The Digest Authentication Policy is used to authenticate clients with username, encrypted password, unique value (nonce) and timestamp (created) values. Although it is usually used for SOAP services, it can also be used for REST APIs rarely.

To use this policy, the password information must be sent encrypted with the following algorithm:

Password generation algorithm

Base64 ( SHA1 ( nonce + created + clear text password ) )

As can be seen from the algorithm, it is not possible to rebuild the password using the output of the algorithm. However, the same value can be created again.

For the policy to work, the encrypted value needs to be verified. The user's password is used to create the same value for this verification. This can only be possible by selecting "Security Manager" as the Identity Provider. For this reason;    

Only Security Manager can be used as the Identity Provider in this policy.

The locations of username, password, nonce and created within the message is given by the variables. Received values are authenticated via the Security Manager using the algorithm given above. 

If the result of authentication is successful, the message flow is allowed to continue. Otherwise, the flow is interrupted and a response message containing an error message about the problem is returned to the client.

The image containing the Digest Authentication Policy settings is given below:


The Digest Authentication Policy fields are shown in the table below.

Field

Description

Description

An optional description of the policy that may be useful for usage and management activities.

Clear Authentication Information

It ensures that all existing authentication information, if any, is deleted in the message content. In this case, if there is an Authorization Information in the request from the client, this information is deleted and not sent to the Backend API.

Add Client Info to Header

If this option is checked, username of the authenticated user will be sent to the Backend API in a header when the authentication is successful. The default name of the header is X-Authenticated-UserId and can be changed if desired.

Authenticated User Header Name

If the Add Client Info to Header option is checked, the value of this field is used as the name of the header to put the authenticated username. 

Variable for Username

It is the variable used to specify the location of the "username" within the message. Please visit the Variables page for more information.
Variable for PasswordIt is the variable used to specify the location of the "password" within the message. Please visit the Variables page for more information.
Variable for NonceIt is the variable used to specify the location of the "nonce" within the message. Please visit the Variables page for more information.
Variable for CreatedIt is the variable used to specify the location of the "created" within the message. Please visit the Variables page for more information.

Identity/Role/Group Service

The Identity Provider Service to authenticate the users. Please visit the Identity Providers page for more information.

Appears if "Security Manager" is selected as the identity provider service. If this option is enabled and the IP information was specified while defining the user, it is also checked whether the request comes from the IP(s) given for this user.

Authorization Configuration

This option is activated to configure the access control according to the roles of the users. Please visit the Authorization page for more information.

You can visit the Policies page for the details of the Conditions and Error Message Customization panels.