Configuring Identity Awareness API
To configure the Identity Awareness Web API:
- In the view, double-click the Security Gateway.
- In the section of the Identity Awareness page, select and click .
- In the window, configure:
Client Access Permissions
You must select Identity Awareness Gateway interfaces that can accept connections from Web API clients.
To select the Identity Awareness Gateway interfaces:
- In the section of the window, click .
- Select Security Gateway interfaces that can accept connections from Web API clients. The options are based on the topology configured for the Security Gateway. Web API clients can access the Security Gateway if they use networks connected to these interfaces. The options are:
- - All Security Gateway interfaces can accept connections from Web API clients.
- - Only Security Gateway interfaces that are explicitly defined as internal can accept connections from Web API clients.
- - Also accepts connections from Web API clients on internal interfaces without a defined IP address
- - Also accepts connections from Web API clients located in the DMZ
- - Also accepts connections from Web API clients located in the VPN domain
- - Select this if there is an explicit Access Policy rule that accepts connections from Web API clients.
Important - The and options have priority over Firewall Policy rules. If a Firewall rule is configured to block connections from Identity Collector clients, connections continue to be permitted when one of these options is selected.
Authorized Clients and Selected Client Secret
An Identity Awareness Gateway accepts connections only from authorized Web API client computers.
To configure authorized Web API client computers:
- In the section of the window, click the icon and select a Web API client from the list.
Notes:
- To define a new host object:
- Close the window.
- Close the window.
- From the top toolbar, click the menu .
Or from the right upper corner, click the tab .
- To remove an existing Identity Collector client from the list, select the client and click the icon.
- Create an authentication secret for a selected Web API client:
- Select the Web API client in the list.
- Click , or enter the desired secret manually.
Notes:
- Each client has its own client secret.
- To modify a client secret, change it manually.
Authentication Settings
- In the section of the window, click .
The LDAP Account Units window opens.
- Configure where the Identity Awareness Gateway can search for users when they try to authenticate:
- - The directory of configured internal users.
- - The directory of LDAP users:
- - Users from all configured LDAP servers.
- - Users from configured LDAP servers that you select.
- - The directory of users who have external user profiles.
By default, all User Directories options are selected. You can select only one or two options if users are only from a specified directory and you want to maximize Security Gateway performance when users authenticate. Users with identical user names must log in with domain\username.