Credential refresh overview

You can configure the credential refresh feature in WebSEAL.

When a user authenticates to WebSEAL, the authentication process accesses the ISAM user registry and builds a credential for the user. The credential contains information about the user needed by ISAM to decide whether to grant the user access to the requested resource. An example of credential information is a list of groups to which the user belongs.

During a user session, changes in user information can take place. For example, the user might be added to a new group. When this occurs, there might be a need to update or refresh the contents of the user credential, to reflect the new user information. WebSEAL provides a mechanism to enable a credential refresh without requiring the user to log out and then authenticate again.

You can control how the credential refresh feature occurs. WebSEAL provides configuration settings that enable us to specify credential attributes to refresh (update) and credential attributes to preserve (retain). This ability enables us to have precise control over how user credentials are manipulated during a user session.

Use of the credential refresh configuration settings can be important when the authentication process on our WebSEAL server includes call outs to mechanisms that provide additional or extended information about a user. These mechanisms include:

For information on the credential attribute services listed above, see Mechanisms for adding registry attributes to a credential.

When credential refresh occurs, the default credential attribute entitlement service is run.

The credential refresh configuration settings enable us to preserve attributes obtained during the initial use of an entitlement service. For example, if an attribute contained a timestamp for the start of the user session, we might want to preserve the timestamp even though the credential was refreshed.

The credential refresh configuration settings also enable us to preserve attributes obtained from a credential extended attribute authentication module. Because custom authentication modules are not run again during the rebuilding of the credential, we use the configuration file settings to specify attributes to be added to the new credential.
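The following is an added illustrative model of the refresh-versus-preserve behaviour described above; it is not WebSEAL's own code, and the ordered-rule evaluation, the default of refreshing unmatched attributes, and the sample attribute values are assumptions made for the example.

```python
from fnmatch import fnmatch

def apply_refresh_rules(original, rebuilt, rules):
    """Merge a rebuilt credential into the login-time credential under ordered rules.

    original: attribute dict of the credential built at login
    rebuilt : attribute dict from re-reading the registry and re-running the
              entitlement service now (custom auth modules are NOT re-run)
    rules   : list of (action, glob) with action in {"preserve", "refresh"};
              first matching rule wins, unmatched attributes are refreshed
              (assumed defaults for this model, not WebSEAL's documented order)
    Returns the merged credential and the names of attributes that changed.
    """
    def action_for(name):
        for action, pattern in rules:
            if fnmatch(name, pattern):
                return action
        return "refresh"

    merged, changed = {}, []
    for name in sorted(set(original) | set(rebuilt)):
        if action_for(name) == "preserve" and name in original:
            merged[name] = original[name]      # retain the login-time value
        elif name in rebuilt:
            merged[name] = rebuilt[name]       # take the current registry value
        # otherwise only the login-time credential had it and it was not
        # preserved (e.g. set by a custom auth module), so it is dropped
        if merged.get(name) != original.get(name):
            changed.append(name)
    return merged, changed

# Constructed sample data: the user was added to "auditors" mid-session.
LOGIN_CRED = {
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "AZN_CRED_GROUPS": ["staff"],
    "session_start": "2024-01-01T09:00:00Z",   # entitlement service, at login
    "mfa_level": "2",                          # custom auth module, at login
}
REBUILT_CRED = {
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "AZN_CRED_GROUPS": ["staff", "auditors"],
    "session_start": "2024-01-01T10:30:00Z",   # entitlement service re-ran
}
RULES = [("preserve", "session_start"), ("preserve", "mfa_*"), ("refresh", "AZN_CRED_*")]

if __name__ == "__main__":
    cred, changed = apply_refresh_rules(LOGIN_CRED, REBUILT_CRED, RULES)
    print(cred, changed)
```

Dropping the `mfa_*` preserve rule shows the failure mode the text warns about: the module-supplied attribute silently disappears from the refreshed credential.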

Parent topic: Credential refresh concepts