Authenticate User or Group Assertion

The Authenticate User or Group assertion allows you to authenticate users and/or groups from specific LDAP Identity Providers, Simple LDAP Identity Providers, Federated Identity Providers (FIP), or Internal Identity Providers (IIP), using credentials gathered from a credential source assertion (for example, Require HTTP Basic Credentials, Require SAML Token Profile, or Require SSL or TLS Transport).
If you need to add more than one user or group to a policy, add several Authenticate User or Group assertions into an At Least One Assertion Must Evaluate to True Assertion.
To learn about selecting the target message for this assertion, see Select a Target Message.
To learn more about applying a tag to the identity, see Identity Tags.
Authenticating Against a Simple LDAP Identity Provider
The authentication process differs slightly when a Simple LDAP Identity Provider is involved:
  • Only users, not groups, can be authenticated against a Simple LDAP.
  • When using the Policy Manager to search for a user in a Simple LDAP, the LDAP server is not actually consulted and the user name is not validated by either the Policy Manager or the Gateway. The user name will always be displayed in the Search Results window, even if no such user exists (in other words, a "virtual" user is created).
    The Gateway will reject the user if the user name contains characters not permitted by the regular expression defined in the ldap.simple.username.pattern cluster property.
  • At policy runtime, the Authenticate User or Group assertion succeeds only if the username and password provided by the client authenticate successfully and the client-provided username matches the "virtual" user name from the Authenticate User or Group assertion.
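The following is an added illustration, not code from the Gateway or this documentation, of how the three Simple LDAP conditions above combine at runtime. The regular expression, the in-memory directory standing in for the LDAP bind, the check order and the exact string comparison of user names are all assumptions made for the example.

```python
import re

# Constructed stand-in for the ldap.simple.username.pattern cluster property.
# The Gateway's real default is not stated on this page; this regex is an assumption.
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Constructed directory used in place of a live Simple LDAP server (hypothetical data).
DIRECTORY = {"alice": "correct horse", "bob": "battery staple"}


def ldap_bind(username, password):
    """Stand-in for a simple bind against the Simple LDAP server."""
    return DIRECTORY.get(username) == password


def authenticate_user(client_username, client_password, assertion_username):
    """Evaluate an Authenticate User or Group assertion against a Simple LDAP provider.

    assertion_username is the "virtual" user name stored in the assertion at design
    time; the Policy Manager never validated it against the directory, so a typo there
    makes every runtime authentication fail. Returns (success, reason).
    """
    # 1. Reject names the cluster-property pattern does not permit (assumed to run
    #    before the directory is contacted).
    if not USERNAME_PATTERN.match(client_username):
        return False, "username rejected by ldap.simple.username.pattern"
    # 2. The client's own credentials must bind successfully.
    if not ldap_bind(client_username, client_password):
        return False, "LDAP bind failed"
    # 3. The authenticated name must equal the assertion's virtual user (exact match assumed).
    if client_username != assertion_username:
        return False, "authenticated user does not match the assertion's virtual user"
    return True, "ok"
```

Note that "bob" binding with valid credentials still fails an assertion configured for "alice", which is why a separate assertion per user, grouped under At Least One Assertion Must Evaluate to True, is needed.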
Using the Assertion
  1. Add the assertion to the policy development window using one of the methods described in Adding an Assertion.
     Tip: You can also right-click within either the "All assertions must evaluate to true" or "At least one assertion must evaluate to true" assertion folders and then choose Add User or Group.
     The Search Identity Provider dialog appears.
  2. Configure your search details as follows:
     • Search: Choose the identity provider that contains the target user and/or group.
     • Type: Specify whether to search for groups, users, or all. Groups are not supported when authenticating against a Simple LDAP Identity Provider.
     • Name: Optionally refine your search by specifying whether the name should be Equal to or Starts with a specific string of characters. You can use the asterisk (*) wildcard to match any number of characters, or the question mark (?) to match any single character. The "Starts with" and "Equals" settings have no effect when searching a Simple LDAP Identity Provider.
  3. Click [Search]. Matching groups/users appear in the Search Results box. Note that if searching against a Simple LDAP Identity Provider, the user is always "found" (see "Authenticating Against a Simple LDAP Identity Provider" above for details).
  4. Choose the users and/or groups to be added to the policy. You can select a continuous block of rows by dragging the mouse over the rows you want; or, select the first row, hold down the [Shift] key, then select the last row. You can select individual rows by holding down the [Ctrl] key while clicking on the rows you want.
  5. Click [Select]. The Search Identity Provider dialog closes and an assertion for each user or group is added to the policy development window.
  6. Repeat this process to grant access to other users or groups.