Propagate Single Sign-on Using ClientValuePropagatingLoginModule

Applications can use session personalization values or HTTP headers and cookies to pass data that should be used for single sign-on into the Enterprise Information System (EIS) backend. The ClientValuePropagatingLoginModule enables administrators to add client values as named credentials, name principals, and role principals to the authenticated subject.

Adding client values as named credentials allows them to be used for single sign-on. When authenticating the user using a token from the client session, if the corresponding login module is unable to retrieve the user name from the token and add it as a principal for use in impersonation checking, the administrator can configure this provider to add the appropriate header value from the client session as a principal to the authenticated subject.

If there are session personalization values that an application is using as single sign-on data, the values are available to the Web server by using:

Note: Rogue applications could intentionally insert HTTP headers with arbitrary values to obtain principals, roles, or credentials that they otherwise would not receive using the other login modules. Use this login module only in an environment where you know what the Network Edge behavior is and have ensured that applications cannot bypass or override that environment.

To avoid a client setting the client personalization key or HTTP header/cookie value to work around the impersonation check, only use this configuration when the SSO framework requires it and the deployed applications ensure that the client cannot manipulate the headers set into the session. HTTP headers set by the network edge take precedence over the client personalization key. For more information, see Impersonation Prevention Using the checkImpersonation Property.

This login module does not authenticate the subject but adds the NamedCredential if the user is successfully authenticated by other login modules. It always returns "false" from the login method and should always be configured with the controlFlag set to "optional" to avoid affecting the outcome of the authentication process. See controlFlag Attribute Values.

Configuration Options for ClientValuePropagatingLoginModule

| Configuration Option | Default Value | Description |
|---|---|---|
| ClientHttpValuesAsNamedCredentials | None | Comma-separated list of mappings that specify the names of the client values and the name of the credential to add them as. For example: `httpHeaderName:credentialName1,httpCookieName:credentialName2,personalizationParameterName1:credentialName3` |
| ClientHttpValuesAsNamePrincipals | None | Comma-separated list of values from the client HTTP map that should be added as name principals after successful authentication. |
| ClientHttpValuesAsRolePrincipals | None | Comma-separated list of values from the client HTTP map that should be added as role principals after successful authentication. |
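As an added illustration (not the product's own code), the following Python models the mapping syntax of the options above and the two behaviors the text describes: network-edge headers override the client personalization key, and nothing is added to a subject that another module has not already authenticated. The client-value names, the Subject model, the assumption that the principal lists name entries of the client map, and the ordering of cookies relative to headers are assumptions for the example.

```python
from dataclasses import dataclass, field


def parse_mappings(spec):
    """Parse 'clientValueName:credentialName,...' into ordered pairs.
    An item without ':' maps to itself (used for the principal lists)."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        src, _, dst = item.partition(":")
        pairs.append((src.strip(), (dst or src).strip()))
    return pairs


def client_values(edge_headers, cookies, personalization):
    """Merge the client sources into one map. The documented rule is that
    headers set by the network edge take precedence over the personalization
    key; placing cookies between the two is an assumption of this example."""
    merged = {}
    merged.update(personalization)
    merged.update(cookies)
    merged.update(edge_headers)  # last write wins, so edge headers override
    return merged


@dataclass
class Subject:
    authenticated: bool = False          # set by the other login modules
    named_credentials: dict = field(default_factory=dict)
    name_principals: set = field(default_factory=set)
    role_principals: set = field(default_factory=set)


def propagate(subject, values, creds_spec="", names_spec="", roles_spec=""):
    """Model of the module: login() is always False (it never authenticates),
    and entries are added only when another module already succeeded."""
    if not subject.authenticated:
        return False
    for src, cred in parse_mappings(creds_spec):
        if src in values:
            subject.named_credentials[cred] = values[src]
    for src, _ in parse_mappings(names_spec):
        if src in values:
            subject.name_principals.add(values[src])
    for src, _ in parse_mappings(roles_spec):
        if src in values:
            subject.role_principals.add(values[src])
    return False
```

In the constructed input below, a client-supplied personalization value that collides with an edge-set header is discarded in favor of the header, which is the situation the impersonation note warns about.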