Extracting authentication data from special HTTP headers

WebSEAL examines a response for special headers when a trigger URL is detected in the corresponding request.

The special HTTP headers contain authentication data provided by the custom external authentication application. The presence of either the PAC header or the user identity header causes WebSEAL to extract the authentication data from the headers and build a credential for the user. The session identifier header causes WebSEAL to retrieve the specified session from the distributed session cache.

WebSEAL follows a specific sequence for processing the special HTTP authentication headers:

Steps

  1. If the session identifier header is present, it takes precedence over the other authentication headers.

  2. If both the PAC header and the user identity header are present, the PAC data takes precedence and any user identity data is ignored.

  3. If neither the PAC header nor the user identity header is present, the response is streamed back to the client. This behavior also allows the external authentication application to perform authentication error handling.

  4. If either the PAC or user identity header is present, but the header value is NULL or corrupted, an error is returned. Such an error can occur if an external authentication interface server is incorrectly configured.
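The following added example (not IBM or WebSEAL code) models the sequence above so that the responses of an external authentication application can be checked in a unit test before deployment. The header names are assumed values; substitute the names configured on your WebSEAL instance. Only an empty value is treated as NULL, because detecting a corrupted value requires WebSEAL itself.

```python
from enum import Enum

# Assumed header names; use the names configured on your WebSEAL instance.
SESSION_HEADER = "am-eai-session-id"
PAC_HEADER = "am-eai-pac"
USER_HEADER = "am-eai-user-id"


class Outcome(Enum):
    SESSION_LOOKUP = "retrieve session from distributed session cache"
    BUILD_FROM_PAC = "build credential from PAC data"
    BUILD_FROM_USER = "build credential from user identity"
    STREAM_RESPONSE = "stream response back to client"
    ERROR = "return error"


def classify_eai_response(headers):
    """Predict how a trigger-URL response is handled, given its headers.

    `headers` is an iterable of (name, value) pairs as sent by the external
    authentication application. The request is assumed to have matched a
    trigger URL already.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    seen = {name.strip().lower(): (value or "").strip() for name, value in headers}

    # Step 1: the session identifier header overrides everything else.
    if SESSION_HEADER in seen:
        return Outcome.SESSION_LOOKUP
    # Step 2: PAC is checked before user identity, so user identity data is
    # ignored whenever a PAC header is present. Treating an empty PAC as an
    # error even when a user identity is also sent is this model's reading
    # of steps 2 and 4 combined.
    if PAC_HEADER in seen:
        return Outcome.BUILD_FROM_PAC if seen[PAC_HEADER] else Outcome.ERROR
    if USER_HEADER in seen:
        # Step 4: header present but value NULL.
        return Outcome.BUILD_FROM_USER if seen[USER_HEADER] else Outcome.ERROR
    # Step 3: no authentication headers, e.g. an error page from the application.
    return Outcome.STREAM_RESPONSE


if __name__ == "__main__":
    # Constructed sample response: an application that sets only a user identity.
    sample = [("Content-Type", "text/html"), ("AM-EAI-USER-ID", "testuser")]
    print(classify_eai_response(sample).value)
```

A test suite for the external authentication application can assert that every successful login path yields exactly one of the credential-building outcomes and that every failure path yields `STREAM_RESPONSE` rather than `ERROR`.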
