EAI certificate authentication - web reverse proxy

An external application can also be used to authenticate the client certificate. This external application uses the EAI protocol to provide the authentication data that WebSEAL uses when generating the user credential.

The following diagram highlights the process flow for the authentication operation (figure: EAI certificate authentication process flow):

  1. A request is made for a resource which is protected by WebSEAL. WebSEAL negotiates the client certificate based on the setting of the accept-client-certs configuration entry.

  2. WebSEAL creates a sub-request, which is then sent to the configured EAI application. The URI for the EAI application is configured through the eai-uri configuration entry.

  3. The EAI application authenticates the user (based on the client certificate data) and provides the necessary EAI headers so that WebSEAL can correctly construct the credential for the user. If the authentication fails, the EAI should return no authentication data, which indicates to WebSEAL that an authentication error has occurred. At this point, WebSEAL generates an authentication error page and returns it to the client.

  4. WebSEAL uses the authentication data to build a credential for the user.

  5. Now that the user has been authenticated, WebSEAL continues to process the original request.

  6. The response to the original request is passed back to the client.
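The following is an added example of a minimal EAI application for step 3; it is not WebSEAL code or part of the original page. It assumes that WebSEAL's sub-request carries the client certificate subject and issuer in two request headers (the names `X-Client-Cert-Subject` and `X-Client-Cert-Issuer` are hypothetical; the real header names depend on the WebSEAL EAI configuration) and that the EAI response headers use the default WebSEAL names `am-eai-user-id` and `am-eai-xattrs` (assumed defaults; confirm them in your `[eai]` stanza). The trusted issuer and certificate-to-user mapping are constructed sample data. The security point the example enforces is the failure path: any certificate that is missing, issued by an untrusted CA, or not mapped to a known user yields a response with no EAI headers, so WebSEAL treats the attempt as an authentication error rather than building a credential.

```python
"""Added example: a minimal EAI application for WebSEAL certificate authentication."""
from wsgiref.simple_server import make_server

# Hypothetical request header names in WSGI environ form (HTTP_ prefix).
# Assumed: WebSEAL's sub-request to eai-uri delivers certificate fields this way.
CERT_SUBJECT_HEADER = "HTTP_X_CLIENT_CERT_SUBJECT"
CERT_ISSUER_HEADER = "HTTP_X_CLIENT_CERT_ISSUER"

# Assumed default WebSEAL EAI response header names (check the [eai] stanza).
EAI_USER_ID_HEADER = "am-eai-user-id"
EAI_XATTRS_HEADER = "am-eai-xattrs"   # comma-separated list of extra headers to copy

# Constructed trust data: only certificates from this issuer may map to users.
TRUSTED_ISSUERS = {"CN=Example Corp Issuing CA,O=Example Corp,C=US"}
# Constructed directory: normalized subject DN -> WebSEAL user ID.
CERT_TO_USER = {
    "CN=alice,OU=Engineering,O=Example Corp,C=US": "alice",
    "CN=bob,OU=Finance,O=Example Corp,C=US": "bob",
}


def parse_dn(dn):
    """Split an RFC 4514 string DN into (ATTR, value) pairs, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def normalize_dn(dn):
    """Canonical form for comparison: upper-case attribute types, no stray whitespace."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(dn))


def authenticate(subject_dn, issuer_dn):
    """Return the EAI headers for an acceptable certificate, or {} on any failure.

    An empty result is the signal WebSEAL expects for an authentication error.
    """
    if not subject_dn or not issuer_dn:
        return {}
    trusted = {normalize_dn(i) for i in TRUSTED_ISSUERS}
    if normalize_dn(issuer_dn) not in trusted:
        return {}                      # issued by a CA we do not trust
    user = CERT_TO_USER.get(normalize_dn(subject_dn))
    if user is None:
        return {}                      # valid issuer, but no user mapped to this subject
    org_unit = dict(parse_dn(subject_dn)).get("OU", "")
    # am-eai-xattrs names headers whose values become credential extended attributes.
    return {EAI_USER_ID_HEADER: user, EAI_XATTRS_HEADER: "cert_ou", "cert_ou": org_unit}


def eai_app(environ, start_response):
    """WSGI entry point that WebSEAL's sub-request (eai-uri) would reach."""
    eai_headers = authenticate(environ.get(CERT_SUBJECT_HEADER),
                               environ.get(CERT_ISSUER_HEADER))
    # On failure the response deliberately carries no EAI headers at all.
    start_response("200 OK", [("Content-Type", "text/plain")] + list(eai_headers.items()))
    return [b"ok" if eai_headers else b"authentication failed"]


if __name__ == "__main__":
    # Constructed local listener; in practice reach this only through WebSEAL.
    with make_server("127.0.0.1", 8080, eai_app) as server:
        server.serve_forever()
```

Because WebSEAL builds the credential from the headers in the EAI response, the application should be reachable only via WebSEAL's sub-request and must never copy EAI-named headers from the incoming client request into its response.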

Parent topic: Configuration of the certificate authentication mechanism