
Propagate Single Sign-On Using Populate JAAS Subject From Client

Applications use HTTP headers and cookies to pass data that is used for single sign-on to the back end. The Populate JAAS Subject From Client authentication provider enables administrators to add named credentials, name principals, and role principals to the authenticated subject.

Adding client values as named credentials allows them to be used for single sign-on. When authenticating the user using a token from the client, if the corresponding authentication provider cannot retrieve the user name from the token and add it as a principal for use in impersonation checking, the administrator can configure this provider to add the appropriate header value from the client session as a principal to the authenticated subject.

Note Rogue applications can intentionally insert HTTP headers with arbitrary values to obtain principals, roles, or credentials that they otherwise would not receive using other authentication providers. Use this authentication provider in an environment in which you know the network edge behavior, and have ensured that applications cannot bypass or override the environment.

To prevent a client from setting an HTTP header or cookie value to work around the impersonation check, use this configuration only when the SSO framework requires it, and only when the deployed applications ensure that the client cannot manipulate the headers that are set into the session. HTTP headers that are set by the network edge take precedence over values supplied by the client.

This authentication provider does not authenticate the subject but adds the NamedCredential if the user is successfully authenticated by other authentication providers. It always returns false from the login method and should always be configured with the controlFlag set to “optional” to avoid affecting the outcome of the authentication process.
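The following is an added illustration, not SAP's code, of the behaviour described above: a simplified JAAS-style module whose `login` always returns false, which adds a name principal, named credentials and role principals only after another provider has authenticated the user, and which lets headers set by the network edge override anything the client sent. The `Subject`, `PopulateSubjectFromClient`, `merge_headers` and `run_stack` names, and the header names `X-SSO-User`, `X-SSO-Token` and `X-SSO-Roles`, are constructed for this example and do not correspond to the product's own classes or configuration keys.

```python
"""Added example (not SAP's code): a simplified model of a JAAS-style
'populate subject from client' step. All names and header names here are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Subject:
    """Minimal stand-in for javax.security.auth.Subject."""
    authenticated: bool = False            # set by a real authentication provider
    name_principals: Set[str] = field(default_factory=set)
    role_principals: Set[str] = field(default_factory=set)
    named_credentials: Dict[str, str] = field(default_factory=dict)


def merge_headers(edge_headers: Dict[str, str], client_headers: Dict[str, str]) -> Dict[str, str]:
    """Headers set by the network edge take precedence over client-supplied ones.

    Names are compared case-insensitively, as HTTP header names are."""
    merged = {k.lower(): v for k, v in client_headers.items()}
    merged.update({k.lower(): v for k, v in edge_headers.items()})
    return merged


class PopulateSubjectFromClient:
    """Never authenticates; only decorates a subject that another provider authenticated."""

    def __init__(self, principal_header: str, credential_headers: List[str],
                 role_header: Optional[str] = None) -> None:
        self.principal_header = principal_header.lower()
        self.credential_headers = [h.lower() for h in credential_headers]
        self.role_header = role_header.lower() if role_header else None

    def login(self) -> bool:
        # Always False: this step contributes nothing to the login decision,
        # which is why it is configured with controlFlag 'optional'.
        return False

    def commit(self, subject: Subject, session_headers: Dict[str, str]) -> List[Tuple[str, str]]:
        """Add principals and credentials from the session, but only if the user is authenticated."""
        added: List[Tuple[str, str]] = []
        if not subject.authenticated:
            return added                      # unauthenticated: never trust client values
        user = session_headers.get(self.principal_header)
        if user:
            subject.name_principals.add(user)  # used later for impersonation checking
            added.append(("principal", user))
        for h in self.credential_headers:
            if h in session_headers:
                subject.named_credentials[h] = session_headers[h]  # reused for back-end SSO
                added.append(("credential", h))
        if self.role_header and self.role_header in session_headers:
            for role in session_headers[self.role_header].split(","):
                role = role.strip()
                if role:
                    subject.role_principals.add(role)
                    added.append(("role", role))
        return added


def run_stack(token_authenticated: bool, edge_headers: Dict[str, str],
              client_headers: Dict[str, str], populate: PopulateSubjectFromClient) -> Subject:
    """Simulate a stack: a token provider decides authentication, the populate step runs last."""
    subject = Subject()
    # Stand-in for a token-based provider that authenticated the user but could
    # not extract a user name from the token to add as a principal.
    subject.authenticated = token_authenticated
    headers = merge_headers(edge_headers, client_headers)
    populate.login()                          # ignored by the stack (returns False)
    populate.commit(subject, headers)
    return subject


if __name__ == "__main__":
    provider = PopulateSubjectFromClient("X-SSO-User", ["X-SSO-Token"], "X-SSO-Roles")
    # Constructed sample: the edge sets the user; the client tries to supply its own.
    subject = run_stack(True,
                        {"X-SSO-User": "alice", "X-SSO-Roles": "reader, approver"},
                        {"x-sso-user": "admin", "X-SSO-Token": "tok-123"}, provider)
    print(subject)
```

The edge value for `X-SSO-User` wins over the client's attempt to supply `admin`, and an unauthenticated subject receives no principals at all, which is the property the note above asks the deployment to guarantee.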