HTTP header names for authentication data

You must specify the names of the HTTP headers that contain the authentication data returned from the external authentication application.

There are four categories of HTTP headers that hold authentication data:

  • Privilege Attribute Certificate (PAC) format

    The PAC is an ASN.1 data structure used to express identity information. Authentication data returned to WebSEAL in PAC format can be directly converted to a credential.

  • WebSEAL user identity structure

    The WebSEAL user identity structure is the same structure generated by WebSEAL's default built-in authentication modules. When the user identity format type is used, the information is processed by the eaiauthn authentication module and a credential is built by the Verify Identity Access authorization API.

  • Distributed session cache session identifier

    The session identifier is for a distributed session that is managed by the distributed session cache. See Sharing sessions across multiple DNS domains.

  • WebSEAL external user identity structure

    Verify Identity Access can accept identity information from the EAI for external users; that is, users that only exist in a registry external to Verify Identity Access. The eai-xattrs-header entry also applies to external users. See External authentication interface overview. For more information about the [eai] stanza, see the Web Reverse Proxy Stanza Reference topics in the IBM Knowledge Center.

  • Common

    The common header category holds additional information and can be used with either the PAC or user identity formats.

Complete details about these special headers can be found in the External authentication interface HTTP header reference.

Use the [eai] stanza of the WebSEAL configuration file to specify the names of the HTTP headers that contain the authentication data returned from the external authentication interface server. The header names can be customized. The custom external authentication interface authentication module must be written to use the header names as configured.

The following examples show the default header names used in the WebSEAL configuration file:

PAC headers:

[eai]
eai-pac-header = am-eai-pac
eai-pac-svc-header = am-eai-pac-svc

User identity headers:

[eai]
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs

External user identity headers:

[eai]
eai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups

Distributed session cache session identifier:

[eai]
eai-session-id-header = am-eai-session-id

Common headers:

[eai]
eai-flags-header = am-eai-flags
eai-redir-url-header = am-eai-redir-url

For more information about using the eai-flags-header common header, see External authentication interface - authentication flags.

For more information about using the eai-redir-url-header common header, see External authentication interface-specified redirection.
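
Because the custom module must use the header names as configured, a deployment check can read the [eai] stanza and compare it with what the external authentication application emits. The following is an added example, not IBM code; the customized names (x-corp-eai-user, x-corp-eai-level), the sample configuration and the function names are constructed for illustration.

```python
# Added example, not IBM code. Reads the [eai] stanza, builds user identity
# headers with the configured names, and flags names WebSEAL would not match.

# Constructed sample: a site that renamed two of the default header names.
SAMPLE_CONF = """\
[server]
https-port = 443

[eai]
# customized names
eai-user-id-header = x-corp-eai-user
eai-auth-level-header = x-corp-eai-level
eai-xattrs-header = am-eai-xattrs
eai-redir-url-header = am-eai-redir-url
"""

def eai_header_names(conf_text):
    """Return {entry: header name} for *-header entries in the [eai] stanza."""
    names, stanza = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "eai" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.endswith("-header") and value:
                names[key] = value.lower()  # HTTP header names are case-insensitive
    return names

def build_identity_headers(names, user_id, auth_level):
    """Build user identity response headers using the configured names."""
    return {
        names["eai-user-id-header"]: user_id,
        names["eai-auth-level-header"]: str(auth_level),
    }

def unrecognized(names, emitted):
    """Authentication headers the application sets that match no configured name."""
    configured = set(names.values())
    return sorted(h for h in emitted if h.lower() not in configured)

if __name__ == "__main__":
    names = eai_header_names(SAMPLE_CONF)
    print(build_identity_headers(names, "jdoe", 1))
    # An application still hard-coding the default name is caught here.
    print(unrecognized(names, ["am-eai-user-id", "x-corp-eai-level"]))
```

Pass `unrecognized` only the authentication headers the application sets, not ordinary response headers such as Content-Type.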