Getting started with HTTP Security in xDI Designer

Follow this guide to get started with HTTP Security metadata, its supported authentication types, and their respective wizards.

Create the metadata

Open the Create Metadata wizard. Choose the HTTP Security type, and give your new metadata a meaningful name.

Creation wizard showing HTTP Security metadata type

After the wizard closes, the HTTP Security metadata opens in a new tab, and is ready for you to add security entries.

Define authentication methods

You can add security entries the following ways:

  • Right-click the top-level metadata node and create a bare entry from the New submenu.
    HTTP Security metadata submenu labeled New.

  • Right-click the top-level metadata node, or right-click an existing security entry, and choose a wizard from the Actions or New submenus to be guided through configuration.
    HTTP Security metadata submenu labeled Actions.

Basic authentication

The Basic wizard has three fields to fill out:

  1. Name field, for your own text label.

  2. Username field, for the HTTP username.

  3. Password field, for the HTTP password.

Window for the Basic authentication wizard

The Username field is the only mandatory field for the wizard.

NTLM authentication

The NTLM security wizard has four fields to fill out:

  1. Name field, for your own text label.

  2. Username field, for the NTLM username.

  3. Password field, for the NTLM password.

  4. Domain field to authenticate against the user against a Windows domain.

Window for the Basic authentication wizard

Username and Password fields are mandatory, as NTLM authentication requires both at a minimum.

OAuth1

OAuth1 authentication needs a token and a token secret to work properly. You can use the OAuth1 security wizard to have Designer retrieve them for you.

In the wizard, first fill out the Consumer Key and Consumer Secret generated by the service provider.

Then fill out the fields needed for token generation:

  1. Signature Method: Choose between HMAC-SHA1 or PLAINTEXT signature methods.

  2. Temporary Token URL: URL used to get temporary credentials from the server.

  3. Authorization URL: URL of the authorization server.

  4. Access Token URL: URL used to get the long-lived access token.

  5. Callback URL (optional): URL to redirect to the application after a successful authentication request.

  6. Token verifier (optional): A verification code tied to the request token.

You can also edit URL parameters and HTTP methods by clicking on Enable Advanced to open a new section in the wizard.

Window for the Oauth1 authentication wizard

When the fields are filled out, click on Get Token! to retrieve the OAuth1 token and token secret. You can now click on Finish to exit the wizard.

The Name field is not shown in the OAuth1 wizard. The label must be set manually in the Metadata editor.

The PLAINTEXT signature method should not be used over unencrypted HTTP connections.

OAuth2

OAuth2 authentication in Semarchy xDI supports four authentication flows, each with their own wizard:

If you launch a wizard from the top-level node right-click menu, Designer will open a wizard for the Authorization code flow. To access the other wizards, create a new OAuth2 subnode, change its Flow Type in the Token Generation tab, and launch the wizard from the subnode right-click menu.

OAuth2 flow types

Common OAuth2 wizard options

In all four wizards, first fill out the Client ID and Client Secret for your application. The Name field is not shown in the OAuth2 wizards, and must be set manually in the Metadata editor.

All flows have an EndPoints preconfigurations dropdown with predefined URLs for service providers such as Google, LinkedIn, or Salesforce. You can also click on Advanced to open a section that lets you define OAuth2 scopes, authorization parameters, and additional HTTP Headers to send with your authorization request.

Authorization code flow

Fill out the URLs needed for token generation:

  1. Authorization Endpoint

  2. Token Access Endpoint

  3. Redirection Endpoint

Edit the Advanced fields as needed.

When the fields are filled out, click on Get Token! to retrieve the OAuth2 tokens. If everything works, you can now Finish the wizard.

Window for the Oauth2 authentication wizard

Client credentials flow

Fill out the Token Access Endpoint URL, and select the HTTP Method your flow uses.

If your target server needs the Client ID and Secret sent when generating a token, select the relevant option from the Send Client Credentials dropdown:

Option Description

Send Client Id and Client Secret as Basic Auth header

The ID and secret are sent as HTTP authentication headers.

Send Client Id and Client Secret as parameters

The ID and secret are sent as URL parameters when using HTTP GET, or in the request body when using HTTP POST.

Send Client Id as parameter

The ID is sent as a URL parameter when using HTTP GET, or in the request body when using HTTP POST.

Edit the Advanced fields as needed.

When the fields are filled out, click on Test Token Generation to test token retrieval. If everything works, you can now Finish the wizard.

Window for the Oauth2 authentication wizard

Implicit flow

Fill out the URLs needed for token generation:

  1. Authorization Endpoint

  2. Redirection Endpoint

Edit the Advanced fields as needed.

When the fields are filled out, click on Get Token! to retrieve the OAuth2 tokens. If everything works, you can now Finish the wizard.

Window for the Oauth2 authentication wizard

Resource owner password flow

First, fill out the resource owner Username and Password. Then fill out the Token Access Endpoint URL, and select the HTTP Method your flow uses.

If your target server needs the Client ID and Secret sent when generating a token, select the relevant option from the Send Client Credentials dropdown:

Option Description

Send Client Id and Client Secret as Basic Auth header

The ID and secret are sent as HTTP authentication headers.

Send Client Id and Client Secret as parameters

The ID and secret are sent as URL parameters when using HTTP GET, or in the request body when using HTTP POST.

Send Client Id as parameter

The ID is sent as a URL parameter when using HTTP GET, or in the request body when using HTTP POST.

Edit the Advanced fields as needed.

When the fields are filled out, click on Test Token Generation to test token retrieval. If everything works, you can now Finish the wizard.

Window for the Oauth2 authentication wizard