Authentication Mechanisms

This topic describes the various authentication mechanisms that can be incorporated in applications for authenticating users.


Authentication is the process of ensuring that a user is who or what they claim to be. User authentication can be done at various locations within the Process Platform framework. For example, the Web server can authenticate users. Authentication mechanism refers to the part of the framework that handles authentication.

An authentication mechanism also covers authorization of a user. Authorization is the process of ensuring that a particular user has the required permissions to work on a particular resource. A resource can be an application, a service group, a service container and so on.

Authentication mechanisms supported in Process Platform are described in the table below:

Table 1. Authentication Mechanisms

Each entry lists the mechanism name, the level at which authentication or authorization takes place, a description, and the identity types it produces.

Web Server
Authentication or authorization level: Authentication takes place in the Web server. Authorization takes place in the service group.
Description: The Web server (IIS or Apache) is configured to handle authentication. It can be configured to authenticate against various back ends, such as NTLM, Active Directory or LDAP. The Web Gateway receives the user name of the authenticated user through the AUTH_USER variable that the Web server sets. The Web Gateway relies on this value, so requests must only reach it through the authenticating Web server.
Identity types: Process Platform identity or WS-Security SAML Token

WS-Security
Authentication or authorization level: User name token: authentication and authorization take place in the service group. SAML token: authentication takes place at the identity provider; authorization takes place in the service group.
Description: When using the WS-Security authentication mechanism, the client inserts a WS-Security identity directly in the SOAP request header. The WS-Security identity can consist of various token profiles. For more information, refer to WS-Security SAML Token and WS-Security User name Token.
Identity types: WS-Security User name Token or WS-Security SAML Token

Anonymous
Authentication or authorization level: Authorization takes place in the service group. No authentication is done.
Description: When no identity is provided using any of the other authentication mechanisms, the SOAP request is processed anonymously. Whether access is allowed depends on the authorization of the anonymous user.
Identity types: Anonymous User

Custom authentication (deprecated)
Authentication or authorization level: Custom authentication.
Description: Custom authentication is a form-based authentication solution used in earlier versions of Process Platform. The same result can now be achieved with the WS-Security authentication mechanisms and the Single Sign-On solution. For more information, refer to the following sample: Custom Login Page with SSO.
Identity types: Process Platform Identity


Only one authentication mechanism can be used for a SOAP request. It is not possible to use multiple authentication mechanisms simultaneously to authenticate a SOAP request, because it is then not clear which identity should be used on the bus.

Note:

SOAP requests which use multiple authentication mechanisms simultaneously (for example SAML over HTTP GET and Web server authentication) will be rejected by the Web gateway.

One Web gateway, multiple authentication mechanisms

It is possible to use one Web gateway for multiple authentication mechanisms, as long as the individual SOAP requests only use one mechanism. Some mechanisms cannot be used simultaneously due to technical limitations. Web server authentication rules out all other options, because the Web server will authenticate all requests. It is advisable to create multiple Web gateways if you want to use different authentication mechanisms, to avoid confusion.
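As an added example (not Process Platform code), the following Python models both the client side of the WS-Security mechanism from Table 1 (a SOAP request carrying a UsernameToken header) and the gateway-side rule above that a single request may carry only one identity: Web server identity comes from AUTH_USER, WS-Security identities from the wsse:Security header, anything else is Anonymous, and a request that presents more than one is rejected. The SOAP, WS-Security and SAML namespaces are the standard OASIS ones; the AUTH_USER value is passed in as a plain dict to stand in for the Web server variable; SAML over HTTP GET and signature verification of SAML assertions are not modelled; the sample requests are constructed here, not captured traffic.

```python
"""Classify the authentication mechanism of an incoming SOAP request.

Added illustration of the single-mechanism rule; not Process Platform code.
Assumptions: the Web server's AUTH_USER value arrives as a dict entry, the
SOAP envelope arrives as text, and SAML assertions are not signature-checked.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")


class MultipleMechanismsError(ValueError):
    """Raised when one SOAP request carries more than one identity."""


def build_username_token_request(username: str, password: str, body_xml: str) -> str:
    """Client side: wrap body_xml in a SOAP envelope whose header carries a
    WS-Security UsernameToken (plain-text password profile). Values are
    XML-escaped so a crafted user name cannot break out of its element."""
    return (
        f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{WSSE_NS}">'
        f'<wsse:UsernameToken>'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    )


def classify_request(server_vars: dict, soap_xml: str) -> tuple:
    """Gateway side: return (mechanism, identity) for one request.
    Collects every identity the request presents, then applies the rule
    that exactly one mechanism may be used; none at all means Anonymous."""
    found = []
    auth_user = server_vars.get("AUTH_USER")  # set by IIS/Apache after it authenticated
    if auth_user:
        found.append(("Web Server", auth_user))

    root = ET.fromstring(soap_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    securities = [] if header is None else header.findall(f"{{{WSSE_NS}}}Security")
    for security in securities:
        token = security.find(f"{{{WSSE_NS}}}UsernameToken")
        if token is not None:
            found.append(("WS-Security User name Token",
                          token.findtext(f"{{{WSSE_NS}}}Username")))
        # SAML 1.x names the subject NameIdentifier, SAML 2.0 names it NameID.
        for ns, subject_tag in ((SAML1_NS, "NameIdentifier"), (SAML2_NS, "NameID")):
            assertion = security.find(f"{{{ns}}}Assertion")
            if assertion is not None:
                found.append(("WS-Security SAML Token",
                              assertion.findtext(f".//{{{ns}}}{subject_tag}")))

    if len(found) > 1:
        raise MultipleMechanismsError(
            "request carries more than one identity: " + ", ".join(m for m, _ in found))
    if not found:
        return ("Anonymous", "Anonymous User")
    return found[0]


# Constructed sample requests (not captured traffic).
BODY = '<GetUserDetails xmlns="http://example.invalid/user"/>'
USERNAME_TOKEN_REQUEST = build_username_token_request("alice", "s3cret", BODY)
ANONYMOUS_REQUEST = (f'<soap:Envelope xmlns:soap="{SOAP_NS}">'
                     f'<soap:Body>{BODY}</soap:Body></soap:Envelope>')
SAML_REQUEST = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
    f'<wsse:Security xmlns:wsse="{WSSE_NS}">'
    f'<saml:Assertion xmlns:saml="{SAML2_NS}" ID="_a1" Version="2.0">'
    f'<saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>'
    f'</saml:Assertion></wsse:Security></soap:Header>'
    f'<soap:Body>{BODY}</soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(classify_request({}, USERNAME_TOKEN_REQUEST))
    print(classify_request({}, SAML_REQUEST))
    print(classify_request({}, ANONYMOUS_REQUEST))
    print(classify_request({"AUTH_USER": "carol"}, ANONYMOUS_REQUEST))
    try:  # SAML token plus Web server identity: the combination the note above rejects
        classify_request({"AUTH_USER": "carol"}, SAML_REQUEST)
    except MultipleMechanismsError as err:
        print("rejected:", err)
```

The last call is the case the note describes: the Web server has already set AUTH_USER and the envelope also carries a SAML assertion, so there are two candidate identities for the bus and the request is refused rather than picked apart. A production gateway would additionally verify the assertion's signature before accepting the SAML subject.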


Related reference

Types of Identity