This policy enables HTTP Basic Authentication on an API. You can use this policy to require clients to provide HTTP BASIC authentication credentials when making requests to the managed API.
Configuration Options
Basic Configuration
Option
Description
Possible Values
Default
Authentication Realm
Defines the Basic Auth realm that will be used when responding with an auth challenge (when authentication is missing or fails). The input of a realm is mandatory.
a string
-
Identity Source
Additionally, one of the complex properties must be included in the configuration, indicating whether API Management should use JDBC, LDAP or Static information as the source of identity used to validate provided user credentials.
Configuration details of the identity source are listed in the table below.
Allows you to provide a static set of user names and passwords.
-
-
Click Add to create more rows in the table. Click Delete to remove selected rows.
JDBC
Only PostgreSQL, MariaDB and MySQL are supported.
URL
The URL to the JDBC server.
a string
-
JDBC URL
The URL to the JDBC database.
a string
-
Username
The username to use when connecting to the JDBC database.
a string
-
Password
The password to use when connecting to the JDBC database.
a string
SQL Query
If Also extract user roles from the DB is true: SQL query to use when extracting role information. The first parameter passed to the query will be the username.
a string
-
Password Hash Algorithm
The hashing algorithm used when the password was stored.
MD5
SHA1
SHA256
SHA384
SHA512
SHA1
Also extract user roles from database
Enable this option if you also want to extract role information from the database.
enabled
disabled
disabled
Roles SQL Query
If Also extract user roles from database is enabled: SQL query to use when extracting role information. The first parameter passed to the query will be the username.
a string
-
LDAP Deprecated since PAS 23.1.1
Use Keycloak's LDAP User Federation in combination with the Keycloak OAuth Policy. Verify with the Scheer PAS support, that your LDAP server is configured as user federation inside Keycloak.
LDAP Server URL
The URL to the LDAP server.
a string
-
LDAP Bind DN
The pattern to use when binding to the LDAP server (use of ${username} is possible).
a string
-
Bind to LDAP as
Choose whether to bind directly to LDAP as the authenticating user (UserAccount), or instead to bind as a service account and then search LDAP for the user’s record (ServiceAccount).
Configuration details for service accountsee below.
inbound user
service account
inbound user
Also extract user roles from the directory
Enable this option if you want to extract role information from LDAP.
enabled
disabled
disabled
Group Membership Attribute
If Also extract user roles from the directoryis enabled: The attribute representing the user’s membership in a group. Each value should be a reference to another LDAP node.
a string
-
Role Name Attribute
If Also extract user roles from the directoryis enabled: The attribute on a role LDAP node that represents the name of the role.
a string
-
If "Bind to LDAP" is set to "Service Account"
Username
The username is used when initially binding to LDAP as a service account.
-
-
Password
The password is used when initially binding to LDAP as a service account.
User Search Base DN
Used to search for the user’s LDAP record so that it can be used to re-bind to LDAP with the appropriate password.
User Search Expression
Used to search for the user’s LDAP record so that it can be used to re-bind to LDAP with the appropriate password.
-
-
Advanced Configuration
Option
Description
Possible Values
Default
Forward Authenticated Username as HTTP Header
Indicates the name of an HTTP header to send with the principal/identity of the authenticated user if authentication succeeds. Useful when the backend API needs to know the identity of the authenticated user.