We have a requirement where the user does not want to send authentication credentials in a header and would rather send them in the request body itself, in username and password fields.
We are trying to validate user credentials sent in the request body against Active Directory. We are able to form a custom Authorization HTTP header with the Basic-encoded username:password.
headers:
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.8
Authorization: Basic eGthc3VuZTpDaGFyYW5AMjAxNg==
cache-control: no-cache
connection: keep-alive
content-length: 8505
content-type: text/xml
origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/
Still, we are observing an "Authentication Required" error from the service. Could you please suggest how we can do authentication in this scenario?
Is it possible to do the authentication we are trying to do?
Have you tried using the Require XPath Credentials assertion for pulling the username and password out of the body?
Thanks for the reply.
I am able to pull the username and password from the request body and form the Basic Authorization header as well. Even so, the policy throws a "Required Authentication" error.
I have already attached the policy logic.
It looks like you do everything in one policy.
You could try adding the header in one policy, then route via HTTP to another policy for authentication.
Thank you very much for your response.
We are able to form the Basic Authorization header in the policy, but it still throws the error. Is it possible to handle this in one policy?
If we develop another policy to route credentials to the actual policy for authentication, more policies will come going forward. In that case, maintaining more policies is a bit difficult.
Hello saisuneel,
I did a quick test; it's all right to put them in one policy, but you don't need the Require HTTP Basic Credentials assertion here, just Authenticate against ***.
If the credential in your custom header is correct, it will pass; otherwise it will give the error "No Credential found!"
Furthermore, if you split the policy, you can use the Require HTTP Basic Credentials assertion in the authenticating policy.
It seems the Require HTTP Basic Credentials assertion only reads the original headers.
Sorry saisuneel,
It could have been my browser cache; the Authenticate against *** assertion ignores the custom header too -- after I changed to another user, it no longer worked.
i.e. the custom header doesn't take effect inside the policy. You may have to split the policy.
Thank you very much for quick update.
I removed the Require HTTP Basic Credentials assertion when I passed the custom HTTP Authorization header, but even then it did not work.
My concern is that if we split the service into two services instead of one, we will have to split services whenever any customer wants to send credentials in the request body instead of the request header.
So I am looking for the best approach, one that will reduce maintenance problems too.
Thanks a lot once again.
The gateway is able to pull the username and password from the payload using various assertions, including WS-Security UsernameToken Profile Credentials and Require XPath Credentials. The WS-Security UsernameToken is a WS-Security header security token that contains the username and password, which are extracted with the WS-Security UsernameToken Profile Credentials assertion. The Require XPath Credentials assertion, even though it has the appearance of being XML-only, can do much more. Its primary usage is when you have a username and password in XML: you can XPath out each component and authenticate against an Identity Provider. This assertion also allows you to take in a context variable to authenticate even if the payload is not XML. In that case you will need another means of extraction, such as a regular expression, or retrieve the values from a form post using the request.http.parameter.<NAME> context variable. I've attached a sample policy that will hopefully get you started.
Director, CA Support
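To make the three extraction routes in the answer above concrete (a WS-Security UsernameToken, two XPath expressions over an arbitrary XML body, and form parameters), here is an added, stand-alone example in Python. It is not CA API Gateway code and not the attached sample policy; the SOAP, XML and form bodies are constructed for illustration, the credentials alice/s3cret are made up, and the function names are the author's own. It shows the credentials being pulled from the body, turned into the RFC 7617 Basic header the gateway's authentication step expects, and, for the PasswordDigest variant of UsernameToken, how the digest is recomputed and checked.

```python
"""Extract credentials from a request body and form the HTTP Basic header.

Added example (not CA API Gateway code). Sample bodies are constructed.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs
from xml.etree import ElementTree as ET  # untrusted XML: prefer defusedxml in production

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
NS = {"wsse": WSSE, "wsu": WSU}

# Constructed sample bodies (hypothetical credentials alice / s3cret).
SOAP_BODY = f"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soapenv:Header><wsse:Security>
    <wsse:UsernameToken>
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="{UTP}#PasswordText">s3cret</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security></soapenv:Header>
  <soapenv:Body><getOrder><id>42</id></getOrder></soapenv:Body>
</soapenv:Envelope>"""
PLAIN_XML_BODY = "<login><user>alice</user><pass>s3cret</pass></login>"
FORM_BODY = "username=alice&password=s3cret"


def credentials_from_xpath(xml_body, username_path, password_path):
    """Like 'Require XPath Credentials': two paths select username and password
    from any XML body. Raises if either is missing, so an empty body cannot
    silently become an empty credential."""
    root = ET.fromstring(xml_body)
    user = root.findtext(username_path, namespaces=NS)
    pw = root.findtext(password_path, namespaces=NS)
    if not user or pw is None:
        raise ValueError("No credentials found in body")
    return user, pw


def credentials_from_usernametoken(xml_body):
    """Like 'WS-Security UsernameToken Profile Credentials': read the token
    from the wsse:Security header, including nonce/created for digest tokens."""
    root = ET.fromstring(xml_body)
    token = root.find(".//wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("No UsernameToken found")
    pw = token.find("wsse:Password", NS)
    return {
        "username": token.findtext("wsse:Username", namespaces=NS),
        "password": None if pw is None else pw.text,
        "type": None if pw is None else pw.get("Type", UTP + "#PasswordText"),
        "nonce": token.findtext("wsse:Nonce", namespaces=NS),
        "created": token.findtext("wsu:Created", namespaces=NS),
    }


def credentials_from_form(body, user_param="username", password_param="password"):
    """Form-encoded body; on the gateway these are request.http.parameter.<NAME>."""
    params = parse_qs(body, strict_parsing=True)
    return params[user_param][0], params[password_param][0]


def basic_header(username, password):
    """RFC 7617: 'Basic ' + base64(user ':' password). A ':' in the username
    would be indistinguishable from the separator, so reject it."""
    if ":" in username:
        raise ValueError("username may not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header):
    """Inverse of basic_header, i.e. what the authenticating side parses."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, pw = base64.b64decode(token).decode().partition(":")
    return user, pw


def password_digest(nonce_b64, created, password):
    """UsernameToken PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def verify_password_digest(digest, nonce_b64, created, expected_password):
    """Recompute the digest from the password on record and compare in constant
    time. Note this needs the cleartext password; a directory bind (as against
    AD) can only check PasswordText tokens."""
    return hmac.compare_digest(digest, password_digest(nonce_b64, created, expected_password))


if __name__ == "__main__":
    tok = credentials_from_usernametoken(SOAP_BODY)
    print(basic_header(tok["username"], tok["password"]))
    print(basic_header(*credentials_from_xpath(PLAIN_XML_BODY, ".//user", ".//pass")))
    print(basic_header(*credentials_from_form(FORM_BODY)))
```

The header produced for any of the three bodies is the same `Basic YWxpY2U6czNjcmV0`, which is exactly what a downstream Basic-credentials check decodes back into alice / s3cret; whether the gateway's own assertions honour a header added mid-policy is the separate question the thread above is about.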
Thank you Stephen_Hughes,
This is the better solution.