Client identity information across junctions

Client identity information across junctions

A junction can be set up to specify client identity information in BA headers. The -b option allows four possible arguments: filter, supply, ignore, global signon. The -b option has an impact on the junction settings for mutual authentication and we must consider the correct combination of options.

-b supply

WebSEAL authentication with a BA header is not allowed with this option. This option uses the BA header for the original client user name and a dummy password.
WebSEAL authentication with a client certificate is allowed with this option.

-b ignore

WebSEAL authentication with a BA header is not allowed with this option. This option uses the BA header for the original client user name and password.
WebSEAL authentication with a client certificate is allowed with this option.

-b gso

WebSEAL authentication with a BA header is not allowed with this option. This option uses the BA header for user name and password information that is supplied by the GSO server.
WebSEAL authentication with a client certificate is allowed with this option.

-b filter

Internally, the -b filter option is used when WebSEAL authentication is set to use BA header information. The BA header is used for all subsequent HTTP transactions. To the back-end server, WebSEAL appears logged on always.
WebSEAL authentication with a client certificate is allowed with this option.
If the back-end server requires actual client identity (from the browser), the CGI variables HTTP_IV_USER, HTTP_IV_GROUP, and HTTP_IV_CREDS can be used. For scripts and servlets, use the corresponding ISAM HTTP headers: iv-user, iv-groups, iv-creds.

Parent topic: Single Sign-on Solutions