Configuring Authentication for the Alemba API

The Alemba API supports Bearer token authentication using OAuth 2.0.
Two built-in clients are preconfigured for use with Password authentication. These may need to be configured to use the desired authentication type before first use.

 

  1. Open the new Alemba® admin page in your web browser - https://{host-name}/{core-system-name}/Alemba®.Web/alemba/admin.
  2. Log in as an Analyst with the Security Setup General Access role.
  3. On first use, a login form will be displayed.

  4. Alemba® Admin and the API Explorer are configured to prompt for confirmation before login is completed.
  5. Click the API Clients link.
  6. Select the API Client you wish to configure.
  7. Client Secret

    If specified, the calling OAuth Client must provide this value when processing user authentication.

    See How to log in to the API in the API explorer Help.

    This value is akin to a password and should only be used by client code where the client is trusted and is able to keep secrets.

    A JavaScript client is not able to securely store this secret so should not use this value for authentication.

    Name

    The API Client must have a name which should be unique. This is only used as a display name.

    Session Type

    Possible Values: Any, User, Analyst

    If set to User or Analyst, OAuth clients will only be able to get an access token of the specified type.

    If set to Any, OAuth clients must specify a scope when processing user authentication (see How to log in to the API).

    Enabled

    If this is unchecked, authentication for this client will be disabled.

    This can be used to disable third-party access to the system.

    Allowed Redirect Uri

    Used in OAuth Authorization Code grant flow. This defaults to the host name first used to initiate the authorization code request.

    This security feature is used to prevent token interception or misuse. It is not possible for a third party application to complete an authorization code grant without first configuring this setting.

    Enabled Authentication Types

    Password authentication is enabled by default. One or more authentication types can be enabled. When multiple authentication types are enabled, the login dialog will ask the user to choose between the login types that are enabled (and correctly configured).

    Users may then be able to log in using a Username and Password, Windows Authentication, or Single Sign On (using SAML).

    It is recommended that only one type of authentication be used per API Client at a time.

    See Configuring Windows Authentication for the Alemba API and Configuring Single Sign On using SAML for the Alemba API.

All configuration changes will take effect immediately. Existing sessions will not be affected by these changes.
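
The following is an added example, not Alemba code: a small Python model of how the Enabled, Session Type and Allowed Redirect Uri settings described above could gate an authorization code request. The class, function names, the scope values "User" and "Analyst", and the host names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class ApiClient:
    """Hypothetical model of the API Client settings described on this page."""
    name: str
    enabled: bool = True
    session_type: str = "Any"                    # Any, User or Analyst
    allowed_redirect_host: Optional[str] = None  # unset until first use


def redirect_host(uri: str) -> str:
    """Return the host of an absolute https redirect URI, or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("redirect URI must be an absolute https URL")
    # Userinfo ("trusted-host@other-host") makes the real host easy to misread.
    if parts.username is not None or parts.fragment:
        raise ValueError("redirect URI must not carry userinfo or a fragment")
    return parts.hostname.lower()


def check_authorization_request(client: ApiClient, redirect_uri: str,
                                scope: Optional[str] = None) -> str:
    """Validate a request; return the session type the token would carry."""
    if not client.enabled:
        raise PermissionError("client is disabled")
    if client.session_type == "Any":
        # Scope names are assumed; the page only says a scope is required.
        if scope not in ("User", "Analyst"):
            raise ValueError("scope is required when Session Type is Any")
        granted = scope
    else:
        granted = client.session_type            # fixed by the client setting
    host = redirect_host(redirect_uri)
    if client.allowed_redirect_host is None:
        client.allowed_redirect_host = host      # pinned on first valid use
    elif host != client.allowed_redirect_host:
        raise PermissionError("redirect host not allowed for this client")
    return granted
```

In this model the first valid request decides the pinned host, so setting the value explicitly before first use removes that dependency.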