Enabling OAuth in BlueCat Gateway lets Gateway use access tokens issued by the authorization server (IdP) to access the Address Manager API; an access token represents the authorization granted to Gateway to call that API. After you enable OAuth in BlueCat Gateway, you must update workflows and endpoints, and any automated scripts, so that they authenticate to the Address Manager API with OAuth rather than with their previous credentials.
-
Open the OAuth section of the SSO Configuration window. (Click the Navigator button if necessary, then click .)
The SSO Configuration page opens. If OAuth settings are not displayed, scroll down and click OAuth to expand it.
-
Fill in the OAuth fields as needed for your authentication provider.
For more details, see OAuth settings list below.
-
When you're done, click Save.
Once you have configured the settings for Gateway as an SSO service provider, the settings for the IdP, and the OAuth settings in the OAuth section (see Configuring SSO OAuth settings), you can enable SSO for Gateway. For more details, see Enabling Gateway SSO.
Attention: If you change SSO settings while SSO is already enabled, we strongly recommend that you retest the SSO connection right away, either with an API client such as Postman or by opening a new browser session and logging in to Gateway with the username and password of an SSO user.
To cancel your changes, click Cancel.
SSO OAuth settings list
The OAuth section has the following settings.
Setting | Description |
---|---|
Client ID | The public identifier of the application (Gateway) as registered with the authorization server. |
Client secret | The secret known only to the application and the authorization server. Gateway presents it when it authenticates to the token endpoint, so protect it as you would a password. |
Authorization endpoint | The endpoint that interacts with the resource owner (the user) to obtain the authorization grant that allows Gateway to access the protected resource. |
Token endpoint | The endpoint used by the API client (BlueCat Gateway) to exchange the authorization grant for an access token. |
Resource | The name of the protected resource. |
Username Claim | The claim returned by the authorization server that carries the username. |
Authentication method | Select where access tokens are validated: locally by Gateway, or by the authorization server. If you select the authorization server, you must also fill in Userinfo Endpoint. Tip: ADFS uses local authentication and OneLogin uses the authorization server. |
Scopes | (Optional) A list of scopes to present to the authorization server, separated by spaces. Scopes are an optional OAuth 2.0 mechanism that lets an application state what access it is requesting, so that the authorization server can limit the token to that access and grant different sets of features to different users. Beyond being space-separated scope identifiers, the format is open-ended and depends on the authorization provider; Gateway passes whatever you enter in this field to the provider unchanged. |
Userinfo Endpoint | (Required if Authentication method is set to the authorization server) The endpoint that returns information about the user. This includes the user ID and group membership, which Gateway needs when token validation is done by the authorization server. |
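To make the roles of these fields concrete, the following is an added example of the exchange an OAuth client runs against an IdP using exactly these settings. It is not BlueCat's code and does not call the Address Manager API; the IdP is a constructed in-process stub, and the client ID, client secret, scopes, claim names, redirect URI, the `groups` claim and the authorization code `abc` are all assumed values. It assumes the authorization-code grant with HTTP Basic client authentication at the token endpoint, which is one common IdP configuration, not necessarily the one your provider uses.

```python
"""Added example (not BlueCat's code): the three OAuth endpoints from the
settings table, exercised against a constructed stub IdP running in-process."""
import base64
import json
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values standing in for the SSO Configuration fields (constructed, not real).
CLIENT_ID = "gateway-demo"
CLIENT_SECRET = "demo-secret"
SCOPES = "openid profile groups"       # Scopes field: space-separated, passed on unchanged
USERNAME_CLAIM = "preferred_username"  # Username Claim field
# HTTP Basic credential the client presents at the token endpoint (RFC 6749 section 2.3.1).
CLIENT_BASIC = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()


class StubIdP(BaseHTTPRequestHandler):
    """Constructed stand-in for an IdP's token and userinfo endpoints."""
    TOKEN = "tok-constructed-123"

    def do_POST(self):  # token endpoint
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        if self.path != "/token" or self.headers.get("Authorization") != f"Basic {CLIENT_BASIC}":
            return self._json(401, {"error": "invalid_client"})
        if form.get("grant_type") != ["authorization_code"] or form.get("code") != ["abc"]:
            return self._json(400, {"error": "invalid_grant"})
        self._json(200, {"access_token": self.TOKEN, "token_type": "Bearer", "expires_in": 3600})

    def do_GET(self):  # userinfo endpoint
        if self.headers.get("Authorization") != f"Bearer {self.TOKEN}":
            return self._json(401, {"error": "invalid_token"})
        if self.path != "/userinfo":
            return self._json(404, {"error": "not_found"})
        self._json(200, {"sub": "42", USERNAME_CLAIM: "alice", "groups": ["ipam-admins"]})

    def _json(self, status, obj):
        data = json.dumps(obj).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):
        pass  # keep the demo quiet


# Connect directly; ignore any http_proxy set in the environment.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def authorization_url(authorization_endpoint, redirect_uri, state):
    """Authorization request the user's browser is sent to (RFC 6749 section 4.1.1).
    This is where the Scopes value is presented to the authorization server."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": SCOPES, "state": state}
    return f"{authorization_endpoint}?{urllib.parse.urlencode(params)}"


def exchange_code(token_endpoint, code, redirect_uri):
    """Swap the authorization code for an access token at the token endpoint
    (RFC 6749 section 4.1.3), authenticating as the client with HTTP Basic."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": redirect_uri}).encode()
    req = urllib.request.Request(token_endpoint, data=body, method="POST", headers={
        "Authorization": f"Basic {CLIENT_BASIC}",
        "Content-Type": "application/x-www-form-urlencoded"})
    with _opener.open(req) as resp:
        tok = json.load(resp)
    if tok.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {tok.get('token_type')!r}")
    return tok["access_token"]


def fetch_userinfo(userinfo_endpoint, access_token):
    """Present the bearer token to the userinfo endpoint and pick the user out
    with the configured username claim; group membership comes back alongside."""
    req = urllib.request.Request(userinfo_endpoint,
                                 headers={"Authorization": f"Bearer {access_token}"})
    with _opener.open(req) as resp:
        info = json.load(resp)
    return info[USERNAME_CLAIM], info.get("groups", [])


def run_demo():
    """Run the whole exchange against the in-process stub and return what the
    client learns about the user. Assumes the code 'abc' arrived on the redirect."""
    server = HTTPServer(("127.0.0.1", 0), StubIdP)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        token = exchange_code(f"{base}/token", "abc", "https://gateway.example/callback")
        username, groups = fetch_userinfo(f"{base}/userinfo", token)
        return {"access_token": token, "username": username, "groups": groups}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(authorization_url("https://idp.example/authorize", "https://gateway.example/callback", "xyz"))
    print(run_demo())
```

Two details map directly onto the table: the Scopes string appears only in the authorization request, exactly as entered, and the Username Claim setting decides which key of the userinfo response is treated as the username. The stub rejects a wrong client secret with `invalid_client` and a wrong bearer token with `invalid_token`, which is the behaviour you should see from a real IdP if the Client secret or token handling in a script is misconfigured.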