Applications can use session personalization values or HTTP headers and cookies to pass data that should be used for single sign-on into the Enterprise Information System (EIS) backend. The ClientValuePropagatingLoginModule enables administrators to add client values as named credentials, name principals, and role principals to the authenticated subject.
Adding client values as named credentials allows them to be used for single sign-on. When authenticating the user using a token from the client session, if the corresponding login module is unable to retrieve the user name from the token and add it as a principal for use in impersonation checking, the administrator can configure this provider to add the appropriate header value from the client session as a principal to the authenticated subject.
To prevent a client from setting the client personalization key or an HTTP header/cookie value to work around the impersonation check, use this configuration only when the SSO framework requires it and the deployed applications ensure that the client cannot manipulate the headers set into the session. HTTP headers set by the network edge take precedence over the client personalization key. For more information, see Impersonation Prevention Using the checkImpersonation Property.
This login module does not authenticate the subject; it adds the NamedCredential only if the user has been successfully authenticated by other login modules. It always returns “false” from the login method and should always be configured with the controlFlag set to “optional” so that it does not affect the outcome of the authentication process. See controlFlag Attribute Values.
Configuration Option | Default Value | Description |
---|---|---|
ClientHttpValuesAsNamedCredentials | None | Comma separated list of mappings that specify the names of the client values and the name of the credential to add them as. For example: httpHeaderName:credentialName1 httpCookieName:credentialName2 personalizationParameterName1:credentialName3 |
ClientHttpValuesAsNamePrincipals | None | Comma separated list of values from the client HTTP map that should be added as name principals after successful authentication. |
ClientHttpValuesAsRolePrincipals | None | Comma separated list of values from the client HTTP map that should be added as role principals after successful authentication. |
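The following is an added illustration, not the product's own code, of how a ClientHttpValuesAsNamedCredentials mapping could be parsed and applied: the clientValueName:credentialName syntax, the rule that credentials are added only after another module authenticated the user, and the precedence of edge-set HTTP headers over the personalization key come from the text above, while the function names, the position of cookies in the lookup order and all sample values are assumptions.

```python
# Added example, not the product's code: a minimal model of applying a
# ClientHttpValuesAsNamedCredentials mapping. The name:credential syntax,
# "add only after successful authentication" and "edge headers beat the
# personalization key" are from the page; names and sample data are assumed.
from typing import Dict, List, Optional, Tuple

def parse_mapping(spec: str) -> List[Tuple[str, str]]:
    """Parse comma/whitespace separated clientValueName:credentialName entries."""
    pairs = []
    for entry in spec.replace(",", " ").split():
        name, sep, cred = entry.partition(":")
        if not sep or not name or not cred or ":" in cred:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        pairs.append((name, cred))
    return pairs

def resolve_client_value(name: str, edge_headers: Dict[str, str],
                         cookies: Dict[str, str],
                         personalization: Dict[str, str]) -> Optional[str]:
    """Edge headers (case-insensitive) win over the personalization key, as the
    page states; placing cookies between the two is an assumption."""
    headers = {k.lower(): v for k, v in edge_headers.items()}
    if name.lower() in headers:
        return headers[name.lower()]
    if name in cookies:
        return cookies[name]
    return personalization.get(name)

def named_credentials(spec: str, authenticated: bool,
                      edge_headers: Dict[str, str], cookies: Dict[str, str],
                      personalization: Dict[str, str]) -> Dict[str, str]:
    """Credentials the module would add; nothing unless another module
    already authenticated the user, since this module never authenticates."""
    if not authenticated:
        return {}
    creds: Dict[str, str] = {}
    for name, cred in parse_mapping(spec):
        value = resolve_client_value(name, edge_headers, cookies, personalization)
        if value is not None:
            creds[cred] = value
    return creds

# Constructed sample: the client set the SSO user via the personalization key,
# but the header supplied by the network edge takes precedence.
SPEC = "X-Forwarded-User:ssoUser, SSOToken:ssoToken, department:dept"
EDGE_HEADERS = {"x-forwarded-user": "alice"}
COOKIES = {"SSOToken": "tok-123"}
PERSONALIZATION = {"X-Forwarded-User": "mallory", "department": "finance"}
SAMPLE = named_credentials(SPEC, True, EDGE_HEADERS, COOKIES, PERSONALIZATION)
```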