This section provides information about authentication, signing in, and signing out when using the ALM Octane SDKs, REST API, and OData.
You can sign in using the following methods:
|Authentication method||Used for||Description|
|JSON authentication with user credentials or API access keys||
Use the sign_in resource to authenticate using user credentials or API access keys. For details, see JSON authentication (sign_in).
For details on granting API access, see the information about setting up API access in the ALM Octane User Guide.
To use basic authentication, enable basic authentication and send a header with user credentials for each request.
For details, see Basic authentication.
You can navigate to an entity URL through the REST API when not yet authenticated, such as when copying a URL or sending an email with a link to an entity. You are prompted for authentication and then redirected to the details of the entity.
Specify entity-navigation as follows:
After authentication, this redirects to:
JSON authentication uses the sign_in resource.
This resource sets the authentication cookies required for future requests.
A sign_in may fail if there are still valid authentication cookies.
The cookies can be reset with a request to sign_out.
|Supported HTTP methods||POST|
|Payload for user credentials||
Provide a JSON object with the credentials.
Use this type of payload to work with the API as the site admin.
|Payload for API keys||
Basic authentication can be used for ALM Octane REST API, SDKs, and OData.
You cannot use basic authentication to access the ALM Octane client.
Send the following in the header for each request:
|Successful authentication||200 (OK)||A cookie with the name LWSSO_COOKIE_KEY is set as a response cookie. See Authentication cookies.|
|Failed authentication||401 (Unauthorized)||Not authenticated.|
These cookies are used for authentication:
Upon successful authentication, the authentication cookie LWSSO_COOKIE_KEY is set in the response.
Send this cookie with each subsequent request.
The timeout of this cookie is 3 hours.
Refreshing the LWSSO_COOKIE_KEY
After the 3-hour timeout period has passed, you can extend the timeout by calling the cookie.
You can keep extending the timeout for 24 hours after the original authentication, provided that you always use the refreshed cookie sent from the server.
After 24 hours, the cookie has expired, and 401 errors are issued in response to requests. Re-authenticate to continue.
You can return all cookies sent by the server in the preceding response using the "Set-Cookie" header. For details, see Resend cookies.
The HPSSO_COOKIE_CSRF cookie is useful for preventing CSRF attacks.
The cookie can be sent as a response cookie if specified. By default, this cookie is not sent.
If specified, you must send the HPSSO-HEADER-CSRF header with the value of this cookie in subsequent requests.
To return the HPSSO_COOKIE_CSRF cookie, specify the boolean property enable_csrf with the value true in the payload:
The sign_out resource logs the user off the session and cancels (expires) the authentication cookies.
This resource can be used for all authentication methods.
|Supported HTTP methods||POST|
HTTP/1.1 200 OK
Set-Cookie: LWSSO_COOKIE_KEY="";Version=1;Path=/;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, max-age=0
Pragma: no-cache
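The cookie lifecycle described above (sign_in with enable_csrf, resending the newest LWSSO_COOKIE_KEY, echoing HPSSO_COOKIE_CSRF in the HPSSO-HEADER-CSRF header, re-authenticating on 401, and sign_out) can be handled by a small client-side session object. This is an added example, not code from the ALM Octane documentation or SDKs; the class name, the `send` transport callable, and the two resource paths are assumptions.

```python
from http.cookies import SimpleCookie

AUTH_COOKIE = "LWSSO_COOKIE_KEY"
CSRF_COOKIE = "HPSSO_COOKIE_CSRF"
CSRF_HEADER = "HPSSO-HEADER-CSRF"
# Assumed resource paths; adjust to your server's URL layout.
SIGN_IN, SIGN_OUT = "/authentication/sign_in", "/authentication/sign_out"

class OctaneSession:
    """Cookie bookkeeping for one API client (hypothetical helper).

    `send` is a transport supplied by the caller (an assumption of this example):
    send(method, path, headers, body) -> (status, [Set-Cookie header values]).
    """
    def __init__(self, send, credentials):
        self.send, self.credentials, self.cookies = send, credentials, {}

    def _absorb(self, set_cookie_values):
        for raw in set_cookie_values:
            for name, morsel in SimpleCookie(raw).items():
                if morsel.value == "" or morsel["max-age"] == "0":
                    self.cookies.pop(name, None)       # expired by the server
                else:
                    self.cookies[name] = morsel.value  # newest value wins (refresh)

    def _headers(self):
        headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in self.cookies.items())}
        if CSRF_COOKIE in self.cookies:                # echo the CSRF cookie as a header
            headers[CSRF_HEADER] = self.cookies[CSRF_COOKIE]
        return headers

    def sign_in(self):
        self.cookies.clear()   # start from an empty jar; no old cookies are sent
        body = dict(self.credentials, enable_csrf=True)
        status, set_cookies = self.send("POST", SIGN_IN, {}, body)
        self._absorb(set_cookies)
        return status == 200 and AUTH_COOKIE in self.cookies

    def request(self, method, path, body=None):
        status, set_cookies = self.send(method, path, self._headers(), body)
        if status == 401 and self.sign_in():           # cookie expired: re-authenticate once
            status, set_cookies = self.send(method, path, self._headers(), body)
        self._absorb(set_cookies)
        return status

    def sign_out(self):
        status, set_cookies = self.send("POST", SIGN_OUT, self._headers(), None)
        self._absorb(set_cookies)
        return status == 200 and AUTH_COOKIE not in self.cookies
```

Wire `send` to your HTTP client over TLS and pass the credentials payload your deployment uses; the session object never logs or persists cookie values.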