Authentication process flow for MPA and multiple clients

  1. The WebSEAL administrator performs the following preliminary configuration:
  2. Clients connect to the MPA gateway.
  3. The gateway translates the request to an HTTP request.
  4. The gateway authenticates the client.
  5. The gateway establishes a connection with WebSEAL with the client request.
  6. The MPA authenticates to WebSEAL (using a method distinct from the client) and an identity is derived for the MPA (which already has a WebSEAL account).
  7. WebSEAL verifies the MPA’s membership in the webseal-mpa-servers group.
  8. A credential is built for the MPA and flagged as a special MPA type in the cache.

     Although this MPA credential accompanies each future client request, it is not used for authorization checks on these requests.

  9. Now WebSEAL needs to further identify the owner of the request.

     The MPA is able to distinguish the multiple clients for proper routing of login prompts.

  10. The client logs in and authenticates using a method distinct from the authentication type used for the MPA.
  11. WebSEAL builds a credential from the client authentication data.
  12. The session data type used by each client must be distinct from the session data type used by the MPA.
  13. The authorization service permits or denies access to protected objects based on the user credential and the object’s ACL permissions.
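The two-layer flow above (one MPA credential flagged as a special type and never used for authorization, plus a per-client credential that does drive the ACL check) as an added, constructed Python model. This is not WebSEAL's code: the account store, group name lookup, ACL shape, and the names "wap-gateway", "alice", "bob" and "/reports" are all assumptions made for the example.

```python
from dataclasses import dataclass

MPA_GROUP = "webseal-mpa-servers"  # group checked in step 7


@dataclass(frozen=True)
class Credential:
    principal: str
    is_mpa: bool = False  # the "special MPA type" flag from step 8


class WebSEALModel:
    """Constructed model of the MPA flow; not WebSEAL's own implementation."""

    def __init__(self, accounts, groups, acls):
        self.accounts = accounts  # name -> (auth method, secret); hypothetical store
        self.groups = groups      # group -> set of member names
        self.acls = acls          # object -> {principal: set of permissions}
        self.mpa_cred = None      # step 8: one credential for the gateway itself
        self.sessions = {}        # client session id -> Credential (step 11)

    def _verify(self, name, method, secret):
        return self.accounts.get(name) == (method, secret)

    def authenticate_mpa(self, name, method, secret):
        # Steps 6-8: the gateway authenticates and must be in webseal-mpa-servers.
        if not self._verify(name, method, secret):
            return False
        if name not in self.groups.get(MPA_GROUP, set()):
            return False
        self.mpa_cred = (Credential(name, is_mpa=True), method)
        return True

    def authenticate_client(self, session_id, name, method, secret):
        # Steps 9-12: each client logs in with a method distinct from the MPA's,
        # and only after the MPA itself has been identified.
        if self.mpa_cred is None or method == self.mpa_cred[1]:
            return False
        if not self._verify(name, method, secret):
            return False
        self.sessions[session_id] = Credential(name)
        return True

    def authorize(self, session_id, obj, perm):
        # Step 13: the client credential decides; the MPA credential never does.
        cred = self.sessions.get(session_id)
        if cred is None or cred.is_mpa:
            return False
        return perm in self.acls.get(obj, {}).get(cred.principal, set())


def build_model():
    # Constructed sample data: one gateway account, two end users, one object.
    accounts = {"wap-gateway": ("cert", "gw-cert"),
                "alice": ("basic", "pw-a"), "bob": ("basic", "pw-b")}
    groups = {MPA_GROUP: {"wap-gateway"}}
    acls = {"/reports": {"alice": {"r"}}}
    return WebSEALModel(accounts, groups, acls)
```

Running the model shows that a gateway account outside webseal-mpa-servers is refused, that a client reusing the MPA's authentication method is refused, and that "bob" is denied "/reports" even though the same MPA credential accompanied his request.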

Parent topic: Multiplexing proxy agents