Configuring Authentication for the Alemba API

The Alemba API supports Bearer token authentication using OAuth 2.0.

Two built-in clients are preconfigured for use with Password authentication. These may need to be configured to use the desired authentication type before first use.

Open the new Alemba® admin page in your web browser:

https://{host-name}/{core-system-name}/Alemba®.Web/alemba/admin

  1. Log in as an Analyst with the Security Setup General Access role

  2. On first use, a login form will be displayed.

  3. Alemba® Admin and the API Explorer are configured to prompt for confirmation before login is completed.

  4. Click the API Clients link

  5. Select the API Client you wish to configure.

Client Secret

If specified, the calling OAuth Client must provide this value when processing user authentication.

See How to log in to the API in the API Explorer Help.

This value is akin to a password and should only be used by client code where the client is trusted and is able to keep secrets.

A JavaScript client cannot securely store this secret, so it should not use this value for authentication.

Name

The API Client must have a name which should be unique. This is only used as a display name.

Session Type

Possible Values: Any, User, Analyst

If set to User or Analyst, OAuth clients will only be able to get an access token of the specified type.

If set to Any, OAuth clients must specify a scope when processing user authentication (see How to log in to the API).

Enabled

If this is unchecked, authentication for this client will be disabled.

This can be used to disable third-party access to the system.

Allowed Redirect Uri

Used in OAuth Authorization Code grant flow. This defaults to the host name first used to initiate the authorization code request.

This security feature is used to prevent token interception or misuse. A third-party application cannot complete an authorization code grant without first configuring this setting.
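
The following sketch is an added example, not Alemba's code: it models how the Enabled, Client Secret, Session Type and Allowed Redirect Uri settings above would gate a request, which helps when reasoning about a planned client configuration. The ApiClient fields, the check_request function, the scope names and the exact-match redirect rule are assumptions, and the first-use default for the redirect URI is not modelled.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class ApiClient:
    """One API Client record; field names are assumptions mirroring the settings."""
    name: str
    enabled: bool = True
    session_type: str = "Any"                   # Any, User or Analyst
    client_secret: Optional[str] = None         # None: no secret specified
    allowed_redirect_uri: Optional[str] = None  # None: not configured

def check_request(client, grant, secret=None, scope=None, redirect_uri=None):
    """Return (allowed, detail): detail is the session type or the refusal reason."""
    if not client.enabled:
        return False, "client disabled"
    if client.client_secret is not None:
        # The secret is akin to a password, so compare in constant time.
        if secret is None or not hmac.compare_digest(
                secret.encode(), client.client_secret.encode()):
            return False, "bad client secret"
    if client.session_type == "Any":
        # Scope names equal to the session types are an assumption.
        if scope not in ("User", "Analyst"):
            return False, "scope required"
        session = scope
    elif scope in (None, client.session_type):
        session = client.session_type
    else:
        return False, "scope not permitted"
    if grant == "authorization_code":
        if client.allowed_redirect_uri is None:
            return False, "redirect uri not configured"
        # Exact string match: no prefix, wildcard or case-insensitive matching.
        if redirect_uri != client.allowed_redirect_uri:
            return False, "redirect uri mismatch"
    return True, session

# Constructed sample clients and requests (not real Alemba data).
portal = ApiClient("Portal", session_type="Analyst", client_secret="s3cr3t-example",
                   allowed_redirect_uri="https://app.example.test/callback")
spa = ApiClient("Browser app", session_type="Any")

if __name__ == "__main__":
    print(check_request(portal, "authorization_code", "s3cr3t-example",
                        redirect_uri="https://app.example.test/callback"))
    print(check_request(portal, "authorization_code", "s3cr3t-example",
                        redirect_uri="https://app.example.test/callback/../x"))
    print(check_request(spa, "password"))
```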

Enabled Authentication Types

Password authentication is enabled by default.

One or more authentication types can be enabled. When multiple authentication types are enabled, the login dialog will ask the user to choose between the login types which are enabled (and correctly configured).

Users may then be able to log in using a Username and Password, Windows Authentication, or Single Sign On (using SAML).

It is recommended that only one type of authentication be used per API Client at a time.

See also Configuring Windows Authentication for the Alemba API and Configuring Single Sign On using SAML for the Alemba API.

All configuration changes will take effect immediately. Existing sessions will not be affected by these changes.

Copyright 2023 Alemba, ASM EOS 10.4