The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway
The documentation on this site will no longer be maintained after v21.02, please update your bookmarks.
IBM Application Gateway (IAG) can be configured to pass asserted identity information to downstream applications. This identity information will be inserted as a HTTP header and can contain:
- Basic Authentication (BA) information;
- The IP address of the client which originated the request;
- Attributes from the user credential;
- The cookie for the user session;
- A signed JSON Web token (JWT);
- A WebSphere LTPA single sign-on token.
- A Kerberos single sign-on token.
- Externally provided username/password for basic authentication (BA);
- Externally provided username/password for forms-based authentication;
Detailed information on configuring the identity information to be passed to a resource server is available from the Identity Headers YAML reference.
The ip_address boolean configuration entry controls whether the IP address of the client which originated the request will be included in the request which is sent to the resource server. The IP address will be added as the 'iv-remote-address' HTTP header.
The attributes configuration entry is used to specify the list of user attributes which will be added as HTTP headers of the request. The information required when configuring the attributes is documented in the identity_headers#attributes-object YAML reference.
Hint: You can use the inbuilt Cred Viewer application to list the credential attributes available in a user session.
By default the IAG session cookie is removed from the request before it is forwarded to the resource server. In the event that the session cookie is required by the protected application the session_cookie configuration entry can be set to true. This will allow the IAG to forward the session cookie, if present, to the resource server.
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
The jwt configuration entry allows you to generate and insert a signed JSON Web Token into a designated HTTP header of requests which are forwarded to a resource server. A generated JWT is cached with the user session and is valid for the lifetime of the user session. The information required when configuring the JWT is documented in the identity_headers#jwt-object YAML reference.
Please note that JWT’s can only be signed using the RSA and ECDSA algorithms. The HMAC signing algorithm is not supported. The algorithm which is used in the signing process is determined automatically based on the algorithm of the signing key.
The JSON Web Key Set (JWKS) is a set of keys containing the public keys that should be used to verify any JSON Web Token (JWT) issued by an authorization server and signed using the RSA or ECDSA algorithms.
IAG has an inbuilt application which provides a JWKS endpoint for making the local JWKS available to a caller. Information on how to enable the JWKS application is documented in the JWKS YAML reference.
Lightweight Third-Party Authentication (LTPA) is an authentication technology used in IBM WebSphere. IAG has the ability to generate an LTPA token and pass this onto the proxied resource server for single sign-on purposes. Information on how to enable the generation of the LTPA token is documented in the identity_headers#ltpa-object YAML reference.
Information on how to enable the generation of the Kerberos token is documented in the services/kerberos YAML reference for configuration of the globally effective configuration, and resource specific configuration information can be found within the identity_headers#kerberos YAML reference.
An external credential service can be used to provide a username and password which IAG can provide to resource servers as a basic authentication header.
An external credential service can be used to provide a username and password which IAG can use to perform forms-based login on behalf of clients.