inc., Reston, VA, USA, and/or its subsidiaries and/or its affiliates and/or their licensors.
Innovation Release