HTTP Header Authentication

Edit online

About this task

My webMethods Server can be configured to accept External HTTP authentication credentials from third-party security and access control products (such as Computer Associates, Oblix, and so forth). These credentials are case sensitive, depending on platform and web server and are most likely to be headers such as sm_user or SM_USER.

When you configure and set up HTTP header authentication within My webMethods Server, the server uses credentials from a third-party authentication engine. Typically, these third parties use a security agent to intercept the request prior its getting to the server. The basic flow of events in this request is:

Procedure

  1. The user attempts to go to a server resource.
  2. Prior to connecting to the server, if the third-party security agent does not see the proper credentials, the agent redirects the user to a mechanism that gathers credentials.
  3. The user provides the credentials and is then redirected back to the server resource.
  4. The server reads the appropriate HTTP header and maps the user appropriately.
    To configure this interaction between the server and the third-party security agent, you need to take these actions.
  5. After My webMethods Server installation, configure the third-party product to protect the server, which typically involves creating a policy that protects the server URL.
  6. Verify that the server and the third-party security product are configured to look at the same directory store. For more information on directory services, see Managing External Data Sources.
  7. Configure the server to look for the right HTTP header. For more information, see Configuring External Configuration Credentials.
    Note: In the case of SiteMinder from Computer Associates, it is also necessary to specify the Logout URI in SiteMinder. In the SiteMinder Administrator applet, modify the logoutURI attribute to be '/?method=logout' (without the quotes)
    Important: The HTTP Header Authentication Administration page should only be enabled if you are using a third-party security provider. After the page is enabled, the server acts as though all users have been authenticated.