Identity Server Authentication APIs

(Access Manager 5.0 Service Pack 2 and later)

The Identity Server authentication APIs are login APIs for user authentication. Using these APIs, you can build your own end-to-end login experience that replaces the built-in user portal login experience.

The following are the available authentication APIs:

  • End-user authentication API: End-users can authenticate using this endpoint.

  • Get authentication status: Use this API to check the authentication status when a user has performed multi-factor authentication (smartphone, voice call).

  • Exchange session token for session cookie: Use this API to create the JSESSIONID cookie for the session and redirect the browser to the target URL.

  • Log out the user from Identity Server: Use this API to log out a user from Identity Server.

  • Fetch all the configured contracts: Use this API to retrieve all contracts configured in Access Manager.

The authentication request and response are in the JSON format. Access Manager also provides an option to configure user attributes that you want in the response sent by the authentication API. If you do not configure any attributes, the response contains given_name, family_name, and email by default. For information about how to configure attributes for the authentication API response, see Configuring User Attributes.

For more information about these APIs, see Identity Server Authentication API.

Authentication API Key Scenarios

You can use the Authentication APIs in the following scenarios:

  • End-to-End Login Experience: You can build your own end-to-end user login experience instead of the standard login experience provided by Access Manager.

  • Login Page Customization: You can use these APIs for high-level customization of the login page and user portal.

  • Mobile Application Authentication: You can use these APIs to authenticate users with Access Manager through mobile applications.

Supported Authentication Methods

  • Primary Authentication: You can use these APIs to verify the credentials of end-users using one of the following methods:

    • Name/Password - Basic (com.novell.nidp.authentication.local.PasswordClass)

    • Name/Password - Form (com.novell.nidp.authentication.local.BasicClass)

    • Secure Name/Password - Basic (com.novell.nidp.authentication.local.ProtectedBasicClass)

    • Secure Name/Password - Form (com.novell.nidp.authentication.local.ProtectedPasswordClass)

  • Multi-Factor Authentication: When Access Manager is integrated with Advanced Authentication through the plug-in approach (using the Smartphone class or the Voice Call class), the APIs support multi-factor authentication for the following methods:

    • Smartphone (com.authasas.aucore.nam.method.smartphone.SmartphoneClass)

    • Voice Call (com.authasas.aucore.nam.method.voicecall.VoiceCallClass)
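The following client walks the sequence the API list above describes (primary authentication, polling the status while a smartphone or voice-call factor is pending, exchanging the session token for the JSESSIONID cookie, and logging out) and shows the default given_name, family_name and email attributes being checked. It is an added example, not Access Manager code: the endpoint paths, JSON field names, status values and the in-memory FakeIdentityServer it runs against are hypothetical stand-ins chosen so the flow runs offline; take the real paths and payloads from the Identity Server Authentication API reference.

```python
# Added example, not Access Manager code: a client for the sequence the API
# table describes (authenticate, poll the status while a smartphone or voice
# call factor is pending, exchange the session token for the JSESSIONID cookie,
# log out), run against an in-memory stand-in for the Identity Server so it
# works offline. Paths, JSON field names and status values are hypothetical.
import secrets
from typing import Any, Callable, Dict, Tuple
from urllib.parse import urlsplit

Transport = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]
# Placeholder paths: take the real ones from the Identity Server Authentication API reference.
PATH_LOGIN, PATH_STATUS = "/PLACEHOLDER/login", "/PLACEHOLDER/status"
PATH_EXCHANGE, PATH_LOGOUT = "/PLACEHOLDER/exchange", "/PLACEHOLDER/logout"
DEFAULT_ATTRIBUTES = ("given_name", "family_name", "email")  # returned when none are configured
USERS = {  # constructed sample users; "mfa" marks a user with a second factor
    "alice": {"password": "correct horse", "mfa": True, "given_name": "Alice",
              "family_name": "Liddell", "email": "alice@example.test"},
    "bob": {"password": "battery staple", "mfa": False, "given_name": "Bob",
            "family_name": "Builder", "email": "bob@example.test"},
}


class FakeIdentityServer:
    """Constructed stand-in: user store, pending second factors, and sessions."""

    def __init__(self, users: Dict[str, Dict[str, Any]], allowed_hosts=("app.example.test",)):
        self.users, self.allowed_hosts = users, allowed_hosts
        self.pending: Dict[str, str] = {}   # token -> user still approving the push / answering the call
        self.sessions: Dict[str, str] = {}  # token -> fully authenticated user

    def approve_mfa(self, token: str) -> None:  # the user completed the second factor
        self.sessions[token] = self.pending.pop(token)

    def _completed(self, token: str) -> Dict[str, Any]:
        user = self.users[self.sessions[token]]
        return {"status": "completed", "session_token": token,
                "attributes": {k: user[k] for k in DEFAULT_ATTRIBUTES}}

    def send(self, method: str, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if path == PATH_LOGIN:
            user = self.users.get(body.get("username", ""))
            # One generic failure for unknown user and wrong password: no username enumeration.
            if user is None or not secrets.compare_digest(user["password"], body.get("password", "")):
                return {"status": "failed"}
            token = secrets.token_urlsafe(32)
            if user["mfa"]:
                self.pending[token] = body["username"]
                return {"status": "pending", "session_token": token}
            self.sessions[token] = body["username"]
            return self._completed(token)
        token = body.get("session_token", "")
        if path == PATH_STATUS:
            if token in self.sessions:
                return self._completed(token)
            return {"status": "pending" if token in self.pending else "failed", "session_token": token}
        if path == PATH_EXCHANGE:
            # Refuse unknown tokens and targets off the allow list (an unchecked target is an open redirect).
            if token not in self.sessions or urlsplit(body.get("target", "")).hostname not in self.allowed_hosts:
                return {"status": "failed"}
            return {"status": "completed", "redirect": body["target"],
                    "set_cookie": f"JSESSIONID={secrets.token_hex(16)}; Secure; HttpOnly"}
        if path == PATH_LOGOUT:
            self.sessions.pop(token, None)
            return {"status": "completed"}
        return {"status": "failed"}


def login(send: Transport, username: str, password: str, max_polls: int = 30) -> Tuple[str, Dict[str, str]]:
    """Primary authentication, then bounded polling while the second factor is pending."""
    resp = send("POST", PATH_LOGIN, {"username": username, "password": password})
    polls = 0
    while resp.get("status") == "pending":
        if polls >= max_polls:
            raise TimeoutError("second factor not completed; never wait for it indefinitely")
        polls += 1  # a real client sleeps between polls; the stand-in answers instantly
        resp = send("GET", PATH_STATUS, {"session_token": resp["session_token"]})
    if resp.get("status") != "completed":
        raise PermissionError("authentication failed")
    attrs = resp.get("attributes", {})
    missing = [a for a in DEFAULT_ATTRIBUTES if a not in attrs]
    if missing:
        raise ValueError(f"response lacks expected attributes: {missing}")
    return resp["session_token"], attrs


def exchange_for_cookie(send: Transport, token: str, target: str) -> Tuple[str, str]:
    """Turn the session token into the JSESSIONID cookie plus the redirect the browser should follow."""
    resp = send("POST", PATH_EXCHANGE, {"session_token": token, "target": target})
    if resp.get("status") != "completed":
        raise PermissionError("token exchange refused")
    return resp["set_cookie"], resp["redirect"]


def logout(send: Transport, token: str) -> bool:
    return send("POST", PATH_LOGOUT, {"session_token": token}).get("status") == "completed"
```

The transport is a plain callable so the same client code can be pointed at a real HTTPS transport once the product's paths and payloads are substituted. Two choices matter for a custom login experience: the status poll is bounded (a user who never approves the push must not hold the client open), and the token-to-cookie exchange is only honoured for an allow-listed redirect target.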

Configuring User Attributes

After successful user authentication using authentication APIs, the response contains the user-specific attributes that are configured on the Authentication API page.

If you do not configure any attributes, the response contains given_name, family_name, and email attributes by default.

Perform the following steps to configure user attributes:

  1. Click Devices > Identity Servers > Edit > Authentication API.

  2. In Attribute Set, select the required attribute set.

    For information about attribute sets, see Configuring Attribute Sets.

  3. Select the required attributes from the Available Attributes list and move them to Selected Attributes.

  4. Click Save > Close.

Security Considerations for Authentication APIs

Configure rate limits for authentication requests: In the Identity Server tomcat.conf file, limit the number of requests per second that these APIs accept by setting the com.novell.authn.threshold.maxrequestsallowed parameter to a suitable value. The default value is 500, which means 500 requests per second are allowed for these APIs.

For information about how to modify a file, see Modifying Configurations.
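A small helper for reading and setting that threshold in a copy of the tomcat.conf text, added here as an example and not part of Access Manager. It assumes (the page does not say) that tomcat.conf passes Java system properties on JAVA_OPTS lines of the form JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.authn.threshold.maxrequestsallowed=500"; if your file uses a different syntax, adjust the pattern before using it.

```python
# Added example, not Access Manager code. Assumption (not stated on the page):
# tomcat.conf carries Java system properties on lines such as
#   JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.authn.threshold.maxrequestsallowed=500"
# Adjust _PATTERN and the appended line if your tomcat.conf differs.
import re

PROPERTY = "com.novell.authn.threshold.maxrequestsallowed"
DEFAULT_LIMIT = 500  # requests per second the page gives as the default
_PATTERN = re.compile(r"(-D" + re.escape(PROPERTY) + r"=)(\d+)")


def current_limit(conf_text: str) -> int:
    """Effective limit: the configured value, or the documented default when unset."""
    match = _PATTERN.search(conf_text)
    return int(match.group(2)) if match else DEFAULT_LIMIT


def set_max_requests(conf_text: str, limit: int) -> str:
    """Return conf_text with the threshold set to limit, replacing an existing setting or appending one."""
    if not isinstance(limit, int) or limit <= 0:
        raise ValueError("limit must be a positive integer number of requests per second")
    if _PATTERN.search(conf_text):
        return _PATTERN.sub(lambda m: f"{m.group(1)}{limit}", conf_text)
    separator = "" if (not conf_text or conf_text.endswith("\n")) else "\n"
    return conf_text + separator + f'JAVA_OPTS="${{JAVA_OPTS}} -D{PROPERTY}={limit}"\n'
```

Read the file, pass its text through set_max_requests, write it back, and restart the Identity Server as described under Modifying Configurations; current_limit on the unchanged text tells you whether you are still running at the default.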