Authentication and Authorization Using OAuth 2.0 Protocol

Sentinel RMS Cloud License Manager provides industry-standard OAuth 2.0 protocol-based authentication and authorization for your users/applications. The following table describes the differences between the support and mechanisms provided for on-premises and SaaS applications:

Topic On-premises Applications SaaS Applications
Based on OAuth 2.0

Resource Owner Password Credential flow

Client Credentials flow
Use Case

>The licensed application is installed on-premises.

>The users/machines must be authenticated for using the RMS Cloud LM REST API.

>The licensed application is hosted in a trusted environment (private cloud).

>Your application needs to be authenticated for using the RMS Cloud LM REST API.

Sentinel RMS Licensing Options

>Unified APIs in the SCP-integrated library
The SCP-integrated library provides quick-to-integrate Unified APIs that can be incorporated directly into an application to implement licensing. The library abstracts tasks—including authentication, message signing, and verification—necessary for secure communication between a client and RMS Cloud LM.
See also: SCP-integrated Library

>RMS Cloud LM REST API
A set of REST APIs for implementing software licensing.

RMS Cloud LM REST API
A set of REST APIs for implementing software licensing.

Authentication

>An OAuth access token is required to make requests to Sentinel RMS Cloud License Manager.

>The licensed application gets an auth token in exchange of the registration token. An auth token consists of an access token and a refresh token.

>Once obtained, the refresh token can be used to obtain a new access token.
See also: On-premises Applications

>The Contact Administrator on the customer's site creates the registration token for users/machines in an enterprise.

>An OAuth access token is required to make requests to Sentinel RMS Cloud License Manager.

>The licensed application gets an access token using OAuth 2.0 Client Credentials flow. The software vendor must provide the application/client credentials for the licensed application. See also: SaaS Applications

>These credentials must be kept safe.

NOTE   The software vendor cannot generate and support multiple application/client credentials.

HTTP Header Registration Token is customer-specific. Hence, no Customer ID is required as explicit input for the licensing calls. A custom header, x-sntl-customer-id, is required to identify a customer and is passed as the HTTP header.
Signing and Verification

Your application running in a hostile environment must follow the mandatory signing and verification requirement for securing client/server communication.

**WARNING**   REST API signing is not yet supported in the Sentinel EMS WS Reference tool. Hence, the use of the tool for exploring the registration token workflow and accessing the Cloud LM REST APIs is not recommended.

No signing/verification is required.
Developer Resources

Contact your Thales representative to obtain a package that contains the:

>Postman collections

>YAML files

Use your Sentinel EMS hosted instance for accessing the Sentinel EMS WS Reference tool.

Documentation Reference Getting Started with Sentinel RMS—Connected (Cloud LM) Mode for On-premises Applications Getting Started with Sentinel RMS— for SaaS Applications.Connected (Cloud LM) Mode

On-premises Applications

Authentication Workflow for on-premises applications is supported using the:

SaaS Applications

Each Cloud LM REST API, must be authenticated using a JSON Web Token (JWT) access token. The workflow for authenticating applications is depicted below: