User Authentication

All calls to the backend system will require authentication. The authentication process is handled by IFS Middleware Server.
This process consists of three separate steps:

User authentication

The client transmits credentials over HTTP/S to the security interceptor, which then validates the credentials either with Active Directory or with the Oracle database.

The user authentication process is managed by IFS Middleware Server before the call even reaches the IFS Applications backend. All calls from clients pass through a security interceptor in the application server before they reach the IFS client gateway. All such calls are therefore intercepted, and all users are authenticated before the call can continue.

Two authentication schemes are supported: HTTP Basic authentication, where the user credentials are validated using either Active Directory or the Oracle database, and Negotiate, where Windows Integrated Authentication is used to achieve Single Sign-On.

During the authentication process, the supplied user name and password are verified and the granted application roles are added to the authenticated user.
If the user has been granted the IFSUser role, access to middle-tier Services and Activities is allowed; if not, an exception is returned from the application server (HTTP 401 - Unauthorized).
If access to the called Activity or Service method was allowed, the second security layer is reached: Activity authorization. In this layer the call to the method is intercepted by the Java Server Framework, which first maps the authenticated user identity to an existing Foundation1 user (using the Foundation1 user's Directory Id) and then checks whether the called activity/service is granted to the user. If it is, the call proceeds to the actual implementation; otherwise the Java Server Framework throws a security exception that prevents the user from calling the method.

IFS Connect and Web Services

Authentication for web services exposed using IFS Connect and the SOAP Gateway is handled by the application server in the same way as for interactive clients. Services are configured for username/password authentication using the HTTP Basic scheme.

The credentials are not included in the SOAP XML message, but are instead included in the HTTP Authorization header field.

Web Service consumers connecting to the IFS Connect SOAP Gateway must be configured for the same authentication mode as the IFS application server's security interceptor. The web service client must also be configured with valid credentials (i.e. a username/password) for authenticating with the IFS Middleware Server.
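
The following sketch shows a web service consumer placing the credentials in the HTTP Authorization header rather than in the SOAP XML message, and why that header needs HTTPS: the Basic token is Base64-encoded, not encrypted. It is an added example, not code from IFS; the gateway URL, the SOAP body and the credentials are constructed placeholders, and the HTTPS-only check is an assumption of this example.

```python
import base64
import urllib.request
from urllib.parse import urlsplit

# Hypothetical endpoint and SOAP body: placeholders, not real IFS values.
GATEWAY_URL = "https://ifs.example.com/soap-gateway-placeholder"
SOAP_BODY = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><placeholderRequest/></soapenv:Body>"
    "</soapenv:Envelope>"
)


def basic_header(username, password):
    """Build the Authorization header value for the HTTP Basic scheme (RFC 7617)."""
    if ":" in username:
        raise ValueError("the Basic scheme cannot carry ':' in the user name")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(value):
    """Recover (user, password) from the header: Base64 is reversible by anyone."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_soap_request(url, username, password, body=SOAP_BODY):
    """Prepare (but do not send) a SOAP POST with credentials only in the header."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to attach Basic credentials to a non-HTTPS URL")
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    req.add_header("Authorization", basic_header(username, password))
    return req


if __name__ == "__main__":
    # Constructed sample credentials (the RFC 7617 style "Aladdin" example).
    request = build_soap_request(GATEWAY_URL, "Aladdin", "open sesame")
    print(request.get_header("Authorization"))
    print(decode_basic_header(request.get_header("Authorization")))
```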