HTTP header names for authentication data
You must specify the names of the HTTP headers that contain the authentication data returned from the external authentication application.
There are four categories of HTTP headers that hold authentication data:
- Privilege Attribute Certificate (PAC) format
The PAC is an ASN.1 data structure used to express identity information. Authentication data returned to WebSEAL in PAC format can be directly converted to a credential.
- WebSEAL user identity structure
The WebSEAL user identity structure is the same structure generated by WebSEAL's default built-in authentication modules. When the user identity format type is used, the information is processed by the eaiauthn authentication module and a credential is built by the Security Access Manager authorization API.
- Distributed session cache session identifier
The session identifier is for a distributed session that is managed by the distributed session cache. See Sharing sessions across multiple DNS domains.
- WebSEAL external user identity structure
Security Access Manager can accept identity information from the EAI for external users; that is, users that only exist in a registry external to Security Access Manager. The eai-xattrs-header entry also applies to external users. See External authentication interface overview. For more information about the [eai] stanza, see the Web Reverse Proxy Stanza Reference topics in the IBM Knowledge Center.
- Common
The common header category holds additional information and can be used with either the PAC or user identity formats.
Complete details about these special headers can be found in the External authentication interface HTTP header reference.
Use the [eai] stanza of the WebSEAL configuration file to specify the names of the HTTP headers that contain the authentication data returned from the external authentication interface server. The header names can be customized. The custom external authentication interface authentication module must be written to use the header names as configured.
The following examples show the default header names used in the WebSEAL configuration file:
PAC headers:
[eai]
eai-pac-header = am-eai-pac
eai-pac-svc-header = am-eai-pac-svc
User identity headers:
[eai]
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs
External user identity headers:
[eai]
eai-ext-user-id-header = am-eai-ext-user-id
eai-ext-user-groups-header = am-eai-ext-user-groups
Distributed session cache session identifier:
[eai]
eai-session-id-header = am-eai-session-id
Common headers:
[eai]
eai-flags-header = am-eai-flags
eai-redir-url-header = am-eai-redir-url
For more information about using the eai-flags-header common header, see External authentication interface - authentication flags.
For more information about using the eai-redir-url-header common header, see External authentication interface-specified redirection.
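The following added example (not IBM code) checks the requirement above that the external authentication application use the header names configured in the [eai] stanza: it resolves the configured names and flags response headers that still use a default name after the entry was renamed. The function names, the renamed header x-example-eai-user and the sample response are constructed; the parser assumes `[stanza]` lines, `key = value` entries and `#` comments.

```python
# Default header names as listed on this page.
DEFAULTS = {
    "eai-pac-header": "am-eai-pac",
    "eai-pac-svc-header": "am-eai-pac-svc",
    "eai-user-id-header": "am-eai-user-id",
    "eai-auth-level-header": "am-eai-auth-level",
    "eai-xattrs-header": "am-eai-xattrs",
    "eai-ext-user-id-header": "am-eai-ext-user-id",
    "eai-ext-user-groups-header": "am-eai-ext-user-groups",
    "eai-session-id-header": "am-eai-session-id",
    "eai-flags-header": "am-eai-flags",
    "eai-redir-url-header": "am-eai-redir-url",
}

def load_eai_header_names(conf_text):
    """Map each [eai] entry to its configured header name (default if unset)."""
    names, stanza = dict(DEFAULTS), None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "eai" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in DEFAULTS and value:
                names[key] = value
    return names

def check_response(response_headers, names):
    """Split EAI response headers into recognized entries and stale default names."""
    configured = {header.lower(): entry for entry, header in names.items()}
    defaults = {header: entry for entry, header in DEFAULTS.items()}
    recognized, stale = {}, []
    for header, value in response_headers.items():
        lowered = header.lower()  # HTTP header names are case-insensitive
        if lowered in configured:
            recognized[configured[lowered]] = value
        elif lowered in defaults:
            # Default name sent, but the stanza renamed this entry.
            stale.append((header, names[defaults[lowered]]))
    return recognized, stale

# Constructed sample: only the user identity header is renamed.
SAMPLE_CONF = """\
[eai]
eai-user-id-header = x-example-eai-user
"""
# Constructed response from an EAI application still using the default name.
SAMPLE_RESPONSE = {"Am-Eai-User-Id": "alice", "am-eai-auth-level": "2"}
```

Each entry in the second return value pairs the header the application sent with the name the stanza actually expects.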