Authentication

TIBCO API Exchange Gateway supports the following types of authentication policies:

An authentication policy determines how users are authenticated. It requires the incoming request to carry the sender's identity so that the gateway can authenticate that identity before processing the request.

You can define an authentication policy for a client to require that target services authenticate the client's identity before processing a request. A client authentication policy is usually applied at target services.

Basic

When the client sends the username and password in the HTTP basic authentication header of the request message, you can enforce a basic authentication policy to authenticate the client's identity. The basic authentication policy authenticates the username and password in the client request against an LDAP Authentication service provider and generates a SAML 2.0 assertion, which is forwarded to TIBCO API Exchange Gateway.

UsernameToken

The UsernameToken authentication policy authenticates the username and password specified with the usernameToken in the client request message using a specified LDAP shared resource.

Note: TIBCO API Exchange Gateway supports the UsernameToken authentication policy with password digest using the WSS processor for an LDAP server. To use the password digest with the UsernameToken authentication policy, the following conditions must be met:
  • The LDAP server must store passwords in plain text and make them readable by the administrative user.
  • The LDAP server must be OpenLDAP.
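The plain-text requirement in the note follows from how the WS-Security UsernameToken password digest is built: the verifier must recompute Base64(SHA-1(nonce + created + password)) from the stored password, so a hashed store cannot be used. The following added example (not TIBCO's code) shows both sides of that check against a constructed in-memory credential store standing in for the LDAP entries; the nonce cache and function names are assumptions for illustration.

```python
import base64
import hashlib
import os
import secrets
from datetime import datetime, timezone
from typing import Dict, Optional, Set

# Constructed stand-in for the LDAP entries (not TIBCO's store). The digest can only be
# verified when the plaintext password is retrievable, which is why the note above
# requires the LDAP server to keep plaintext passwords readable by the admin user.
PLAINTEXT_STORE: Dict[str, str] = {"alice": "correct horse battery staple"}


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security UsernameToken Profile digest:
    Base64(SHA-1(nonce || created || password)), with the nonce as its decoded bytes."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_username_token(username: str, password: str,
                        nonce: Optional[bytes] = None,
                        created: Optional[str] = None) -> Dict[str, str]:
    """Client side: the fields a PasswordDigest UsernameToken carries in the wsse header."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode("ascii")
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


def verify_username_token(token: Dict[str, str],
                          store: Dict[str, str] = PLAINTEXT_STORE,
                          seen_nonces: Optional[Set[str]] = None) -> bool:
    """Gateway side: recompute the digest from the stored plaintext and compare it in
    constant time. Remembering accepted nonces rejects a replayed token; a production
    verifier also bounds the age of Created so the nonce cache stays finite."""
    password = store.get(token.get("Username", ""))
    if password is None:
        return False
    expected = password_digest(token["Nonce"], token["Created"], password)
    if not secrets.compare_digest(expected, token["PasswordDigest"]):
        return False
    if seen_nonces is not None:
        if token["Nonce"] in seen_nonces:
            return False  # same nonce already accepted: treat as replay
        seen_nonces.add(token["Nonce"])
    return True
```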

SAML

TIBCO API Exchange Gateway provides SAML authentication policy, where you can authenticate the credentials in the SAML assertion from the security header of the SOAP message. The SAML assertion is authenticated using an identity service provider shared resource.

X509

TIBCO API Exchange Gateway provides the X509 security policy so that the target operations with SOAP bindings can authenticate the consumer's identity using the consumer's X509 signature. The consumer’s identity is authenticated using an identity service provider shared resource.

See the following policies:

SiteMinder

TIBCO API Exchange Gateway provides the SiteMinder security policy so that the target operations with HTTP bindings can authenticate the consumer's identity using the SiteMinder session cookie. The consumer’s identity is authenticated using a SiteMinder service provider shared resource.

See AuthenticationBySiteMinder.policy.

OAuth

TIBCO API Exchange Gateway provides the Authentication by OAuth policy. This policy ensures that any access to a target operation on which it is enforced must be authenticated by an OAuth authorization server. The authorization server is specified in the policy, along with the client ID and client secret registered with that authorization server.

To support a PingIdentity authorization server for OAuth policies, set the Provider field in the policy file as follows:

<ns:Provider>PingIdentity</ns:Provider>

See AuthenticationbyOAuth Policy.

Kerberos SPNEGO

TIBCO API Exchange Gateway provides the SPNEGO security policy so that the facade operations with HTTP bindings can authenticate the consumer's identity using the SPNEGO token. The SPNEGO token is authenticated using a Kerberos service provider shared resource.

See AuthenticationbySPNEGO.Policy.

To configure the Kerberos SPNEGO policy, refer to Configuration Setup for Kerberos SPNEGO Authentication Policy.

Custom Authentication

TIBCO API Exchange Gateway provides an extensible authentication framework to support non-standard authentication. For example, when you want to verify user credentials that a request carries in a proprietary format, or verify the credentials against a custom identity store, you can extend the base login module to meet your requirements.

TIBCO API Exchange Gateway enables the development of an authentication framework using the custom shared resource. See Authentication Using Custom Shared Resource.