Passing of session cookies to junctioned portal servers
A Web portal is a server that offers a broad array of personalized resources and services. The -k junction option allows us to send the ISAM session cookie (originally established between the client and WebSEAL) to a back-end portal server.
When a client requests a personal resource list from the portal server, the portal server builds this list by accessing resources located on other supporting application servers, also protected by WebSEAL. The session cookie allows the portal server to perform seamless single signon to these application servers, on behalf of the client.
You include the -k option, without arguments, when creating the junction between WebSEAL and the back-end portal server.
The -k option is also supported on virtual host junctions.
The WebSEAL configuration file includes options that provide some control over how session cookies are handled during step-up authentication. The verify-step-up-user option in the [step-up] stanza determines whether the identity of the user performing the step-up operation must match the identity of the user that performed the previous authentication. If this option is set to yes, then the retain-stepup-session option can be used to determine whether the session cookie issued during the step-up operation can be reused or if a new cookie must be issued. If verify-step-up-user is set to no, then a new cookie will always be issued after step-up.
The send-constant-sess option in the [session] stanza enhances the ability to track authenticated sessions. Setting this option to yes enables WebSEAL to send a separate cookie to the junctioned server in addition to the session cookie. The value of this cookie remains constant across a single session, regardless of whether the session key changes. The name of the cookie is configurable. For more details, see the description of the send-constant-sess stanza entry.
Conditions to consider for a portal server configuration:
- For access using user name and password, forms authentication is required. Do not use basic authentication (BA).
- The value of the ssl-id-sessions stanza entry in the [session] stanza of the WebSEAL configuration file must be set to no. For HTTPS communication, this setting forces the use of a session cookie, instead of the SSL session ID, to maintain session state.
- If the portal server is behind a front-end WebSEAL cluster, enable the failover type cookie. The failover cookie contains encrypted credential information that allows authentication to succeed with any replicated WebSEAL server that processes the request.
- The retain-stepup-session option in the [step-up] stanza is only in effect if the verify-step-up-user option is set to yes.
- If WebSEAL is configured to use the distributed session cache for session storage, the verify-step-up-user option must be set to yes to enable step-up operations. If this option is set to no, then WebSEAL does not update the distributed session cache when user identification changes during step-up authentication.
For information about step-up authentication, see Authentication strength concepts.
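As an added example (not from the IBM documentation), the following POSIX shell script checks a webseald.conf against the portal-junction conditions listed above, using two constructed configuration fragments as input. The conf_get and check_portal_conf helpers and all sample values are mine; ba-auth, forms-auth and dsess-enabled are assumed to be the [ba], [forms] and [session] keys that control basic authentication, forms authentication and the distributed session cache (the page itself names only ssl-id-sessions, send-constant-sess, verify-step-up-user and retain-stepup-session).

```shell
#!/bin/sh
# Added example, not from the IBM documentation: check the portal-junction
# conditions from the text against a webseald.conf. The junction itself is
# created with the -k option, for instance in pdadmin (instance name is a
# placeholder):
#   server task default-webseald-HOST create -t ssl -h portal.example.com -k /portal

# conf_get FILE STANZA KEY: print the value of KEY inside [STANZA], or nothing.
# Accepts "key = value" and "key=value", strips "#" comments; first match wins.
conf_get() {
  awk -v s="[$2]" -v k="$3" '
    {
      line = $0
      sub(/#.*/, "", line)                      # drop trailing comment
      gsub(/^[ \t]+|[ \t]+$/, "", line)         # trim
    }
    line ~ /^\[/ { in_s = (line == s); next }   # stanza header
    in_s && (n = index(line, "=")) > 0 {
      key = substr(line, 1, n - 1); gsub(/[ \t]+$/, "", key)
      if (key == k) {
        val = substr(line, n + 1); gsub(/^[ \t]+/, "", val)
        print val; exit
      }
    }
  ' "$1"
}

# check_portal_conf FILE: print every violated condition; return the count (0 = ok).
check_portal_conf() {
  f=$1; bad=0
  # Session state must come from the session cookie, not the SSL session ID.
  [ "$(conf_get "$f" session ssl-id-sessions)" = "no" ] || {
    echo "[session] ssl-id-sessions must be 'no'"; bad=$((bad + 1)); }
  # Forms authentication required; basic authentication must be off (assumed keys).
  ba=$(conf_get "$f" ba ba-auth); forms=$(conf_get "$f" forms forms-auth)
  if [ "$ba" != "none" ] || [ -z "$forms" ] || [ "$forms" = "none" ]; then
    echo "use forms authentication, not BA ([ba] ba-auth / [forms] forms-auth)"; bad=$((bad + 1))
  fi
  # retain-stepup-session only takes effect when verify-step-up-user = yes.
  verify=$(conf_get "$f" step-up verify-step-up-user)
  retain=$(conf_get "$f" step-up retain-stepup-session)
  if [ "$retain" = "yes" ] && [ "$verify" != "yes" ]; then
    echo "[step-up] retain-stepup-session has no effect unless verify-step-up-user = yes"; bad=$((bad + 1))
  fi
  # With the distributed session cache, step-up needs verify-step-up-user = yes.
  if [ "$(conf_get "$f" session dsess-enabled)" = "yes" ] && [ "$verify" != "yes" ]; then
    echo "distributed session cache in use: [step-up] verify-step-up-user must be yes"; bad=$((bad + 1))
  fi
  return $bad
}

# Constructed sample configurations (not real deployment files).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
[ba]
ba-auth = none
[forms]
forms-auth = https
[session]
ssl-id-sessions = no
send-constant-sess = yes
dsess-enabled = yes
[step-up]
verify-step-up-user = yes
retain-stepup-session = yes
EOF
cat >"$BAD_CONF" <<'EOF'
[ba]
ba-auth = https      # basic authentication still enabled
[forms]
forms-auth = none
[session]
ssl-id-sessions = yes
dsess-enabled = yes
[step-up]
verify-step-up-user = no
retain-stepup-session = yes
EOF

echo "== good =="; check_portal_conf "$GOOD_CONF" && echo "ok"
echo "== bad ==";  check_portal_conf "$BAD_CONF" || echo "$? condition(s) violated"
```

The checker reports each violated condition on its own line and uses the count as its exit status, so it can be dropped into a deployment pipeline that fails the build when the portal WebSEAL instance drifts from the settings the page requires.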