External authentication interface - authentication flags

When an EAI application performs a successful authentication, it constructs and returns the response to a trigger URL. WebSEAL detects this authentication information in the trigger URL response. You can provide authentication flags with this response to help control the authentication processing by WebSEAL.

These authentication flags are contained in an HTTP header. Use the eai-flags-header stanza entry in the [eai] stanza of the WebSEAL configuration file to specify the name of the flags header.

WebSEAL supports the following flags:

stream
By default, WebSEAL replaces the EAI-generated response with a WebSEAL-generated response for the authentication operation. You can override this default behavior and configure WebSEAL to stream the EAI-generated response back to the client. That is, after a successful EAI authentication, WebSEAL can strip the EAI-specific headers from the response and stream it back to the client.

To achieve this EAI response streaming, the flags header must contain the stream flag.

Example EAI flags header:

    am-eai-flags: stream

The eai-flags-header configuration entry specifies the name of the HTTP header that contains the flags. For example:

    [eai]
    eai-flags-header = am-eai-flags

append-cred-attrs
When an extended attribute name matches an existing credential attribute, its value will be appended as an additional value.
replace-cred-attrs
When an extended attribute name matches an existing credential attribute, its value will replace the credential attribute value. If neither append-cred-attrs nor replace-cred-attrs is specified, then the eai-replace-cred-attributes configuration value determines the extended attribute behaviour.
remember-session
Used to indicate that the session should be remembered. This has the effect of creating and setting the configured 'remember-session-field'. The flag can optionally be qualified with the length of time (in minutes) that the token will be valid for, for example 'remember-session:600'. If no expiry is specified, the token will never expire.
success-page-response
If the authentication is successful, return the login success page instead of returning a 302 redirect.
max-concurrent-sessions
If the session is being stored in a remote session cache (either the DSC or Redis), this flag defines the maximum number of concurrent sessions that are allowed for this user. A value of 0 indicates that there is no limit, and a value of -1 indicates that the existing session will be displaced. If the user has reached their session limit, the new session will not be established and an error page will be returned to the client. The format of the flag is 'max-concurrent-sessions:<limit>', for example 'max-concurrent-sessions:5'.
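The following is an added example, not IBM or WebSEAL code, that models the flag semantics described above so an EAI developer can validate a flags header value before sending it (conflicting cred-attrs flags, malformed qualifiers, unknown flags) and see how the max-concurrent-sessions limit decides a new session. It assumes that several flags in one header value are comma-separated and that a qualifier follows the flag name after a colon, as in the examples above.

```python
# Added example (not IBM or WebSEAL code) modelling the flag semantics described above.
# Assumption: flags in one header value are comma-separated; a qualifier follows a colon.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class EaiFlags:
    stream: bool = False
    cred_attr_mode: str | None = None          # "append", "replace" or None (config default)
    remember_session: bool = False
    remember_minutes: int | None = None        # None = remember-session token never expires
    success_page_response: bool = False
    max_concurrent_sessions: int | None = None # 0 = no limit, -1 = displace existing session
    errors: list[str] = field(default_factory=list)

def parse_eai_flags(header_value: str) -> EaiFlags:
    f = EaiFlags()
    for token in filter(None, (t.strip() for t in header_value.split(","))):
        name, _, qual = token.partition(":")
        name, qual = name.strip().lower(), qual.strip()
        if name == "stream":
            f.stream = True
        elif name in ("append-cred-attrs", "replace-cred-attrs"):
            mode = name.split("-", 1)[0]
            if f.cred_attr_mode not in (None, mode):   # the two flags contradict each other
                f.errors.append("append-cred-attrs and replace-cred-attrs both set")
            f.cred_attr_mode = mode
        elif name == "remember-session":
            f.remember_session = True
            if qual and qual.isdigit() and int(qual) > 0:   # optional expiry in minutes
                f.remember_minutes = int(qual)
            elif qual:
                f.errors.append(f"remember-session expiry must be a positive integer: {qual!r}")
        elif name == "success-page-response":
            f.success_page_response = True
        elif name == "max-concurrent-sessions":
            if qual.removeprefix("-").isdigit() and int(qual) >= -1:
                f.max_concurrent_sessions = int(qual)
            else:
                f.errors.append(f"max-concurrent-sessions needs an integer >= -1: {qual!r}")
        else:
            f.errors.append(f"unknown flag: {name!r}")
    return f

def session_decision(limit: int | None, active_sessions: int) -> str:
    # Outcome for a new session under max-concurrent-sessions (remote session cache only).
    if limit is None or limit == 0:
        return "allow"                 # flag absent, or 0 = no limit
    if limit == -1:
        return "displace"              # the existing session is displaced
    return "allow" if active_sessions < limit else "reject"   # reject = error page to client
```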