HTTP header names for authentication data
Specify the names of the HTTP headers that contain the authentication data returned from the external authentication application. There are four categories of HTTP headers that hold authentication data:
- Privilege Attribute Certificate (PAC) format: The PAC is an ASN.1 data structure used to express identity information. Authentication data returned to WebSEAL in PAC format can be directly converted to a credential.
- WebSEAL user identity structure: The same structure that is generated by WebSEAL's default built-in authentication modules. When the user identity format type is used, the information is processed by the eaiauthn authentication module and a credential is built by the ISAM authorization API.
- Distributed session cache session identifier: Session identifier for a distributed session cache.
- WebSEAL external user identity structure: ISAM can accept identity information from the EAI for external users; that is, users that only exist in a registry external to ISAM. The eai-xattrs-header entry also applies to external users. See:
- Common: The common header category holds additional information and can be used with either the PAC or user identity formats.
Details about these special headers can be found in the External authentication interface HTTP header reference.
Use the [eai] stanza of the WebSEAL configuration file to specify the names of the HTTP headers that contain the authentication data returned from the external authentication interface server. The header names can be customized. The custom external authentication interface authentication module must be written to use the header names as configured. The following examples show the default header names used in the WebSEAL configuration file:
PAC headers:

[eai]
eai-pac-header = am-eai-pac
eai-pac-svc-header = am-eai-pac-svc

User identity headers:

[eai]
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs

External user identity headers:

[eai]
eai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups

Distributed session cache session identifier:

[eai]
eai-session-id-header = am-eai-session-id

Common headers:

[eai]
eai-flags-header = am-eai-flags
eai-redir-url-header = am-eai-redir-url

See:
- External authentication interface - authentication flags
- External authentication interface-specified redirection
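Because the header names can be customized, an EAI application written against the default names stops matching once the [eai] stanza renames them. The following check is an added example, not IBM code: it reads the [eai] entries listed above and reports which header categories a response carries and which default-named headers the configuration has renamed. It assumes the configuration text parses as INI, and the function names, the x-corp-* header names and the sample values are constructed for illustration.

```python
import configparser

# Default header names from this page, keyed by [eai] stanza entry,
# together with the category each entry belongs to.
DEFAULTS = {
    "eai-pac-header": ("am-eai-pac", "pac"),
    "eai-pac-svc-header": ("am-eai-pac-svc", "pac"),
    "eai-user-id-header": ("am-eai-user-id", "user-identity"),
    "eai-auth-level-header": ("am-eai-auth-level", "user-identity"),
    "eai-xattrs-header": ("am-eai-xattrs", "user-identity"),
    "eai-ext-user-id-header": ("am-eai-ext-user-id", "external-user"),
    "eai-ext-user-groups-header": ("am-eai-ext-user-groups", "external-user"),
    "eai-session-id-header": ("am-eai-session-id", "session-id"),
    "eai-flags-header": ("am-eai-flags", "common"),
    "eai-redir-url-header": ("am-eai-redir-url", "common"),
}

def load_header_names(conf_text):
    """Map each [eai] entry to its configured header name (default if unset)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    eai = cp["eai"] if cp.has_section("eai") else {}
    # HTTP header names are case-insensitive, so compare in lowercase.
    return {entry: eai.get(entry, default).strip().lower()
            for entry, (default, _) in DEFAULTS.items()}

def check_response(response_headers, names):
    """Return (categories recognised under the configured names,
    default-named headers that the configuration has renamed)."""
    sent = {h.lower() for h in response_headers}
    configured = set(names.values())
    recognised = sorted({DEFAULTS[e][1] for e, n in names.items() if n in sent})
    stale = sorted(d for d, _ in DEFAULTS.values()
                   if d in sent and d not in configured)
    return recognised, stale

# Constructed sample: a configuration that renames two user identity headers.
SAMPLE_CONF = """
[eai]
eai-user-id-header = x-corp-eai-user
eai-auth-level-header = x-corp-eai-level
"""
# Constructed EAI response: the auth level still uses the default name.
SAMPLE_RESPONSE = {"X-Corp-EAI-User": "alice", "am-eai-auth-level": "2"}

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, load_header_names(SAMPLE_CONF)))
```

A non-empty second list means the application and the configuration disagree on header names, which is the mismatch the paragraph on customized names warns about.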