Digest Authentication
The Digest Authentication Policy authenticates clients using a username, a hashed (digest) password, a unique value (nonce) and a timestamp (created). It is usually used for SOAP services, though it can occasionally be used for REST APIs as well.
To use this policy, the password must be sent as a digest computed with the following algorithm:
Password generation algorithm:
Base64( SHA1( nonce + created + clear text password ) )
As can be seen from the algorithm, the clear text password cannot be recovered from the output (SHA1 is a one-way hash). However, anyone who knows the password, the nonce and the created value can recompute the same digest.
For the policy to work, the received digest must be verified. The verification recomputes the digest from the user's password, so the gateway needs access to that password; this is only possible when "Security Manager" is selected as the Identity Provider. For this reason:
Only Security Manager can be used as the Identity Provider in this policy.
The locations of the username, password, nonce and created values within the message are given by variables. The received values are authenticated by the Security Manager using the algorithm given above.
If authentication succeeds, the message flow is allowed to continue. Otherwise, the flow is interrupted and a response containing an error message describing the problem is returned to the client.
The picture below shows the policy settings:
The Digest Authentication Policy fields are shown in the table below.
Field | Description |
---|---|
Description | An optional description of the policy that may be useful for usage and management activities. |
Identity/Role/Group Service | The Identity Provider Service to authenticate the users. Please visit the Identity Providers page for more information. |
Variable for Username | It is the variable used to specify the location of the "username" within the message. Please visit the Variables page for more information. |
Variable for Password | It is the variable used to specify the location of the "password" within the message. Please visit the Variables page for more information. |
Variable for Nonce | It is the variable used to specify the location of the "nonce" within the message. Please visit the Variables page for more information. |
Variable for Created | It is the variable used to specify the location of the "created" within the message. Please visit the Variables page for more information. |
 | Appears if "Security Manager" is selected as the identity provider service. If this option is enabled and IP information was specified when the user was defined, it is also checked whether the request comes from the IP(s) given for this user. |
Clear Authentication Information | Ensures that any existing authentication information is removed from the message content. If the request from the client carries authorization information, that information is deleted and not forwarded to the Backend API. |
Add Client Info to Header | If this option is checked, the username of the authenticated user is sent to the Backend API in a header when authentication succeeds. The default header name is X-Authenticated-UserId and can be changed if desired. |
Authenticated User Header Name | If the Add Client Info to Header option is checked, the value of this field is used as the name of the header that carries the authenticated username. |
Authorization Configuration | This option is activated to configure the access control according to the roles of the users. Please visit the Authorization page for more information. |
You can visit the Policies page for the details of the Conditions and Error Message Customization panels.