Forwarding of original client BA header information
Understand how original client basic authentication information is sent to the back-end server without interference and the conditions required for this implementation.
The -b ignore option instructs WebSEAL to pass the original client basic authentication (BA) header straight to the back-end server without interference. WebSEAL can be configured to authenticate this BA client information. WebSEAL can also be configured to ignore the BA header that is supplied by the client and forward the header without modification to the back-end server.
This implementation is not a true single signon mechanism, but rather a direct login to the third-party server, not apparent to WebSEAL.
The following conditions exist for this solution:
- The back-end server requires client identity information through BA.
  The back-end server sends a Basic Authentication challenge back to the client. The client responds with user name and password information, which the WebSEAL server passes through without modification.
- The back-end server maintains its own client-supplied passwords.
- WebSEAL is configured to supply the back-end server with the user name and password that is contained in the original client request.
- Because sensitive authentication information (user name and password) is passed across the junction, the security of the junction is important. An SSL junction is most appropriate.
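The last condition can be checked mechanically. The following Python script is an added example, not part of the IBM documentation: it scans pdadmin junction-creation commands and reports junctions that use -b ignore without an SSL junction type. The instance name, hosts and junction points in the sample are constructed, and the parser assumes the junction point is the last token on each line.

```python
import shlex

# Junction types whose WebSEAL-to-back-end leg is encrypted.
ENCRYPTED_TYPES = {"ssl", "sslproxy"}


def parse_junction(command):
    """Extract junction point, -t type and -b mode from a pdadmin 'create' line."""
    tokens = shlex.split(command)
    if "create" not in tokens:
        return None
    args = tokens[tokens.index("create") + 1:]
    if not args:
        return None
    # WebSEAL uses -b filter when no -b option is given.
    info = {"point": args[-1], "type": None, "ba": "filter"}
    for flag, value in zip(args, args[1:]):
        if flag == "-t":
            info["type"] = value.lower()
        elif flag == "-b":
            info["ba"] = value.lower()
    return info


def cleartext_ba_junctions(commands):
    """Return junction points that forward the client BA header unencrypted."""
    findings = []
    for line in commands:
        info = parse_junction(line)
        if info and info["ba"] == "ignore" and info["type"] not in ENCRYPTED_TYPES:
            findings.append(info["point"])
    return findings


# Constructed sample input (assumption: one 'server task ... create' per line).
SAMPLE = [
    "server task default-webseald-gw.example.com create -t tcp -b ignore -h app1.example.com -p 80 /legacy",
    "server task default-webseald-gw.example.com create -t ssl -b ignore -h app2.example.com -p 443 /partner",
    "server task default-webseald-gw.example.com create -t tcp -h app3.example.com /static",
]

if __name__ == "__main__":
    for point in cleartext_ba_junctions(SAMPLE):
        # The BA header is only base64-encoded, so a TCP junction exposes the password.
        print(f"{point}: -b ignore on a non-SSL junction")
```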