Configuring the Authorization Server - BlueCat Address Manager - 9.2.0

Address Manager Administration Guide

prodname
BlueCat Address Manager
version_custom
9.2.0

Address Manager's API endpoints support the OAuth authorization protocol. This means an Address Manager API client can obtain an access token from the authorization server. The authorization server authenticates the resource owner (the user) and issues the access token for access to the resource server's protected resources (Address Manager API). Configure the authorization server to allow the issuance of access tokens by the authorization server to API clients of Address Manager.

Note: Before performing the following steps, ensure that Address Manager is configured as the resource server with the authorization server.
  1. In Address Manager, select the Administration tab.
  2. Under User Management, select Identity and Access Management.
  3. Select the OAuth AS Configuration tab.
  4. Complete the Authorization Server section:
    1. Name (required): The name of the authorization server
    2. Description (optional): A brief description of the authorization server
    3. OAuth (required): Enables or disables OAuth. The default value is Enable.
  5. In the Signing Certificate section, you can either upload the metadata file (XML file) by clicking Choose File in the File field or entering the metadata URL provided by the authorization server in the URL field. If you enter the metadata URL, you're directed to a trust page. On the trust page, click Yes to confirm the authorization server certificate.
  6. Complete the Token Validation section:
    1. User Claim Name (required): The user claim name of the authorization server
    2. Group Claim Name (required): The group claim name of the authorization server
    3. Email Claim Name (required): The email claim name of the authorization server
    4. Method (required): Select Local if the token validation occurs in Address Manager. Select Authorization Server if the token validation occurs in the authorization server.
  7. If you selected Local in the Method drop-down, complete the following fields:
    1. Issuer (required): The name of the token issuer – the IdP adds this to the token URL.
    2. Audience (required): The name of the BAM API string obtained from the authorization server
  8. If you selected Authorization Server in the Method drop-down, complete the following fields:
    Note: Once you register Address Manager as a resource server, you can obtain the information required for the fields below.
    1. Client ID: The public identifier of the application
    2. Client Secret: The secret code known only to the application and the AS
    3. Introspection Endpoint: Allows Address Manager to check the validity of access tokens
      Note: Address Manager sends the client ID and the client secret to with the introspection request to the introspection endpoint.
    4. Authorization: If you select Basic, Address Manager sends the Client ID and Client Secret as part of the header in the request. If you select Post, Address Manager sends the Client ID and Client Secret as part of the body in the request.
    5. UserInfo Endpoint: The information about the user––this includes the group membership information and user ID.
  9. Click Upload.
    The AS metadata populates in the Signing Certificate section.
  10. Click Update.
    Note: Address Manager initiates a secure connection with both the introspection endpoint and userinfo endpoint. If the server is not CA-signed, a confirmation page about trusting the server may display.