Layer7 API Management

  • 1.  Authenticate Multiple Identity Providers with Digest Credentials

    Posted May 20, 2017 07:40 AM

    Hey,

     

    I am trying to authenticate users with the Require WS-Security Password Digest Credentials assertion; however, writing one assertion for each user does not seem like best practice to me. So, my questions:

    1) Is there any assertion, or configuration of the above assertion, that makes it possible to authenticate several users defined in internal identity providers? (Digest is crucial for me in any solution.)

    2) What is the correct way of using ${secpass.*.plaintext}? I tried this directly for one of the usernames defined in the internal identity providers, but authentication did not succeed. If there is no way of authenticating internal identity providers or a group of IIPs with a single assertion (1st question), at least the password should not be visible as plain text inside the assertion.

     

    Thanks in advance,

     

    #digest #iip  #wss



  • 2.  Re: Authenticate Multiple Identity Providers with Digest Credentials
    Best Answer

    Posted Mar 02, 2018 05:29 AM

    Hi

    1. That is exactly the answer I am currently looking for. Unfortunately I have not found it yet.
    2. The variable ${secpass.*.plaintext} references a stored password in the gateway. You can find them in the Policy Manager under Tasks > Certificates, Keys and Secrets > Manage Stored Passwords. If you have a password there called MyPassword and the checkbox "Permit use via context variable reference" is checked, you can get this password with the variable ${secpass.MyPassword.plaintext}.

     

    Regards

    Stephan

     



  • 3.  Re: Authenticate Multiple Identity Providers with Digest Credentials

    Posted Mar 02, 2018 06:00 AM

    Hi Stephan,

    Thanks for the reply. I have solved my second question, but the first one still remains, and I have to insert one assertion for each user in an OR clause (at least one of them is true). This leads to several comparisons inside the policy because of more than 100 users and also assertions, and it also affects the performance and speed. ${secpass.${UserName}.plaintext} would solve my problem, but nested ${${}} usage is not offered. If you find a solution, I hope you will let me know.

    Regards,

    Duran



  • 4.  Re: Authenticate Multiple Identity Providers with Digest Credentials

    Posted Mar 02, 2018 06:29 AM

    Hi mangiare

     

    Well, you can use ${secpass.${UserName}.plaintext} quite easily by using the Lookup Context Variable Assertion.

     

    After the assertion is executed, you can use [Target Variable Prefix].output to get the resolved value. In my example this would be ${lookup.output}.

     

    But for us it is not possible to store all users (1500+) this way. 

     

    Regards

    Stephan



  • 5.  Re: Authenticate Multiple Identity Providers with Digest Credentials

    Posted Mar 16, 2018 04:17 AM

    Thank you Stephan,

    I kept trying ${secpass.${UserName}.plaintext}; also, in the given link (Look Up Context Variable Assertion) it says "Nested context variables are not supported (for example, ${foo.${bar}})."

    Look Up Context Variable Assertion (secpass.${UserName}.plaintext) + only one Require WS-Security Password Digest Credentials solved the problem.

    Regards,

    Duran
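
The pattern the thread ends on, one password lookup keyed by the username followed by a single digest check, as an added Python example that is not part of the thread and not Layer7 code. The digest formula is the one from the WSS UsernameToken Profile; `STORED_PASSWORDS`, the function names and the sample values are hypothetical, and the nonce replay set is an addition beyond what the thread discusses.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the gateway's stored passwords (hypothetical names and values).
# The verifier needs the plaintext because the digest is computed over the password itself.
STORED_PASSWORDS = {"alice": "correct horse", "bob": "s3cret-bob"}


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), with the nonce Base64-decoded first."""
    nonce = base64.b64decode(nonce_b64, validate=True)
    sha1 = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(sha1.digest()).decode("ascii")


def verify_username_token(username, digest_b64, nonce_b64, created, seen_nonces):
    """Look up the password by username, then run one digest check for any user."""
    password = STORED_PASSWORDS.get(username)  # plays the role of secpass.<UserName>.plaintext
    if password is None:
        return False  # unknown user
    if (username, nonce_b64) in seen_nonces:
        return False  # replayed token
    try:
        expected = password_digest(nonce_b64, created, password)
    except ValueError:
        return False  # malformed Base64 nonce
    # Constant-time comparison of the expected and presented digests.
    if not hmac.compare_digest(expected.encode(), digest_b64.encode()):
        return False
    seen_nonces.add((username, nonce_b64))
    return True
```
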