Skyhigh Security

LDAP Digest Authentication

The LDAP digest authentication method, which is based on the LDAP authentication method, uses a shared secret known by both sides of the authentication process: the user who requests web access through a browser on a client of Web Gateway, and Web Gateway itself.

Web Gateway uses its proxy functions to intercept the request to enable authentication and further filtering under the configured web security policy.

Unlike simpler authentication methods, such as basic authentication, no password is sent directly from the browser to Web Gateway. Instead, the password is part of the shared secret that is known on both sides of the authentication process.

On the client, a hash value is calculated over the shared secret and several additional parameters and transmitted to Web Gateway. Web Gateway then calculates the hash again, using its own instance of the shared secret, to see if the result is identical. If it is, the user is authenticated.

The hash value that is transmitted from the client to Web Gateway is also referred to as a digest. Web Gateway retrieves the shared secret that it requires for recalculating the hash from an LDAP server.

Calculating a hash for LDAP digest authentication

The MD5 method for calculating a hash is used when LDAP digest authentication is performed in an authentication process with Web Gateway.

Before the client sends the hash, Web Gateway sends a request for authentication to the client. This request includes a so-called nonce (number only once), a number that is randomly created on Web Gateway. The nonce is one of the parameters that must be used in addition to the shared secret for calculating the hash.

The complete list of parameters that is used for calculating the hash includes the following:

  • User name (part of the shared secret)
  • Realm name (part of the shared secret)
  • Password (part of the shared secret)
  • Nonce
  • HTTP request that was sent from the client
  • URL of the requested destination on the web

Configuring LDAP digest authentication on Web Gateway

LDAP digest authentication on Web Gateway requires the following:

  • LDAP authentication must have been configured as the general authentication method on Web Gateway.
  • The realm name must be configured as part of the common authentication settings on Web Gateway. This name must also be used for the shared secret.
  • You must configure the following parameters for LDAP digest authentication:
    • Enabling of LDAP digest authentication
    • Name of the attribute on the LDAP server that stores the authentication hash
    • Maximum number of times that a nonce can be used
    • Maximum time that a nonce can be used

Optionally, you can do the following:

  • Allow only LDAP digest authentication as an authentication method under the current settings

    When configuring other authentication settings, you could, however, still allow other authentication methods, for example, the User database method with basic authentication.
  • Let a check be performed for the URL that a client sends as a parameter for calculating the hash

    This URL should be the same as the URL that this client sends in its request for accessing a particular destination on the web. Otherwise, successfully passing digest authentication, based on identical hash values, might allow a user to access a destination that was not requested. So if the result of the check is that the two URLs are not the same, the request is blocked.

    The browsers that are used on clients for sending this information use different URL formats, however, so this check might fail because of a formatting difference even if the two URLs are really the same. For this reason, the URL check is optional.
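
The verification described above, as an added Python example that is not Skyhigh Security's code: it recomputes the digest from the stored hash, enforces the nonce use and lifetime limits, and applies the optional URL check. It assumes the RFC 2617 digest layout without qop, where the stored hash is MD5(user:realm:password); all function, class and sample names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def stored_hash(user, realm, password):
    # Assumed format of the hash kept in the LDAP attribute (RFC 2617 "HA1").
    return md5_hex(f"{user}:{realm}:{password}")


def digest(ha1, nonce, method, uri):
    # Digest over the shared-secret hash, the nonce, the HTTP method and the URL.
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    def __init__(self, max_uses, max_age, check_url=True):
        self.max_uses, self.max_age, self.check_url = max_uses, max_age, check_url
        self.nonces = {}  # nonce -> [time issued, number of uses]

    def challenge(self, now=None):
        nonce = secrets.token_hex(16)  # random, created on the server side
        self.nonces[nonce] = [time.time() if now is None else now, 0]
        return nonce

    def verify(self, ha1, nonce, method, digest_uri, request_uri, response, now=None):
        now = time.time() if now is None else now
        state = self.nonces.get(nonce)
        if state is None:
            return "unknown nonce"
        if now - state[0] > self.max_age or state[1] >= self.max_uses:
            del self.nonces[nonce]  # limits reached: a new challenge is needed
            return "stale nonce"
        state[1] += 1
        # Optional check: the URL inside the digest must be the URL requested.
        if self.check_url and digest_uri != request_uri:
            return "url mismatch"
        expected = digest(ha1, nonce, method, digest_uri)
        # Constant-time comparison of the recalculated and received digests.
        if not hmac.compare_digest(expected.encode(), response.encode()):
            return "bad digest"
        return "ok"
```

The exact string comparison of the two URLs is what makes the check sensitive to the browser formatting differences mentioned above; constructing the verifier with `check_url=False` corresponds to leaving the optional check disabled.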

The realm name that is used for the shared secret is configured under Common Authentication Parameters, which is a section that is available under every authentication method at the beginning of the Authentication settings.

The parameters for LDAP digest authentication are configured on Web Gateway as part of the settings for the Authentication module (or engine).

When LDAP is selected as the general authentication method at the beginning of these settings, a section named Digest Authentication becomes available after the section for other LDAP specific parameters.

