cloudblog
2017/10/04

Authenticate End-Users for APIs: LDAP, AD, SAML, Database, Web-Service

APIs are often the backbone of the functionality used by mobile and web applications. These applications in their turn often need to "know" the end-user's identity to provide personalized service: end-user-specific data, permissions, access, and so on. How do you get API Gateway to verify that the user is who she claims to be, let her use the API, and pass her identity to the backend? We have now made it easy with the Configure / External Users / API Consumer Authentication configuration screen.
The following options are available:

1. Using existing SAML Identity Provider

Use this option if your application is already SAML-enabled, authenticates with an existing SAML identity provider, and now just needs to use that SAML token (assertion) to access the APIs. The configuration dialog box will ask you for the SAML provider details. Once the configuration is applied, your application will be able to use the SAML grant type to exchange that assertion for an OAuth access token. When that token is used, a JWT carrying the user's identity information is passed to the backend. See our SAML Grant Type documentation for details.

2. Directly connecting to an LDAP userstore

If your LDAP directory is visible to API Cloud (for example, you have set up a VPN connection):
  1. Select the Connect your LDAP User Store option,
  2. Clear the Outbound agent configured checkbox,
  3. Specify LDAP connection parameters.
Once the configuration is live, your application will need to use the password grant type to get the OAuth token. API Gateway will verify the end-user's credentials against the LDAP directory and generate a personalized OAuth token. Each time the end-user accesses the APIs, the gateway identifies the user and passes the user details to the backend via JWT. Because the password grant hands the end-user's raw password to the application, reserve it for first-party applications you control, and connect to the directory over LDAPS (or the VPN) so the bind credentials never travel in the clear. See this documentation for details.

3. Connecting to LDAP/AD via Identity Cloud

If your LDAP or Active Directory (AD) is behind a firewall and you do not want direct connectivity to it, you can use WSO2 Identity Cloud to connect to the directory:
  1. Sign up for WSO2 Identity Cloud and use its agent to connect the directory,
  2. In API Cloud's Configure / External Users / API Consumer Authentication screen, select the Connect your LDAP User Store option,
  3. Leave the Outbound agent configured checkbox selected.
This combines the previous two cases: the API gateway uses Identity Cloud as the identity provider to authenticate the user, after which a personalized OAuth token is granted. Your application still uses the password grant type, exactly as in the direct-LDAP case. See this documentation for details.
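The following is an added example (it is not WSO2's code and not part of the original post) covering options 1, 2 and 3 from both ends: it builds the token requests an application sends for the SAML bearer grant (RFC 7522) and the password grant (RFC 6749), and shows how a backend should read the end-user identity from the JWT the gateway forwards. The token endpoint URL, the X-JWT-Assertion header name and the http://wso2.org/claims/enduser claim are assumptions taken from WSO2 API Manager defaults and must be checked against your own gateway; the sample JWT is constructed locally and signed with HMAC (the real gateway signs with RSA) so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Assumed WSO2 API Cloud / API Manager defaults: confirm against your gateway.
TOKEN_ENDPOINT = "https://gateway.api.cloud.wso2.com/token"
JWT_HEADER = "X-JWT-Assertion"                    # header the gateway adds to each backend call
ENDUSER_CLAIM = "http://wso2.org/claims/enduser"  # claim carrying the end-user identity


def _basic_auth(consumer_key: str, consumer_secret: str) -> str:
    # OAuth2 client authentication: the application's key/secret identifies the app, not the user.
    raw = f"{consumer_key}:{consumer_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _token_request(consumer_key: str, consumer_secret: str, form: dict) -> dict:
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Authorization": _basic_auth(consumer_key, consumer_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode(form),
    }


def password_grant_request(consumer_key, consumer_secret, username, password) -> dict:
    """Options 2 and 3: resource-owner password grant (RFC 6749 section 4.3).
    The raw end-user password leaves the app here, so use it only in first-party apps."""
    form = {"grant_type": "password", "username": username, "password": password}
    return _token_request(consumer_key, consumer_secret, form)


def saml_bearer_grant_request(consumer_key, consumer_secret, assertion_xml: bytes) -> dict:
    """Option 1: SAML 2.0 bearer assertion grant (RFC 7522); the assertion is base64url-encoded."""
    form = {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
            "assertion": _b64url_encode(assertion_xml)}
    return _token_request(consumer_key, consumer_secret, form)


# ---- backend side: reading the identity the gateway forwards ----------------

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sample_jwt(claims: dict, key: bytes) -> str:
    """Constructed sample token for the demo only; the real one comes from the gateway."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def enduser_from_jwt(token: str, key: bytes, now: float = None) -> str:
    """Return the end-user identity from the gateway JWT or raise ValueError.
    The real gateway signs RS256 with a key you fetch from it; HS256 is swapped in
    here so the example is stand-alone. The shape of the check is the same:
    pin the algorithm, verify the signature over header.payload BEFORE reading
    any claim, then check expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")    # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= float(claims["exp"]):   # exp in seconds, per RFC 7519
        raise ValueError("token expired")
    if ENDUSER_CLAIM not in claims:
        raise ValueError("no end-user claim")
    return claims[ENDUSER_CLAIM]


def jwt_is_trusted(token: str, key: bytes) -> bool:
    try:
        enduser_from_jwt(token, key)
        return True
    except (ValueError, KeyError, TypeError):
        return False
```

The backend reads the forwarded token from the X-JWT-Assertion header and calls enduser_from_jwt on it; the important design point is that a claim is only read after the signature has verified against a key the backend already trusts, and that the algorithm is fixed by the backend rather than taken from the token header.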

4. Verifying user identity via a custom web service

If your end-users are stored in some sort of database or another system that you can expose via a web service, select the Connect your RESTful Authentication Service option and provide the connection details. By default, API Cloud authenticates end-users by sending a POST request with the following JSON payload:
  {
    "credentials": {
      "username": "userx",
      "password": "mypass"
    }
  }
If the end-user record is valid, API Cloud expects a response with the following JSON (note that status is the string "true", not a boolean):
  {
    "response": {
      "status": "true"
    }
  }
These formats, however, can be changed using the configuration dialog box. If the verification is successful, a personalized OAuth token is granted for API access, and each API invocation comes with the user-specific JWT. Because this service receives end-user passwords in the request body, expose it only over TLS and restrict access to it to the API Cloud gateway. See this documentation for details.

API Cloud is a powerful and flexible API management system. Should you have any questions, just click the Support menu and we will be happy to help.
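The following is an added example (not WSO2's code and not part of the original post) of a minimal authentication service implementing the default request and response contract above with only the Python standard library. The user store is constructed sample data standing in for your database; passwords are kept as salted PBKDF2 hashes rather than in the clear. Returning HTTP 200 with status "false" for a bad password and HTTP 400 for a malformed request is this example's choice, not something the post specifies.

```python
import hashlib
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

PBKDF2_ROUNDS = 600_000  # OWASP-level work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user store (in practice this is your database lookup).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"userx": hash_password("mypass", _SALT)}
_DUMMY = (b"\x00" * 16, b"\x00" * 32)


def verify_credentials(username: str, password: str) -> bool:
    # Unknown users go through the same hashing and comparison as known ones,
    # so response time does not reveal whether a username exists.
    salt, stored = USERS.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


def authenticate(body: bytes) -> Tuple[int, dict]:
    """Parse the API Cloud request body and return (HTTP status, JSON reply)."""
    try:
        creds = json.loads(body)["credentials"]
        username, password = creds["username"], creds["password"]
        if not isinstance(username, str) or not isinstance(password, str):
            raise TypeError("credentials must be strings")
    except (ValueError, KeyError, TypeError):
        return 400, {"response": {"status": "false"}}
    ok = verify_credentials(username, password)
    # API Cloud's default expects the string "true"/"false", not a JSON boolean.
    return 200, {"response": {"status": "true" if ok else "false"}}


class AuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, reply = authenticate(self.rfile.read(length))
        payload = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):
        # Deliberately silent: request bodies carry end-user passwords.
        pass


if __name__ == "__main__":
    # Put TLS termination in front of this and allow only the API Cloud gateway to reach it.
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

Point API Cloud's RESTful Authentication Service configuration at this endpoint; if you change the request or response format in the configuration dialog, adjust the parsing in authenticate to match.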