Skip to content
CA API Gateway - 9.3
Documentation powered by DocOps

Authenticate Against Identity Provider Assertion

Last update October 31, 2017

The Authenticate Against Identity Provider assertion authenticates the current credentials against the selected identity provider, using credentials gathered from other credential source assertions. Examples of credential source assertions include: Require HTTP Basic Credentials, Require SAML Token Profile, or Require SSL or TLS Transport. This assertion is similar to the Authenticate User or Group Assertion except that it does not match the authenticated user against any particular user or group.

Use this assertion when you need to separate authentication and authorization, for example:

  • You want to authenticate the credentials already gathered in the policy, but you don't need to authorize that the resulting user is a particular user or member of a particular group.
  • The policy contains many "User" or "Group" assertions. You want to authenticate first so that if it fails, the identity assertions can be skipped, saving processing time.
  • You wish to perform branching based on the results of authentication (for example, "If the authentication fails, do this; otherwise do this...")

To learn about selecting the target message for this assertion, see Select a Target Message.

To learn more applying a tag to the identity, see Identity Tags.


Context Variables

When authenticating against an LDAP Identity Provider, the following context variables are set upon an error condition. You can then parse the error message to determine your course of action. For example, you may take different actions for an expired password versus invalid credentials.

Variable Description
${idp.error.login} Returns an array of logins used to authenticate.
${idp.error.message} Returns an array of the error messages returned from the LDAP provider.

Note that an array is returned because the authentication module can authenticate multiple logins within a policy. If at least one login used to authenticate succeeds, then the Authenticate Against Identity Provider assertion succeeds. If one or more logins fail, then the assertion fails.

Note: The context variables are populated only when authenticating against an LDAP Identity Provider. The variables are empty when authenticating against other identity providers.

Using the Assertion

  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Adding an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the Change Authentication Identity Provider dialog automatically appears; when modifying the assertion, right-click <target>: Authenticate against... in the policy window and choose Change Authentication Identity Provider or double-click the assertion in the policy window.
  3. Choose the identity provider that will be authenticated against. Only configured identity providers appear on the list.
  4. Click [OK] when done.

Was this helpful?

Please log in to post comments.