Secret token validation

You can configure WebSEAL to require that certain management operation requests include a secret token. WebSEAL uses the secret token in the received request to validate its authenticity.

Secret token validation affects the following WebSEAL management pages:
  • /pkmslogin.form
  • /pkmslogout
  • /pkmslogout-nomas
  • /pkmssu.form
  • /pkmsskip
  • /pkmsdisplace
  • /pkmspaswd.form
  • /pkmsoidc

Use the enable-secret-token-validation configuration entry in the [acnt-mgt] stanza to enable secret token validation. By default, enable-secret-token-validation is set to false, which disables secret token validation.

If you want WebSEAL to use secret token validation, set this entry to true:

[acnt-mgt]
enable-secret-token-validation = true

When secret token validation is enabled, WebSEAL adds a token to each session and validates the "token" query argument for these account management requests. For example, the request to /pkmslogout changes to /pkmslogout?token=<value>, where <value> is the unique session token.

Note: This setting modifies the URLs for these WebSEAL management pages. Each of the affected management requests must contain a "token" argument with the current session token. For example, /pkmslogout?token=a861582a-c445-4462-94c9-b1074e135b9f.

If secret token validation is enabled and the token argument is missing from the request or does not match the real session token, WebSEAL returns a "400 Bad Request" error page.
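The following is an added, illustrative model of the rule just described (it is not WebSEAL's own code): a request to one of the affected management pages must carry a "token" query argument equal to the session token, otherwise it is answered with 400. The function names, the constant-time comparison and the sample token value are assumptions made for the example.

```python
"""Illustrative model of WebSEAL secret token validation (added example,
not WebSEAL's code). When enable-secret-token-validation = true, a request
to an affected management page must carry a "token" query argument equal
to the session token; otherwise the response is 400 Bad Request."""
import hmac
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Management pages affected by secret token validation (from the text).
PROTECTED_PAGES = frozenset({
    "/pkmslogin.form", "/pkmslogout", "/pkmslogout-nomas", "/pkmssu.form",
    "/pkmsskip", "/pkmsdisplace", "/pkmspaswd.form", "/pkmsoidc",
})


def validate_request(url, session_token, enable_secret_token_validation=True):
    """Return the HTTP status the request would get: 200 if the check passes
    (or does not apply), 400 if the token is missing, duplicated or wrong."""
    parts = urlsplit(url)
    if not enable_secret_token_validation or parts.path not in PROTECTED_PAGES:
        return 200
    tokens = parse_qs(parts.query).get("token", [])
    if len(tokens) != 1:
        return 400
    # Constant-time comparison (assumed here), so the check does not leak
    # how many leading characters of a wrong value matched.
    if not hmac.compare_digest(tokens[0].encode(), session_token.encode()):
        return 400
    return 200


def add_session_token(url, session_token):
    """Rewrite a management URL so it carries the current session token,
    which is what a page does when it builds links to these requests
    (for example from the CREDATTR{tagvalue_session_index} macro)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    query["token"] = [session_token]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


if __name__ == "__main__":
    # Constructed sample token in the UUID shape shown in the text.
    token = "a861582a-c445-4462-94c9-b1074e135b9f"
    print(validate_request("/pkmslogout", token))                            # 400
    print(validate_request(add_session_token("/pkmslogout", token), token))  # 200
```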

If you are using secret token validation, then WebSEAL includes the session token as the tagvalue_session_index attribute in the user credential. WebSEAL provides a CREDATTR macro that you can use to access a credential attribute and insert it into the following locations:

To reference the secret token, use the CREDATTR{tagvalue_session_index} macro.

Note: Secret token validation does not affect the CDSSO or eCSSO functionality in WebSEAL.