
Users, Groups and ACLs for API Identity Management

By | Date posted: February 10, 2014

Identity management is the cornerstone of a secure infrastructure that uses internal and third-party APIs. By defining users, groups, and access control lists (ACLs), companies can control at a granular level who gets to use which API-based resource. In this tutorial, we configure users, groups and ACLs on Forum Sentry API Gateway for authenticating users and authorizing API access. Once configured, any token type such as OAuth, SAML, or cookies can be used to present user credentials to Forum Sentry for validation against on-board users.

Forum Sentry API Gateway provides extensive identity management capabilities. Administrators can configure on-board users, groups and ACLs, or use off-board, third-party identity stores such as LDAP, SiteMinder, RSA SecurID, IBM TAM, and Kerberos. Forum Sentry has native integrations with a variety of identity management systems, including the ones listed above.

[Screenshot: API-Identity-Add-User-Forum-Sentry]

To set up on-board users, select ACCESS–>Users from the administrative console as shown above. You can add users and passwords from this console. For this tutorial, add four users, testuser1, testuser2, testuser3 and testuser4, each with the password set to password.

[Screenshot: API-Identity-Add-Groups-Forum-Sentry]

Now you can add groups by selecting ACCESS–>User Groups in the administrative console. Add TestGroup1 and TestGroup2, then associate testuser1 and testuser2 with TestGroup1, and testuser3 and testuser4 with TestGroup2. As shown above, TestGroup1 contains the selected users.

[Screenshot: API-Identity-Add-ACL-Forum-Sentry]

Select ACCESS–>User ACLs in the administrative console to open the screen shown above. Add two ACLs, TestACLNarrow and TestACLWide, then associate both TestGroup1 and TestGroup2 with TestACLWide, and TestGroup1 only with TestACLNarrow.
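As an added example (not Forum Sentry's own code or configuration format), the following Python models the user, group and ACL relationships built above and shows how a deny-by-default authorization check resolves a user's effective ACLs through group membership; the two dictionaries are a hand-built stand-in for the gateway's on-board store.

```python
# Model of the on-board identity configuration from this tutorial:
# users -> groups -> ACLs. This is an added illustration, not Forum
# Sentry code; the dictionaries stand in for the gateway's on-board store.
from __future__ import annotations

# On-board users and their group memberships (names from the tutorial).
GROUP_MEMBERS = {
    "TestGroup1": {"testuser1", "testuser2"},
    "TestGroup2": {"testuser3", "testuser4"},
}

# ACLs and the groups each one admits: TestACLWide admits both groups,
# TestACLNarrow admits TestGroup1 only.
ACL_GROUPS = {
    "TestACLWide": {"TestGroup1", "TestGroup2"},
    "TestACLNarrow": {"TestGroup1"},
}


def groups_of(user: str) -> set[str]:
    """Groups the user belongs to; empty for an unknown or ungrouped user."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def effective_acls(user: str) -> set[str]:
    """ACLs the user satisfies through at least one of their groups."""
    user_groups = groups_of(user)
    return {acl for acl, groups in ACL_GROUPS.items() if groups & user_groups}


def authorize(user: str, acl: str) -> bool:
    """Deny by default: an unknown user, an unknown ACL, or a user whose
    groups are not listed on the ACL all yield False."""
    if acl not in ACL_GROUPS:
        return False
    return bool(ACL_GROUPS[acl] & groups_of(user))


if __name__ == "__main__":
    # testuser1 resolves to both ACLs, testuser3 to TestACLWide only,
    # and an unknown principal to nothing.
    for u in ("testuser1", "testuser3", "stranger"):
        print(u, sorted(effective_acls(u)))
```

The same resolution applies whatever token type carried the credentials: the gateway first maps the token to an on-board user, and only then does group membership decide which ACLs apply.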

With users, groups and ACLs configured, you can now apply granular identity management control to your corporate APIs. Any identity token, such as OAuth, cookies, SAML or X.509, can be presented by external users or systems and validated against on-board users. As a general best practice, however, users and groups are maintained in an external identity store such as an LDAP server.

6 Comments to "Users, Groups and ACLs for API Identity Management"

  1. Tony
    February 13, 2014 at 2:54 am

    Can this product work with some sort of caching mechanism for authentication and authorization?

    • Anonymous
      February 14, 2014 at 7:22 pm

      Absolutely, this is a common use case.

    • Identity OAuth Engineer
      February 14, 2014 at 8:00 pm

      Forum Sentry provides granular on-board edge-caching capabilities for identity management that removes the need to repeatedly call an identity system such as an LDAP server, Ping Federate or CA SiteMinder.

  2. Anonymous
    April 28, 2014 at 9:46 am

    Does it support credential delegation?

  3. newby
    April 28, 2014 at 9:47 am

    Does it support credential delegation for MS and Oracle products?

    • Forum Systems Tech Support
      April 29, 2014 at 11:32 am

      Yes. Forum Sentry consumes and generates a variety of token types, and enables 1-to-many and many-to-1 mappings for credential delegation. Forum Sentry also provides identity federation services with call-back mechanisms to validate identity tokens.
