Propagate Single Sign-On Using Populate JAAS Subject From Client

Applications use HTTP headers and cookies to pass data that is used for single sign-on to the back end. The Populate JAAS Subject From Client authentication provider enables administrators to add named credentials, name principals, and role principals to the authenticated subject.

Adding client values as named credentials allows them to be used for single sign-on. When the user is authenticated with a token from the client, and the corresponding authentication provider cannot retrieve the user name from the token and add it as a principal for use in impersonation checking, the administrator can configure this provider to add the appropriate header value from the client session to the authenticated subject as a principal.

To prevent a client from setting an HTTP header or cookie value that works around the impersonation check, use this configuration only when the SSO framework requires it, and only when the deployed applications ensure that the client cannot manipulate the headers set into the session. HTTP headers that are set by the network edge take precedence.

This authentication provider does not authenticate the subject but adds the NamedCredential if the user is successfully authenticated by other authentication providers. It always returns false from the login method and should always be configured with the controlFlag set to “optional” to avoid affecting the outcome of the authentication process.
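As an added illustration (not Oracle's provider code or its configuration), the following Java stand-in shows the lifecycle the text describes: login() always returns false, the module is stacked as OPTIONAL behind a REQUIRED authenticator, and only commit(), which JAAS runs after the overall login has succeeded, copies a configured header value into the subject as a principal. The thread-local request map, the SimplePrincipal record, the DemoAuthenticator, the token values and the header names X-Token and X-Impersonate are all assumptions made for this demo.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Illustrative stand-in (not Oracle's provider) for the JAAS behaviour described above. Java 16+. */
public class PopulateFromClientDemo {

    /** Assumption: a thread-local map stands in for the container's per-request HTTP headers. */
    static final ThreadLocal<Map<String, String>> REQUEST_HEADERS = ThreadLocal.withInitial(HashMap::new);

    /** Hypothetical principal: kind is "user" (authenticated) or "client-header" (copied from the request). */
    public record SimplePrincipal(String kind, String name) implements Principal {
        @Override public String getName() { return name; }
        @Override public String toString() { return kind + ":" + name; }
    }

    /** Never authenticates; only decorates a subject that another module has already authenticated. */
    public static final class PopulateFromClientLoginModule implements LoginModule {
        private Subject subject;
        private String headerName; // fixed by the administrator's options, never chosen by the client
        private SimplePrincipal added;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
            headerName = String.valueOf(opts.get("headerName"));
        }
        @Override public boolean login() { return false; } // always false, hence controlFlag OPTIONAL
        @Override public boolean commit() {
            // JAAS calls commit() only after the overall login succeeded, so by now the REQUIRED
            // authenticator has run and added its own principal; only then is the header copied in.
            String value = REQUEST_HEADERS.get().get(headerName);
            if (value == null || value.isBlank() || subject.getPrincipals().isEmpty()) return false;
            added = new SimplePrincipal("client-header", value);
            subject.getPrincipals().add(added);
            return true;
        }
        @Override public boolean abort() { added = null; return false; }
        @Override public boolean logout() { if (added != null) subject.getPrincipals().remove(added); return true; }
    }

    /** Minimal REQUIRED authenticator: maps a constructed bearer-token header to a user name. */
    public static final class DemoAuthenticator implements LoginModule {
        private static final Map<String, String> TOKENS = Map.of("tok-alice", "alice"); // constructed
        private Subject subject;
        private String user;
        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
        }
        @Override public boolean login() throws LoginException {
            user = TOKENS.get(REQUEST_HEADERS.get().get("X-Token"));
            if (user == null) throw new LoginException("token missing or unknown");
            return true;
        }
        @Override public boolean commit() { subject.getPrincipals().add(new SimplePrincipal("user", user)); return true; }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { return true; }
    }

    /** The module stack: authenticator REQUIRED, populate module OPTIONAL, as the text prescribes. */
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(DemoAuthenticator.class.getName(),
                        LoginModuleControlFlag.REQUIRED, Map.of()),
                new AppConfigurationEntry(PopulateFromClientLoginModule.class.getName(),
                        LoginModuleControlFlag.OPTIONAL, Map.of("headerName", "X-Impersonate"))
            };
        }
    };

    /** Runs one login against the given request headers; returns the subject, or null when login fails. */
    static Subject authenticate(Map<String, String> headers) {
        REQUEST_HEADERS.set(new HashMap<>(headers));
        try {
            LoginContext lc = new LoginContext("demo", new Subject(), null, CONFIG);
            lc.login();
            return lc.getSubject();
        } catch (LoginException e) {
            return null;
        } finally {
            REQUEST_HEADERS.remove();
        }
    }

    public static void main(String[] args) {
        // Constructed requests: token plus client header; header alone (REQUIRED fails, so the OPTIONAL
        // module never commits and the header is not trusted); token alone (nothing to add).
        System.out.println(authenticate(Map.of("X-Token", "tok-alice", "X-Impersonate", "bob")).getPrincipals());
        System.out.println(authenticate(Map.of("X-Impersonate", "bob")));
        System.out.println(authenticate(Map.of("X-Token", "tok-alice")).getPrincipals());
    }
}
```

Compile and run with `javac PopulateFromClientDemo.java && java PopulateFromClientDemo`. The first request yields a subject carrying both the authenticated user and the client-header principal; the second fails outright, because an OPTIONAL module returning false cannot rescue a REQUIRED module that failed, so the client-supplied header is never turned into a principal; the third yields only the authenticated user. The isEmpty() guard in commit() is the defender's belt-and-braces check that the populate module never acts on a subject nobody else has authenticated; which header is copied comes solely from the administrator's options, which is the point of the caution about client-manipulated headers above.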