Layer7 API Management

  • 1.  Static Authentication in an API

    Posted May 10, 2020 11:52 AM
    How to put static authentication in an API.
    Suppose the username & password are coming from the consumer in the message header or in the URL.
    Now we have to follow the steps below:
    1) Extract the username & password from the header or the URL
    2) Compare the username & password with those shared earlier with the consumer
    3) If the username & password match, then route to the provider

    please guide .


  • 2.  RE: Static Authentication in an API
    Best Answer

    Posted May 11, 2020 03:41 AM
    If you know the username and password, you can create a user in the Internal Identity Provider.

    Follow these steps:
    1. Create a user with the given credentials in the Internal Identity Provider
    2. Create the service to cater for this authentication
    3. At the very start, use the following assertions:
    3.1. Require basic authentication, or you can use the 'Require XPath Credentials' assertion along with the 'Authenticate Against Internal Identity Provider' assertion.
    3.2. Authenticate Against Internal Identity Provider
    3.3. If successful, pass it on; else throw an error

    Some Community Links
    https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=00477952-1e0c-4cc3-95bd-3bb7dea30232&CommunityKey=0f580f5f-30a4-41de-a75c-e5f433325a18&tab=digestviewer#bm00477952-1e0c-4cc3-95bd-3bb7dea30232

    https://docops.ca.com/ca-api-gateway/9-3/en/policy-assertions/assertion-palette/access-control-assertions/require-xpath-credentials-assertion/

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-api-management/api-gateway/9-4/security-configuration-in-policy-manager/identity-providers/ldap-identity-providers/ldap-identity-provider-wizard.html


    In case you want to authenticate against an IDP



    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 3.  RE: Static Authentication in an API

    Posted May 18, 2020 02:16 PM
    Thanks for the reply, Ronald. Your answer is for the SOAP request.
    What about the REST cases? If the username & password came through the URL like below, then

    1) How to extract the username & password from the URL
    2) Match the username & password extracted from the URL.
    3) If successful, it will go to the next level

    Please help.


  • 4.  RE: Static Authentication in an API

    Posted May 19, 2020 04:46 AM
    All request parameters are accessible via ${request.http.parameter.<name>}
    e.g. ${request.http.parameter.username} & ${request.http.parameter.password}
    -- At least one folder
     -- Add an All folder
      ---- set context variable ${username} = ${request.http.parameter.username}
      ---- set context variable ${password} = ${request.http.parameter.password}
      ----- compare variables to see that username and password have values: compare ${username} & ${password} is not empty [2 compares]
     -- Add an All folder
      ----- comment to deal with request body
      ------ Evaluate JSON path expression ${request}  evaluate $.username as user
      ------ Evaluate JSON path expression ${request}  evaluate $.password as pwd
      ---- set context variable ${username} = ${user.result}
      ---- set context variable ${password} = ${pwd.result}
      ------ compare variables to see that username and password have values: compare ${username} & ${password} is not empty [2 compares]
     --- FAIL

    Create a context variable creds of type XML
    <creds>
    <username>${username}</username>
    <password>${password}</password>
    </creds>

    Use XPath credentials
    At least one folder
     --- Authenticate against IdP
     ---- Stop on failure

    //post action

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------



  • 5.  RE: Static Authentication in an API

    Broadcom Employee
    Posted May 19, 2020 04:33 PM
    When you say that the username and password are in the URL, can you provide the details? How are they provided in the URL?

    In order to validate credentials against an identity provider, the Gateway requires the username and password to be part of the request context. When using, for example, the Require HTTP Basic Credentials assertion, the Gateway expects the credentials to be base64 encoded in the Authorization header (per rfc2616) and can therefore automatically associate them with the request context, else it returns a 401 challenge. There are multiple assertions for automatically associating credentials with the request context. If the mechanism *you* require is not there as a standard assertion, then you need to obtain the username and password from the request as context variables. If they are presented as query parameters (e.g. http://gateway:8443/service?username=jay&password=7layer) then they are available as ${request.http.parameter.username} and ${request.http.parameter.password}. Once you have them as context variables you can associate them with the request context using the Require XPath Credentials - which is completely not intuitive but it is sadly the only way - by referencing the context variables in the assertion. Note that XPath and XSLT reference context variables without the curly braces. The following policy illustrates this in action:

    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsp:All wsp:Usage="Required">
            <L7p:CommentAssertion>
                <L7p:Comment stringValue="* Demonstrate using Require XPath Credentials to validate HTTP parameters"/>
            </L7p:CommentAssertion>
            <L7p:AuditAssertion/>
            <L7p:XpathCredentialSource>
                <L7p:PasswordExpression xpathExpressionValue="included">
                    <L7p:Expression stringValue="$request.http.parameter.password"/>
                    <L7p:Namespaces mapValue="included">
                        <L7p:entry>
                            <L7p:key stringValue="s"/>
                            <L7p:value stringValue="http://schemas.xmlsoap.org/soap/envelope/"/>
                        </L7p:entry>
                    </L7p:Namespaces>
                </L7p:PasswordExpression>
                <L7p:XpathExpression xpathExpressionValue="included">
                    <L7p:Expression stringValue="$request.http.parameter.username"/>
                    <L7p:Namespaces mapValue="included">
                        <L7p:entry>
                            <L7p:key stringValue="s"/>
                            <L7p:value stringValue="http://schemas.xmlsoap.org/soap/envelope/"/>
                        </L7p:entry>
                    </L7p:Namespaces>
                </L7p:XpathExpression>
            </L7p:XpathCredentialSource>
            <wsp:OneOrMore wsp:Usage="Required">
                <L7p:Authentication>
                    <L7p:IdentityProviderOid goidValue="0000000000000000fffffffffffffffe"/>
                </L7p:Authentication>
                <wsp:All wsp:Usage="Required">
                    <L7p:CustomizeErrorResponse>
                        <L7p:Content stringValueReference="inline"><![CDATA[Not Authorized
    
    request.http.parameter.username=${request.http.parameter.username}
    request.http.parameter.password=${request.http.parameter.password}
    request.username=${request.username}
    request.password=${request.password}
    ]]></L7p:Content>
                        <L7p:ExtraHeaders nameValuePairArray="included"/>
                        <L7p:HttpStatus stringValue="401"/>
                    </L7p:CustomizeErrorResponse>
                    <L7p:FalseAssertion/>
                </wsp:All>
            </wsp:OneOrMore>
            <L7p:HardcodedResponse>
                <L7p:Base64ResponseBody stringValue="SGkgJHtyZXF1ZXN0LmF1dGhlbnRpY2F0ZWRVc2VyfSEKCnJlcXVlc3QuaHR0cC5wYXJhbWV0ZXIudXNlcm5hbWU9JHtyZXF1ZXN0Lmh0dHAucGFyYW1ldGVyLnVzZXJuYW1lfQpyZXF1ZXN0Lmh0dHAucGFyYW1ldGVyLnBhc3N3b3JkPSR7cmVxdWVzdC5odHRwLnBhcmFtZXRlci5wYXNzd29yZH0KcmVxdWVzdC51c2VybmFtZT0ke3JlcXVlc3QudXNlcm5hbWV9CnJlcXVlc3QucGFzc3dvcmQ9JHtyZXF1ZXN0LnBhc3N3b3JkfQpyZXF1ZXN0LmF1dGhlbnRpY2F0ZWR1c2VyPSR7cmVxdWVzdC5hdXRoZW50aWNhdGVkdXNlcn0K"/>
                <L7p:ResponseContentType stringValue="text/plain; charset=UTF-8"/>
            </L7p:HardcodedResponse>
        </wsp:All>
    </wsp:Policy>


    Similarly, if the username and password are presented as headers, they are available as ${request.http.headers.<headername>}



    ------------------------------
    Jay MacDonald - Adoption Architect - Broadcom API Management (Layer 7)
    ------------------------------
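Replies 4 and 5 describe the same pipeline from two angles: reply 4 copies the username and password out of query parameters or a JSON body into context variables and checks that both are non-empty before authenticating, and reply 5 explains that the Gateway needs them in the request context (the Basic Authorization header, custom headers, or ${request.http.parameter.<name>}) and answers with a 401 challenge otherwise. The Python below is an added illustration, not code from the thread or from Layer7, that emulates that flow outside the Gateway so the checks can be exercised stand-alone. The STATIC_CREDENTIALS store, the X-Username/X-Password header names, the function names and the constructed requests are assumptions; the sample user jay/7layer is the one from reply 5's URL. It compares passwords in constant time and, unlike the demonstration policy's 401 body, never echoes the submitted values back to the caller.

```python
import base64
import hmac
import json
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed static credential store (username -> password). In the Gateway
# this lives in the Internal Identity Provider, as reply 2 recommends; it is a
# dict here only so the example runs stand-alone.
STATIC_CREDENTIALS: Dict[str, str] = {"jay": "7layer"}

Creds = Optional[Tuple[str, str]]


def credentials_from_request(url: str, headers: Dict[str, str],
                             body: Optional[str] = None) -> Creds:
    """Mirror the Gateway's credential sources, first match wins:
    1. Authorization: Basic (what Require HTTP Basic Credentials consumes)
    2. assumed X-Username / X-Password headers (${request.http.header.<name>})
    3. query parameters username / password (${request.http.parameter.<name>})
    4. JSON body $.username / $.password (reply 4's Evaluate JSON Path Expression)
    Returns (username, password) or None when no source carries both values."""
    h = {k.lower(): v for k, v in headers.items()}

    auth = h.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # malformed header counts as "no credentials"
        user, sep, pwd = decoded.partition(":")
        return (user, pwd) if sep else None

    if "x-username" in h and "x-password" in h:
        return h["x-username"], h["x-password"]

    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "username" in qs and "password" in qs:
        return qs["username"][0], qs["password"][0]

    if body:
        try:
            doc = json.loads(body)
        except ValueError:
            return None
        if (isinstance(doc, dict) and isinstance(doc.get("username"), str)
                and isinstance(doc.get("password"), str)):
            return doc["username"], doc["password"]
    return None


def authenticate(creds: Creds) -> bool:
    """Reply 4's 'both values are not empty' check followed by the lookup that
    Authenticate Against Internal Identity Provider performs. The comparison is
    constant-time and runs even for unknown users, so response timing does not
    reveal whether the username or the password was the wrong part."""
    if creds is None:
        return False
    username, password = creds
    if not username or not password:
        return False
    expected = STATIC_CREDENTIALS.get(username)
    match = hmac.compare_digest(password.encode("utf-8"),
                                (expected or "\0").encode("utf-8"))
    return match and expected is not None


def policy(url: str, headers: Dict[str, str],
           body: Optional[str] = None) -> Tuple[int, Dict[str, str], str]:
    """The service policy as a function: 401 plus a Basic challenge when the
    credentials are absent or wrong, 200 with a greeting otherwise. The failure
    body deliberately carries none of the submitted values."""
    creds = credentials_from_request(url, headers, body)
    if not authenticate(creds):
        return 401, {"WWW-Authenticate": 'Basic realm="gateway"'}, "Not Authorized"
    return 200, {"Content-Type": "text/plain; charset=UTF-8"}, f"Hi {creds[0]}!"


if __name__ == "__main__":
    # Constructed requests covering each source replies 4 and 5 mention.
    print(policy("http://gateway:8443/service?username=jay&password=7layer", {}))
    print(policy("http://gateway:8443/service", {"Authorization": "Basic amF5OjdsYXllcg=="}))
    print(policy("http://gateway:8443/service", {"Content-Type": "application/json"},
                 '{"username": "jay", "password": "7layer"}'))
    print(policy("http://gateway:8443/service?username=jay&password=", {}))
```

Credentials carried in the query string are recorded wherever URLs are logged (gateway audit and access logs, proxies, browser history), so when the consumer can be changed the Authorization header path, which the Gateway handles natively with Require HTTP Basic Credentials, is the one to prefer; the query-parameter and JSON-body branches are there for consumers that cannot be changed.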