External Authentication Interface (EAI)
By Siva R Praturi
The external authentication interface extends the WebSEAL authentication process. It allows a third-party system to supply an authenticated identity to WebSEAL, which makes it possible to use authentication methods that WebSEAL does not provide on its own. EAI can be used with applications written in any language, including Java.
EAI process flow
EAI is a mechanism for moving the responsibility for authentication from WebSEAL to a third-party product or application. The way it works is shown in the following diagram, which describes this process flow:
1. The user attempts to connect to a protected application on a back-end server. WebSEAL redirects the request to the EAI server, which may be on a separate computer from WebSEAL.
2. WebSEAL allows unauthenticated access to the EAI server. This is necessary because the user is not authenticated at this point.
3. The user and the EAI server communicate. This communication can be as long and as involved as necessary.
4. The user, based on an HTML page from the EAI server, retrieves a trigger URL, which is a URL that is configured in WebSEAL as one whose response might contain the EAI output.
5. The EAI server sends back a reply with HTTP headers that contain the user identity and possibly additional information.
6. WebSEAL creates the credential for the user.
7. WebSEAL allows the user to access the back-end server.
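The EAI server's side of steps 3 to 5, as an added example that is not code from the original post or from IBM: a small HTTP server that serves a login form, verifies the submitted credentials against a constructed user store, and only on success puts an identity header on the trigger-URL reply. It assumes the [eai] stanza also sets `eai-user-id-header = am-eai-user-id` (a WebSEAL option the post does not show; the post configures only the PAC headers), and the trigger path, user store and salt are constructed for the example.

```python
# Added example (not from the original post): a minimal EAI server for the
# flow above. Assumes the [eai] stanza also sets
# eai-user-id-header = am-eai-user-id (not shown in the post, which
# configures only the PAC headers).
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

EAI_USER_ID_HEADER = "am-eai-user-id"            # must match eai-user-id-header in [eai]
TRIGGER_PATH = "/eailogin/cgi-bin/eai_login.pl"  # matched by trigger = /eailogin/cgi-bin/eai*.pl

LOGIN_FORM = (
    b"<form method='POST' action='" + TRIGGER_PATH.encode() + b"'>"
    b"<input name='username'><input name='password' type='password'>"
    b"<input type='submit' value='Log in'></form>"
)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store for the example: username -> (salt, PBKDF2 hash).
_SALT = b"example-salt-not-for-production"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}


def authenticate(username: str, password: str) -> bool:
    """Verify a password against the constructed store with a constant-time compare."""
    record = USERS.get(username)
    if record is None:
        _hash(password, _SALT)  # do equivalent work so unknown users are not cheaper
        return False
    salt, expected = record
    return hmac.compare_digest(_hash(password, salt), expected)


def eai_response(form: dict) -> tuple:
    """Step 5 of the flow: build the reply WebSEAL sees on the trigger URL.

    Only a successful login puts the identity header on the response; any
    other outcome returns the login form again with no identity at all.
    """
    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    if authenticate(username, password):
        headers = {EAI_USER_ID_HEADER: username, "Content-Type": "text/html"}
        return 200, headers, b"<p>Logged in</p>"
    return 401, {"Content-Type": "text/html"}, LOGIN_FORM


class EaiHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # step 3: serve the login page
        self._send(200, {"Content-Type": "text/html"}, LOGIN_FORM)

    def do_POST(self):  # step 4/5: the trigger URL
        if self.path != TRIGGER_PATH:
            self._send(404, {"Content-Type": "text/plain"}, b"not found")
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        self._send(*eai_response(form))

    def _send(self, status, headers, body):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback only: the EAI server should be reachable through the
    # WebSEAL junction, not directly by clients.
    HTTPServer(("127.0.0.1", 8080), EaiHandler).serve_forever()
```

The important design point is that the identity header is produced only by the trigger path and only after a successful check; every other path and every failed login yields a reply without it, so WebSEAL has nothing to build a credential from.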
Configuring WebSEAL for EAI
Add the authentication mechanism library
The list of libraries used for authentication is in the [authentication-mechanisms] stanza of the WebSEAL configuration file. To enable EAI, add the following line (all on one line):
• ext-auth-interface = /opt/pdwebrte/lib/libeaiauthn.so
The [eai] stanza
The eai-auth stanza entry in the [eai] stanza of the WebSEAL configuration file enables or disables the external authentication interface. To use EAI for HTTP connections, HTTPS connections, or both, set eai-auth to http, https, or both:
• eai-auth = http/https/both
You must also specify the names of the HTTP headers that carry the identity, matching the headers your application sends:
• eai-pac-header = am-eai-pac
• eai-pac-svc-header = am-eai-pac-svc
The [eai-trigger-urls] stanza
This stanza specifies the trigger URLs. A trigger URL is a URL whose response can include the EAI server's reply in HTTP headers. Trigger URLs can also be specified using a wildcard pattern:
• trigger = /eailogin/cgi-bin/eai*.pl
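The WebSEAL side of the trigger rule, as an added example that is not WebSEAL code: it models the decision of whether identity headers on a junction response are honored at all, which happens only when the response URL matches a configured trigger. Wildcard matching is approximated with Python's `fnmatch` (an assumption; WebSEAL's own pattern syntax is not reproduced), and the sample responses and PAC values are constructed.

```python
# Added example (not WebSEAL code): simulates how WebSEAL decides whether
# to act on EAI identity headers returned from the junction. fnmatch is an
# approximation of WebSEAL's wildcard matching, not its implementation.
from fnmatch import fnmatchcase

TRIGGER_URLS = ["/eailogin/cgi-bin/eai*.pl"]          # from [eai-trigger-urls]
IDENTITY_HEADERS = ("am-eai-pac", "am-eai-pac-svc")   # from [eai]


def is_trigger_url(path, triggers=TRIGGER_URLS):
    """True if the request path matches any configured trigger pattern."""
    return any(fnmatchcase(path, pattern) for pattern in triggers)


def extract_identity(path, response_headers, triggers=TRIGGER_URLS):
    """Return the identity headers WebSEAL would act on, or None.

    Identity headers on a response whose URL is not a trigger are ignored,
    so other scripts on the same junction cannot assert an identity.
    """
    if not is_trigger_url(path, triggers):
        return None
    lowered = {name.lower(): value for name, value in response_headers.items()}
    found = {name: lowered[name] for name in IDENTITY_HEADERS if name in lowered}
    return found or None


def trusted_surface(candidate_paths, triggers=TRIGGER_URLS):
    """Which junction paths could assert an identity under a given trigger list.

    Useful when reviewing a configuration: a broad wildcard such as
    /eailogin/* lets every resource behind the junction act as the EAI.
    """
    return [path for path in candidate_paths if is_trigger_url(path, triggers)]


# Constructed sample: two junction responses that both carry identity headers.
SAMPLE_RESPONSES = [
    ("/eailogin/cgi-bin/eai_login.pl", {"am-eai-pac": "<pac>", "am-eai-pac-svc": "<svc>"}),
    ("/eailogin/cgi-bin/help.pl", {"am-eai-pac": "<pac>", "am-eai-pac-svc": "<svc>"}),
]

if __name__ == "__main__":
    for path, headers in SAMPLE_RESPONSES:
        print(path, "->", extract_identity(path, headers))
```

Run against the sample, the login script's headers are honored and the help script's are not; widening the trigger to `/eailogin/*` would make `trusted_surface` return both, which is the configuration check worth making before attaching the unauthenticated ACL.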
Server junction and access control list
WebSEAL sees the EAI server as just another HTTP server. To allow users to reach this HTTP server, WebSEAL requires a junction. Use the following pdadmin command to create the junction. Note that the command is all one line.
server task <instance>-webseald-<webseal computer> create -t tcp -h <eai computer> /eailogin
Users are unauthenticated while they are communicating with the EAI server. To allow unauthenticated access, run the following pdadmin commands. Ignore the error message HPDAC0757E about ACL permissions if you get it.
acl create eaiacl
acl modify eaiacl set any-other Trx
acl modify eaiacl set unauthenticated Trx
acl attach /WebSEAL/<webseal computer>-<instance>/eailogin eaiacl
I am learning Tivoli Access Manager. Can you please provide some material related to single sign-on concepts (TAI, TAI++, forms single sign-on, LTPA, junctions), and can you please explain external authentication in depth with a sequence diagram?
Thank you.