Passing Identity Information to Applications

Overview

IBM Application Gateway (IAG) can be configured to pass asserted identity information to downstream applications. The resource server receives this information as HTTP headers on the forwarded request, so it must trust those headers only on requests that actually came through the gateway; a client that can reach the resource server directly could otherwise supply the same headers itself. The information can contain:

  1. Basic Authentication (BA) information;
  2. The IP address of the client which originated the request;
  3. Attributes from the user credential;
  4. The cookie for the user session;
  5. A signed JSON Web Token (JWT);
  6. A WebSphere LTPA single sign-on token;
  7. An externally provided username/password for basic authentication (BA);
  8. An externally provided username/password for forms-based authentication.

Identity Information

Detailed information on configuring the identity information to be passed to a resource server is available from the Identity Headers YAML reference.

Basic Authentication

The basic_auth configuration entry controls how IAG handles the Authorization header of the forwarded request. The three available options are documented in the identity_headers#basic_auth YAML reference.

IP Address

The ip_address boolean configuration entry controls whether the IP address of the client which originated the request is included in the request sent to the resource server. When enabled, the address is added as the iv-remote-address HTTP header.

User Attributes

The attributes configuration entry is used to specify the list of user attributes which will be added as HTTP headers of the request. The information required when configuring the attributes is documented in the identity_headers#attributes-object YAML reference.

Hint: You can use the inbuilt Cred Viewer application to list the credential attributes available in a user session.

Session Cookie

By default the IAG session cookie is removed from the request before it is forwarded to the resource server. If the protected application requires the session cookie, the session_cookie configuration entry can be set to true, in which case IAG forwards the session cookie, when present, to the resource server. Because the cookie is a bearer credential for the user's gateway session, enable this only for applications that genuinely need it.
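The trust boundary behind the identity headers above, as an added example that is not IAG code: a WSGI middleware that consumes the gateway-injected headers and refuses to trust them on any request that did not arrive from the gateway. Only iv-remote-address is a header name taken from this page; the gateway address and the attribute-to-header mapping (iv-user, iv-groups) are assumptions standing in for what identity_headers.attributes would be configured to emit.

```python
# Added example (not IAG code): consume gateway identity headers in a WSGI app,
# but only when the request really came from the gateway.
from typing import Optional

GATEWAY_ADDRS = {"10.0.0.5"}      # assumed gateway egress address(es); enforce with network policy too
ATTRIBUTE_HEADERS = {             # assumed identity_headers.attributes mapping (header -> local name)
    "iv-user": "username",
    "iv-groups": "groups",
}


def _wsgi_key(header: str) -> str:
    """HTTP header name -> WSGI environ key (iv-remote-address -> HTTP_IV_REMOTE_ADDRESS)."""
    return "HTTP_" + header.upper().replace("-", "_")


def extract_identity(environ: dict) -> Optional[dict]:
    """Identity asserted by the gateway, or None when the request bypassed the gateway."""
    if environ.get("REMOTE_ADDR") not in GATEWAY_ADDRS:
        return None
    # iv-remote-address carries the originating client IP (ip_address: true on the gateway)
    identity = {"client_ip": environ.get(_wsgi_key("iv-remote-address"))}
    for header, name in ATTRIBUTE_HEADERS.items():
        value = environ.get(_wsgi_key(header))
        if value is not None:
            identity[name] = value
    return identity


def scrub_gateway_headers(environ: dict) -> dict:
    """Drop every iv-* header so a direct caller cannot impersonate the gateway."""
    for key in [k for k in environ if k.startswith("HTTP_IV_")]:
        del environ[key]
    return environ


class GatewayIdentityMiddleware:
    """Wraps a WSGI app; exposes the asserted identity as environ['gateway.identity']."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        identity = extract_identity(environ)
        if identity is None:
            scrub_gateway_headers(environ)      # request continues, but anonymously
        environ["gateway.identity"] = identity
        return self.app(environ, start_response)
```

The REMOTE_ADDR check is defence in depth: the primary control is that the resource server is reachable only from the gateway, so that a client cannot forge iv-remote-address or attribute headers by connecting directly.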

Signed JWT

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting claims between parties as a JSON object. Because the token is digitally signed, a recipient that holds the issuer's public key can verify that the claims were produced by the issuer and have not been altered in transit.

The jwt configuration entry allows you to generate and insert a signed JSON Web Token into a designated HTTP header of requests which are forwarded to a resource server. A generated JWT is cached with the user session and is valid for the lifetime of the user session. The information required when configuring the JWT is documented in the identity_headers#jwt-object YAML reference.

Limitations

JWTs can only be signed using the RSA and ECDSA algorithms; the HMAC (HS*) algorithms are not supported. The signing algorithm is selected automatically from the type of the configured signing key. A resource server should therefore accept only the asymmetric algorithm it expects and reject any token whose header names an HMAC algorithm or "none".

JWKS

A JSON Web Key Set (JWKS, RFC 7517) is a JSON document listing the public keys a resource server should use to verify the JWTs issued by IAG and signed using the RSA or ECDSA algorithms.

IAG has an inbuilt application which provides a JWKS endpoint for making the local JWKS available to a caller. Information on how to enable the JWKS application is documented in the JWKS YAML reference.
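The verification a resource server performs with the published JWKS, covering both the JWT and JWKS sections above, as an added example that is not IAG code. RSA key generation and RS256 signing are included only so the example runs offline and stand in for the gateway's configured signing key; the key ID, issuer, audience and claim values are constructed for the example. It uses only the Python standard library, which is why it implements RS256 and not ECDSA.

```python
# Added example (not IAG code): verify a gateway-issued RS256 JWT against a JWKS.
import base64, hashlib, json, random, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                 # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024) -> dict:
    """Demo-sized RSA key standing in for the gateway's signing key (not for production)."""
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into a k-byte integer (what RS256 signs)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign_jwt_rs256(claims: dict, key: dict, kid: str) -> str:
    """What the gateway does: sign header.payload with its private key, tagging the kid."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    k = (key["n"].bit_length() + 7) // 8
    m = _emsa_pkcs1_v15(".".join(parts).encode(), k)
    parts.append(b64url_encode(pow(m, key["d"], key["n"]).to_bytes(k, "big")))
    return ".".join(parts)

def jwks_for(key: dict, kid: str) -> dict:
    """What the JWKS endpoint would publish for this key: the public part only."""
    enc = lambda v: b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

ALLOWED_ALGS = {"RS256"}   # asymmetric only; never HS* or "none", whatever the token header says

def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, now: float = None) -> dict:
    """Return the claims if the token verifies, otherwise raise ValueError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed compact JWS") from None
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") not in ALLOWED_ALGS:                   # 1. algorithm allowlist first
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "RSA" or jwk.get("alg", "RS256") != header["alg"]:
        raise ValueError("no matching RSA signing key in JWKS")  # 2. key chosen by kid, type must agree
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(s_b64)                                    # 3. signature covers header.payload
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != _emsa_pkcs1_v15(f"{h_b64}.{p_b64}".encode(), k):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(p_b64))                    # 4. registered claims, after the signature
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer or audience mismatch")
    if now >= claims.get("exp", float("inf")) or now < claims.get("nbf", float("-inf")):
        raise ValueError("token outside its validity window")
    return claims

def _forge(token: str, header: dict = None, claims: dict = None) -> str:
    """Attacker's view: re-encode a captured token with altered header/claims, keeping the signature."""
    h_b64, p_b64, s_b64 = token.split(".")
    h, c = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64))
    h.update(header or {}); c.update(claims or {})
    return ".".join([b64url_encode(json.dumps(h).encode()), b64url_encode(json.dumps(c).encode()), s_b64])

def demo() -> dict:
    key, kid, iss, aud = generate_rsa_key(), "gateway-key-1", "https://iag.example.test", "orders-api"  # constructed
    jwks = jwks_for(key, kid)
    token = sign_jwt_rs256({"iss": iss, "aud": aud, "sub": "alice", "iat": 1700000000, "exp": 1700003600}, key, kid)
    def accepted(t, now=1700000100):
        try:
            verify_jwt(t, jwks, iss, aud, now=now); return True
        except ValueError:
            return False
    return {"genuine": accepted(token),
            "tampered_sub": accepted(_forge(token, claims={"sub": "admin"})),
            "alg_none": accepted(_forge(token, header={"alg": "none"}).rsplit(".", 1)[0] + "."),
            "alg_hs256": accepted(_forge(token, header={"alg": "HS256"})),
            "wrong_aud": accepted(sign_jwt_rs256({"iss": iss, "aud": "other-api", "sub": "alice", "exp": 1700003600}, key, kid)),
            "expired": accepted(token, now=1700003600)}

if __name__ == "__main__":
    print(demo())
```

The order of the checks is the point: the algorithm is allowlisted before any key material is touched, the key is selected by kid and must be of the expected type, the signature is checked before any claim is read, and only then are iss, aud, exp and nbf evaluated. A real resource server fetches the JWKS from the gateway's endpoint over TLS and caches it, refreshing when it sees an unknown kid.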

LTPA

Lightweight Third-Party Authentication (LTPA) is an authentication technology used in IBM WebSphere. IAG has the ability to generate an LTPA token and pass this onto the proxied resource server for single sign-on purposes. Information on how to enable the generation of the LTPA token is documented in the identity_headers#ltpa-object YAML reference.

Externally provided username/password for basic authentication

An external credential service can be used to provide a username and password which IAG can provide to resource servers as a basic authentication header.

Refer to the topic Using a Credential service for single sign-on, the services/credential and the identity_headers#basic_auth YAML references.

Externally provided username/password for forms-based authentication

An external credential service can be used to provide a username and password which IAG can use to perform forms-based login on behalf of clients.

Refer to the topic Using a Credential service for single sign-on, the services/credential and the forms_login YAML references.