Use of Logical Participants
In the current version of External Authorization, logical participants are now fully supported:
- All WS-Proxy requests can now be executed using the logical sedex ID of the calling sedex-Client.
- Providers of a web service can easily distinguish which logical participant initiated the request.
- Authorization rules can be defined for individual logical participants, enhancing security and control.
This section outlines how to add logical participants to existing authorization, providing solutions to previous limitations.
Overview
This figure illustrates the general invocation process of a web service offered via sedex and indicates where security checks need to be performed.
Technical Details
Two HTTP header fields are included in the WS-Proxy request to the 3rd party webservice (e.g., ZAS UPI):
- X-Auth-SedexId: The logical participant's sedex ID, or Anonymous if unavailable.
- X-Auth-Username: The logical participant's username, or Anonymous if unavailable.
For requests from a WS-Proxy where the business application issued the request as an authenticated user (basic auth):
| Header Key | Value |
|---|---|
| X-Auth-SedexId | 1-500-1 |
| X-Auth-Username | myConfiguredUsername |
For requests from a WS-Proxy where the business application issued the request as a non-authenticated (anonymous) user:
| Header Key | Value |
|---|---|
| X-Auth-SedexId | Anonymous |
| X-Auth-Username | Anonymous |
The request to the externalAuthorization Service can be extended by the following optional element containing the logical sender from X-Auth-SedexId (if available and not Anonymous):
[..]
<LogicalSender>
    <ParticipantSedexId>1-1234-1</ParticipantSedexId>
</LogicalSender>
[..]
Use in External Authorization
The third-party web service should check if the HTTP header contains a logical sender sedex ID (X-Auth-SedexId) or Anonymous. If a valid sedex ID is found, it should be used in the external authorization request as illustrated in the following pseudocode:
if (httpHeader.X-Auth-SedexId != null && httpHeader.X-Auth-SedexId != "Anonymous") {
    ExtAuthRequest.logicalSender.setParticipantSedexId(httpHeader.X-Auth-SedexId);
}
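One way a web service could implement the check from the pseudocode above, shown as an added Python example (not sedex project code). It goes beyond the pseudocode by rejecting repeated or malformed header values before the ID reaches the authorization request; the function names and the ID pattern, which is inferred from the sample IDs on this page, are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: shape inferred from the page's sample IDs (1-500-1, 1-1234-1);
# adjust it to the ID format your sedex environment actually uses.
SEDEX_ID_RE = re.compile(r"[0-9]+-[0-9]+-[0-9]+")
ANONYMOUS = "Anonymous"


def logical_sender_id(headers):
    """Return the logical sedex ID from X-Auth-SedexId, or None.

    `headers` is a list of (name, value) pairs so repeated headers stay visible.
    Raises ValueError when the header is ambiguous or malformed, so the caller
    can reject the request instead of authorizing the wrong participant.
    """
    values = [v.strip() for k, v in headers if k.lower() == "x-auth-sedexid"]
    if not values:
        return None
    if len(values) > 1:
        raise ValueError("X-Auth-SedexId sent more than once")
    value = values[0]
    if value == ANONYMOUS:
        return None
    if not SEDEX_ID_RE.fullmatch(value):
        raise ValueError("X-Auth-SedexId is not a sedex ID")
    return value


def logical_sender_element(headers):
    """Build the optional <LogicalSender> element, or None to omit it."""
    sedex_id = logical_sender_id(headers)
    if sedex_id is None:
        return None
    sender = ET.Element("LogicalSender")
    ET.SubElement(sender, "ParticipantSedexId").text = sedex_id
    return sender


def to_xml(element):
    """Serialize the element, or return None when it is to be omitted."""
    return None if element is None else ET.tostring(element, encoding="unicode")


# Constructed sample requests built from the header tables above (not captured traffic).
AUTHENTICATED = [("X-Auth-SedexId", "1-500-1"), ("X-Auth-Username", "myConfiguredUsername")]
ANON = [("X-Auth-SedexId", "Anonymous"), ("X-Auth-Username", "Anonymous")]
```

A `ValueError` here is meant to end the request with an error response rather than fall back to an anonymous authorization check.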
