The "on-behalf" ID propagator is intended for back-end applications that offer only a login form to authenticate users (i.e. the back-end supports no other ID propagation method such as headers, cookies, Kerberos, OAuth, SAML, etc.).
Generally, the use of on-behalf-login is not recommended. It is only intended for legacy target applications that offer no other identity propagation mechanisms.
The on-behalf login feature is an ID propagator plugin that does the following:
- Connect to the back-end login page
- Log in using username and password (if necessary, fetch the login page with CSRF tokens first)
- Extract the session cookie of the authenticated session
- Pass the session cookie to Airlock Gateway (WAF) in such a way that subsequent calls to the back-end use that session
Note that we use "access cookie" as synonym for "session cookie".
Concept and configuration
The "On Behalf Login Identity Propagator" plugin has the following properties:
- Http Client: settings related to the HTTP(S) connection to the back-end
- On Behalf Login Steps: settings related to the login process at the back-end
- Cookie-Mappings: lists cookies to be processed and passed on to the Airlock Gateway (WAF)
The on-behalf-login process consists of a number of "On Behalf Login Steps" which are performed in sequence according to their ordering. Each of these steps exchanges one HTTP message (request and response) with the back-end application.
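The following is an added example, not code from Airlock IAM or the plugin itself, that walks through the step sequence described above against a constructed stand-in for a form-login-only back-end: fetch the login page, pick up the hidden CSRF token and pre-login cookie, post the credentials, and extract only the allowlisted access cookie that would be handed to the gateway. The back-end class, its paths (`/login`), form field names, cookie names (`PRELOGIN`, `JSESSIONID`) and the `on_behalf_login` function are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode


class FakeLegacyBackend:
    """Constructed stand-in for a legacy back-end that only offers a login form.
    It runs in-process, so the example needs no network access."""

    CSRF_TOKEN = "csrf-example-token"  # constructed value

    def __init__(self, users):
        self.users = users   # {username: password}, constructed test accounts
        self.issued = []     # session ids handed out so far

    def get(self, path):
        """Step 1: the login page carries a hidden CSRF token and a pre-login cookie."""
        if path != "/login":
            return 404, [], ""
        body = ('<form method="post" action="/login">'
                f'<input type="hidden" name="csrf_token" value="{self.CSRF_TOKEN}">'
                '<input name="username"><input name="password" type="password"></form>')
        return 200, [("Set-Cookie", "PRELOGIN=pre-1; Path=/; HttpOnly")], body

    def post(self, path, body, cookies):
        """Step 2: check pre-login cookie, CSRF token and credentials; issue a session."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if path != "/login" or cookies.get("PRELOGIN") != "pre-1":
            return 400, [], "bad request"
        if form.get("csrf_token") != self.CSRF_TOKEN:
            return 403, [], "csrf check failed"
        if self.users.get(form.get("username")) != form.get("password"):
            return 401, [], "invalid credentials"
        sid = f"sess-{len(self.issued) + 1}"
        self.issued.append(sid)
        return 302, [("Set-Cookie", f"JSESSIONID={sid}; Path=/; HttpOnly; Secure"),
                     ("Set-Cookie", "PRELOGIN=; Max-Age=0; Path=/"),
                     ("Location", "/app")], ""


class _HiddenInputs(HTMLParser):
    """Collects <input type="hidden" name=... value=...> fields from a login page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def hidden_fields(html):
    """Return {name: value} for all hidden inputs in the page (CSRF tokens live here)."""
    p = _HiddenInputs()
    p.feed(html)
    return p.fields


def cookies_from(headers):
    """Turn every Set-Cookie header in a response into {name: value}."""
    jar = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            c = SimpleCookie()
            c.load(value)
            for k, morsel in c.items():
                jar[k] = morsel.value
    return jar


def on_behalf_login(backend, username, password, cookie_allowlist):
    """Run the login steps in order and return only the allowlisted access cookie(s).
    cookie_allowlist plays the role of the Cookie-Mappings: anything not listed
    (e.g. the spent PRELOGIN cookie) is never forwarded to the gateway."""
    status, headers, html = backend.get("/login")
    if status != 200:
        raise RuntimeError(f"login page not reachable: {status}")
    token = hidden_fields(html).get("csrf_token")
    if token is None:
        raise RuntimeError("login page carries no CSRF token")
    pre_login = cookies_from(headers)

    body = urlencode({"username": username, "password": password, "csrf_token": token})
    status, headers, _ = backend.post("/login", body, pre_login)
    if status != 302:
        raise PermissionError(f"back-end rejected login: {status}")

    session = cookies_from(headers)
    forwarded = {n: session[n] for n in cookie_allowlist if n in session}
    if not forwarded:
        raise RuntimeError("no access cookie found in login response")
    return forwarded


if __name__ == "__main__":
    be = FakeLegacyBackend({"alice": "s3cret"})
    print(on_behalf_login(be, "alice", "s3cret", ["JSESSIONID"]))
```

The allowlist is the part worth keeping strict in a real configuration: the pre-login cookie and anything else the back-end sets during the exchange are consumed by the login steps and must not leak through to the gateway as if they were the session. A failed step (missing token, wrong status code, no matching cookie) aborts the whole sequence rather than forwarding a half-authenticated state.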