External authentication interface HTTP header reference

Table 1. PAC headers

| Description | Stanza Entry | Default Header Name | Required | Notes |
|---|---|---|---|---|
| PAC | [eai] eai-pac-header | am-eai-pac | yes | Authentication data in PAC format. Direct conversion to credential. This header takes precedence over the user identity header. Place this header before others in the response headers. |
| PAC Service ID | [eai] eai-pac-svc-header | am-eai-pac-svc | no | The service ID that is used to convert the PAC into a credential. If no service ID is specified, the default PAC service will be used. |

Table 2. User identity headers

| Description | Stanza Entry | Default Header Name | Required | Notes |
|---|---|---|---|---|
| User Identity | [eai] eai-user-id-header | am-eai-user-id | yes | The ID of the user to generate the credential for. This header must precede all others in the HTTP response. |
| Authentication Level | [eai] eai-auth-level-header | am-eai-auth-level | no | The authentication strength level for the generated credential. If no value is specified, a default value of 1 is used. |
| Extended Attribute List | [eai] eai-xattrs-header | am-eai-xattrs | no | A comma-delimited list of HTTP header names to be added to the credential as extended attributes. If attributes of the same name are specified by a custom authentication module built with the external authentication C API, the attributes from the custom module take precedence over the HTTP header attributes. |
| External user identity | [eai] eai-ext-user-id-header | am-eai-ext-user-id | no | Specifies the name of the header that contains the ID of the external (not in the Verify Identity Access user registry) user to use when creating a credential. |
| External group identity | [eai] eai-ext-user-groups-header | am-eai-ext-user-groups | no | Specifies the name of the header that contains the group or groups an external user is to be considered a member of when generating a credential. This entry is only used when the eai-ext-user-id-header stanza entry's value is provided. |

Table 3. Session identifier headers

| Description | Stanza Entry | Default Header Name | Required | Notes |
|---|---|---|---|---|
| Session Identifier | [eai] eai-session-id-header | am-eai-session-id | yes | The identifier of the distributed session managed by the Session Management Server. |

Table 4. Common headers

| Description | Stanza Entry | Default Header Name | Required | Notes |
|---|---|---|---|---|
| Redirect URL | [eai] eai-redir-url-header | am-eai-redir-url | no | Only used if WebSEAL does not have a cached request or when automatic redirection is not enabled. Specifies the URI that the client is redirected to upon successful authentication. If no URI is specified, the "login-success" page is returned. |
| Flags header | [eai] eai-flags-header | am-eai-flags | no | The only supported flag is stream (am-eai-flags: stream). |
| Error text | [eai] eai-error-text-header | am-eai-error-text | no | Specifies the name of a header that contains the error message that is inserted into WebSEAL generated error pages by using the %ERROR_TEXT% macro. |
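
The ordering, precedence and dependency rules in Tables 1 and 2 can be checked before an EAI application is deployed. The following linter is an added example, not IBM code: the function name, the x-dept header and the sample responses are constructed, and the order in which non-PAC identity headers are considered is an assumption.

```python
# Default header names from Tables 1-3; the [eai] stanza can rename them.
# The checks are this example's reading of the tables, not WebSEAL's own logic.
PAC, USER_ID, SESSION_ID = "am-eai-pac", "am-eai-user-id", "am-eai-session-id"
LEVEL, XATTRS = "am-eai-auth-level", "am-eai-xattrs"
EXT_ID, EXT_GROUPS = "am-eai-ext-user-id", "am-eai-ext-user-groups"


def lint_eai_response(headers):
    """Return (summary, findings) for an ordered list of (name, value) headers."""
    names = [name.lower() for name, _ in headers]
    values = {name.lower(): value.strip() for name, value in headers}
    findings = []

    # PAC outranks the user identity header (Table 1); the order among the
    # remaining identity headers is an assumption of this example.
    present = [h for h in (PAC, USER_ID, EXT_ID, SESSION_ID) if h in values]
    source = present[0] if present else None
    if source is None:
        findings.append("no identity header: nothing to build a credential from")
    if PAC in values and USER_ID in values:
        findings.append(f"{USER_ID} is ignored because {PAC} takes precedence")
    # The PAC and user identity headers must come before every other header.
    if source in (PAC, USER_ID) and names[0] != source:
        findings.append(f"{source} must be the first response header")

    level = values.get(LEVEL, "1")  # Table 2: the default level is 1
    if not level.isdigit():
        findings.append(f"{LEVEL} is not a number: {level!r}")

    # am-eai-xattrs lists other response headers to copy into the credential.
    xattrs = {}
    listed = [x.strip().lower() for x in values.get(XATTRS, "").split(",")]
    for item in filter(None, listed):
        if item in values:
            xattrs[item] = values[item]
        else:
            findings.append(f"{XATTRS} names a header not in the response: {item}")

    if EXT_GROUPS in values and EXT_ID not in values:
        findings.append(f"{EXT_GROUPS} is only used together with {EXT_ID}")
    return {"source": source, "auth_level": level, "xattrs": xattrs}, findings


# Constructed sample responses (not captured traffic).
GOOD = [("am-eai-user-id", "alice"), ("am-eai-xattrs", "x-dept"),
        ("x-dept", "finance"), ("Content-Type", "text/html")]
BAD = [("Content-Type", "text/html"), ("am-eai-auth-level", "high"),
       ("am-eai-user-id", "bob"), ("am-eai-pac", "CONSTRUCTED-PAC"),
       ("am-eai-xattrs", "dept"), ("am-eai-ext-user-groups", "admins")]
```

Running the linter over an EAI application's responses in a test suite catches a misplaced identity header or a dangling am-eai-xattrs entry before WebSEAL ever sees it.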

EAI Server Task

The am-eai-server-task HTTP header, when included in an EAI response, contains a specific task that will be performed by WebSEAL. The supported tasks include the following.

Table 5. Supported server tasks

| Value | Description |
|---|---|
| logout session | Log out the current user session. |
| force-reauthenticate session <user session id> | Require a user session to be reauthenticated the next time that the session, which is identified by the supplied session identifier, is accessed. |
| terminate session <user session id> | Terminate the user session that is associated with the provided session identifier. |
| terminate all_sessions <username> | Terminate all user sessions that are owned by the specified user. |