The Policy Manager can use the following types of identity providers:
- Internal Identity Provider: A single Internal Identity Provider (IIP) is pre-configured as the authentication database inside the API Gateway. The Policy Manager allows you to modify the users and groups in the IIP. For information on adding users and/or groups to the IIP, see Internal Identity Provider Users and Groups.
- LDAP Identity Providers: You can configure and manage one or more LDAP Identity Providers in the Policy Manager. An LDAP Identity Provider is an LDAP connector that is used for authentication purposes. A simplified variant of the LDAP Identity Provider is also available, if you wish to perform authentication via bindings only. For information, see LDAP Identity Providers.
- Federated Identity Providers: A Federated Identity Provider (FIP) is exclusively used in an identity bridging configuration. Essentially, the FIP allows one security domain to authorize requests containing credentials originating from another security domain. For more information, see Federated Identity Providers.
- Policy-Backed Identity Providers: The Policy-Backed Identity Provider uses an underlying policy fragment to authenticate users, based on a username and password passed through via context variables. For more information, see Policy-Backed Identity Providers.
The term "identity" includes both users and groups; a "user" can represent an individual human or a machine; "service" includes both web services and XML applications.
Impact of Security Zones on Federated and LDAP Providers
The Federated and LDAP identity providers may be placed into security zones. Once in a zone, only users who have the corresponding "Manage <zone>" or "View <zone>" roles can see these providers. However, when a "Manage <zone>" user publishes a service, that user is automatically assigned the "Manage <service>" role. Among the permissions granted by this role is the ability to access all identity providers, regardless of security zone. The Policy Manager indicates this by showing the identity provider's security zone as the user's zone.
Example: Bob is in "Zone A" while Sue is in "Zone B". They both have published services and thus are able to view all identity providers. FIP "Alpha" has been placed in Zone C, while LDAP identity provider "Beta" has been placed in Zone D. However, when Bob views Alpha and Beta, they will both appear to be in Zone A. Similarly, they will show Zone B when Sue does the same.
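As an added illustration that is not part of the Policy Manager or this page, the following Python model encodes the zone rules above and includes an audit helper that reports which users gain cross-zone provider access through the "Manage <service>" role. The service names, the extra user "Vic" and the single-zone-per-user simplification are assumptions.

```python
"""Model of how Policy Manager security zones gate identity-provider visibility.

Rules taken from the page: a Federated or LDAP provider placed in a zone is
visible to users holding "Manage <zone>" or "View <zone>" for that zone; a user
who has published a service holds "Manage <service>", which grants access to
every provider regardless of zone, and the Policy Manager then displays that
provider as being in the viewing user's own zone.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class IdentityProvider:
    name: str
    kind: str  # "FIP" or "LDAP" (the two provider types that can be zoned)
    zone: str


@dataclass
class User:
    name: str
    zone: str  # assumption: one zone per user, held via Manage/View <zone>
    published_services: set = field(default_factory=set)


def can_see(user: User, provider: IdentityProvider) -> bool:
    """True if the user's zone role or a "Manage <service>" role exposes it."""
    if provider.zone == user.zone:
        return True
    # "Manage <service>" is granted automatically when a service is published.
    return bool(user.published_services)


def displayed_zone(user: User, provider: IdentityProvider):
    """Zone the Policy Manager shows for the provider, or None if hidden."""
    if provider.zone == user.zone:
        return provider.zone
    if user.published_services:
        return user.zone  # shown as the viewer's zone, not the real one
    return None


def cross_zone_exposure(users, providers):
    """Audit helper: providers each user reaches only via "Manage <service>".

    Returns {user name: sorted "provider (real zone)" strings}; users with
    no cross-zone access are omitted.
    """
    report = {}
    for u in users:
        reached = sorted(f"{p.name} ({p.zone})" for p in providers
                         if p.zone != u.zone and can_see(u, p))
        if reached:
            report[u.name] = reached
    return report


# Constructed scenario mirroring the page's example (service names assumed).
bob = User("Bob", "Zone A", {"svc-bob"})
sue = User("Sue", "Zone B", {"svc-sue"})
alpha = IdentityProvider("Alpha", "FIP", "Zone C")
beta = IdentityProvider("Beta", "LDAP", "Zone D")
```

Running `cross_zone_exposure([bob, sue], [alpha, beta])` lists Alpha and Beta under both users, which is the set an administrator would review when deciding whether zone placement alone is an adequate control.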