
Configuring Identity Awareness API

To configure the Identity Awareness Web API:

  1. In the Gateways & Servers view, double-click the Security Gateway.
  2. In the Identity Sources section of the Identity Awareness page, select Identity Web API and click Settings.
  3. In the Identity Web API Settings window, configure:

Client Access Permissions

You must select Identity Awareness Gateway interfaces that can accept connections from Web API clients.

To select the Identity Awareness Gateway interfaces:

  1. In the Client Access Permissions section of the Identity Web API Settings window, click Edit.
  2. Select the Security Gateway interfaces that can accept connections from Web API clients. The options are based on the topology configured for the Security Gateway. Web API clients can reach the Security Gateway only from networks connected to the selected interfaces. The options are:
    1. Through all interfaces - All Security Gateway interfaces accept connections from Web API clients.
    2. Through internal interfaces - Only Security Gateway interfaces that are explicitly defined as internal accept connections from Web API clients.
      • Including undefined internal interfaces - Also accepts connections from Web API clients on internal interfaces without a defined IP address.
      • Including DMZ internal interfaces - Also accepts connections from Web API clients located in the DMZ.
      • Including VPN Encrypted interfaces - Also accepts connections from Web API clients located in the VPN domain.
    3. According to the Firewall policy - Select this if an explicit Access Policy rule accepts connections from Web API clients.

Important - The Through all interfaces and Through internal interfaces options take priority over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity Collector clients, those connections are still permitted when one of these options is selected.

Authorized Clients and Selected Client Secret

An Identity Awareness Gateway accepts connections only from authorized Web API client computers.

To configure authorized Web API client computers:

  1. In the Authorized Clients section of the Identity Collector Settings window, click the green [+] icon and select a Web API client from the list.

    Notes:

    • To define a new host object:
      1. Close the Web API Settings window.
      2. Close the Identity Awareness Gateway Properties window.
      3. From the top toolbar, click the Objects menu > More object types > Network Object > New Host.

         Or, from the upper right corner, click the Objects tab > New > Host.

    • To remove an existing Identity Collector client from the list, select the client and click the red [-] icon.
  2. Create an authentication secret for a selected Web API client:
    1. Select the Web API client in the list.
    2. Click Generate, or enter the desired secret manually.

    Notes:

    • Each client has its own client secret.
    • To modify a client secret, change it manually.
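
Once a client host is authorized and has its own secret, the practical check is to call the Web API from that host with that secret. The following is an added example, not code from the page or from Check Point; it assumes, from the Identity Awareness API reference rather than from this page, that the add-identity endpoint is `/_IA_API/v1.0/add-identity`, that the body is JSON, and that the per-client secret is sent in the `shared-secret` field. The gateway address, CA bundle path, sample user and IP address are placeholders.

```python
"""Added example: exercise the Identity Web API from an authorized client.

Assumptions (not stated on the page; taken from the Identity Awareness API
reference and treated as hypothetical here): the endpoint path is
/_IA_API/v1.0/add-identity, the body is JSON, and the per-client secret
configured under "Authorized Clients" travels in the "shared-secret" field.
Gateway address, CA bundle path and the sample user/IP are placeholders.
"""
import json
import ssl
import urllib.request

GATEWAY = "gw.example.internal"          # placeholder: gateway interface reachable from this client
CA_BUNDLE = "/etc/ssl/certs/gw-ca.pem"   # placeholder: CA that issued the gateway's web certificate


def build_add_identity(shared_secret, ip_address, user, session_timeout=3600):
    """Return the JSON body for one add-identity call.

    Each authorized client sends its own secret; the gateway honours the
    request only if the source host is in the Authorized Clients list and
    the secret matches the one generated for that host.
    """
    if not shared_secret:
        raise ValueError("client secret is empty; generate one in the Web API Settings window")
    return {
        "shared-secret": shared_secret,
        "ip-address": ip_address,
        "user": user,
        "session-timeout": session_timeout,
    }


def check_response(body):
    """Parse the gateway's JSON reply and require a 'message' key.

    Returns the parsed dict so the caller can log what the gateway reported.
    """
    data = json.loads(body)
    if "message" not in data:
        raise RuntimeError("unexpected reply from gateway: %r" % (data,))
    return data


def add_identity(shared_secret, ip_address, user, timeout=10):
    """POST the association to the gateway over verified TLS."""
    # Verify the gateway certificate against the configured CA; never disable verification,
    # since the client secret is sent in the request body.
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    req = urllib.request.Request(
        "https://%s/_IA_API/v1.0/add-identity" % GATEWAY,
        data=json.dumps(build_add_identity(shared_secret, ip_address, user)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return check_response(resp.read().decode())


if __name__ == "__main__":
    # Run from a host listed under Authorized Clients, on a network behind a selected interface.
    print(add_identity("REPLACE-WITH-GENERATED-SECRET", "10.0.0.25", "jdoe"))
```

Run it from a host that is in the Authorized Clients list and on a network connected to one of the interfaces selected under Client Access Permissions; a request from any other host, or with another client's secret, is expected to be refused, which is a quick way to confirm that both settings took effect.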

Authentication Settings

  1. In the Authentication Settings section of the Web API Settings window, click Settings.

    The LDAP Account Units window opens.

  2. Configure where the Identity Awareness Gateway searches for users when they try to authenticate:
    • Internal users - The directory of configured internal users.
    • LDAP users - The directory of LDAP users:
      • All Gateway's Directories - Users from all configured LDAP servers.
      • Specific - Users from the configured LDAP servers that you select.
    • External user profiles - The directory of users who have external user profiles.

By default, all User Directories options are selected. If your users come from only one or two of these directories, select only those options to maximize Security Gateway performance during authentication. Users with identical user names must log in with domain\username.