External authentication interface credential replacement
WebSEAL allows a previously authenticated user to authenticate again by sending a request to an external authentication interface trigger URL and to establish a new session. When the external authentication application returns authentication data, WebSEAL deletes the old session cache entry, builds a new entry containing a new credential for that user (credential replacement) and, if session cookies carry session state, issues the user a new session key.
Credential replacement through the external authentication interface operates under the following conditions:
- If a trigger URL is used by a previously authenticated user to make a request, that request is allowed to pass through to the external authentication application. In earlier versions of the external authentication interface, a previously authenticated user was forced to log out and log in again when making a request using a trigger URL.
- If the external authentication interface response to the user request contains authentication data, and the user's session cache entry is flagged for authentication strength policy (step-up) or reauthentication, then WebSEAL enforces the step-up or reauthentication process. The existing session cache (and credential) for the user is not replaced.
- If the external authentication interface response to the user request contains authentication data, and the user's cache entry is not flagged as step-up or reauthentication, then:
  - The existing session cache entry is deleted and replaced with a new entry containing a new credential for the user.
  - If the user uses session cookies to maintain session state, a new session key is created and returned to the user.
  - If the user uses SSL session IDs or HTTP headers to maintain session state, the existing session key is reused.
  - If a failover cookie is used, a new failover cookie is created and returned to the user.
  - If user session IDs are used, the user session ID mapping to the WebSEAL session ID is updated.
  - If an LTPA cookie is used, a new LTPA cookie is created and returned to the user.
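As an illustration of the rules above, the following Python models a session cache entry and applies the decision sequence to an EAI response: pass-through when no authentication data is present, enforced step-up or reauthentication when the entry is flagged, and otherwise replacement, with the session key rotated only when session cookies carry session state. This is an added example, not WebSEAL code. The header names am-eai-user-id, am-eai-auth-level and am-eai-pac are WebSEAL's default EAI response headers, which this page does not list; the session-mode strings, the SessionEntry fields, the Outcome record and the usid_map dictionary are modelling choices of this example.

```python
"""Model of WebSEAL's EAI credential-replacement decision (illustrative, not WebSEAL code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# WebSEAL's default EAI response header names (assumed here; the page does not list them).
USER_ID_HEADER = "am-eai-user-id"
AUTH_LEVEL_HEADER = "am-eai-auth-level"
PAC_HEADER = "am-eai-pac"


@dataclass(frozen=True)
class SessionEntry:
    """One WebSEAL session cache entry (simplified model)."""
    session_key: str                       # WebSEAL session ID
    user_id: str
    auth_level: int
    stepup_pending: bool = False           # flagged for authentication strength policy
    reauth_pending: bool = False           # flagged for reauthentication
    user_session_id: Optional[str] = None  # externally visible user session ID, if configured


@dataclass
class Outcome:
    action: str                   # pass-through | enforce-stepup | enforce-reauth | replace
    entry: SessionEntry           # the entry the user ends up with
    new_session_key: bool = False
    new_failover_cookie: bool = False
    new_ltpa_cookie: bool = False


def has_auth_data(headers: Dict[str, str]) -> bool:
    """True if the EAI response carries authentication data (a user ID or a PAC)."""
    names = {k.lower() for k in headers}
    return USER_ID_HEADER in names or PAC_HEADER in names


def process_eai_response(cache: Dict[str, SessionEntry], entry: SessionEntry,
                         headers: Dict[str, str], *, session_mode: str,
                         failover_cookies: bool = False, ltpa_cookies: bool = False,
                         usid_map: Optional[Dict[str, str]] = None) -> Outcome:
    """Apply the credential-replacement rules to an already-authenticated session.

    session_mode is "cookie", "ssl-id" or "http-header" (how the client keeps session state).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if not has_auth_data(hdrs):
        # The EAI application answered without authenticating (e.g. served a login form).
        return Outcome("pass-through", entry)
    if entry.stepup_pending:
        return Outcome("enforce-stepup", entry)   # existing credential is kept
    if entry.reauth_pending:
        return Outcome("enforce-reauth", entry)   # existing credential is kept

    # Credential replacement: build the new credential from the EAI headers.
    # (A PAC would be decoded here; this model only reads the user-ID form.)
    user_id = hdrs.get(USER_ID_HEADER, entry.user_id)
    auth_level = int(hdrs.get(AUTH_LEVEL_HEADER, entry.auth_level))

    if session_mode == "cookie":
        new_key, rotated = secrets.token_hex(16), True   # fresh key returned in the cookie
    elif session_mode in ("ssl-id", "http-header"):
        new_key, rotated = entry.session_key, False      # key belongs to the transport; reused
    else:
        raise ValueError(f"unknown session mode: {session_mode}")

    del cache[entry.session_key]                         # old entry is deleted ...
    new_entry = SessionEntry(new_key, user_id, auth_level,
                             user_session_id=entry.user_session_id)
    cache[new_key] = new_entry                           # ... and replaced by a new one
    if usid_map is not None and entry.user_session_id:
        usid_map[entry.user_session_id] = new_key        # keep the user-session-ID mapping current
    return Outcome("replace", new_entry, rotated, failover_cookies, ltpa_cookies)


def demo():
    """Exercise each branch of the rules; returns (session_mode, action, key_rotated) tuples."""
    authenticated = {"am-eai-user-id": "alice", "am-eai-auth-level": "2"}  # constructed sample
    login_page = {"content-type": "text/html"}   # constructed: EAI answered without auth data
    cases = [
        ("cookie", authenticated, {}),
        ("ssl-id", authenticated, {}),
        ("cookie", authenticated, {"stepup_pending": True}),
        ("cookie", authenticated, {"reauth_pending": True}),
        ("cookie", login_page, {}),
    ]
    results = []
    for mode, headers, flags in cases:
        old = SessionEntry("sess-old", "alice", 1, user_session_id="alice-usid", **flags)
        cache, usids = {old.session_key: old}, {old.user_session_id: old.session_key}
        out = process_eai_response(cache, old, headers, session_mode=mode,
                                   failover_cookies=True, usid_map=usids)
        # The user-session-ID mapping must always point at the entry the user ends up with.
        assert usids["alice-usid"] == out.entry.session_key
        results.append((mode, out.action, out.new_session_key))
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point worth noticing is that only the session-cookie path issues a fresh session key; with SSL session IDs or HTTP headers the key is owned by the transport and is reused, so the replaced credential lives under the same identifier as the old one. Failover and LTPA cookies, where configured, are re-issued on every replacement regardless of session mode.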
Credential replacement through the external authentication interface is needed, for example, to support the account-linking feature that the Liberty federate function provides. A Federation Runtime environment must be able to reauthenticate a previously authenticated user in order to perform a Liberty federate operation (Liberty Alliance Project), which links a local account at a service provider with an account at an identity provider.
To do this, the user first signs in at the service provider and consents to linking that account with the identity provider. Once the federate operation completes, the browser returns to the service provider, where the user's credential is replaced with the new credential generated by the identity provider.