On-behalf login identity propagation

The "on-behalf" ID propagator is useful for back-end applications that only offer a login form to authenticate users (i.e., applications that support no other ID propagation method such as headers, cookies, Kerberos, OAuth or SAML).

Generally, the use of on-behalf-login is not recommended. It is only intended for legacy target applications that offer no other identity propagation mechanisms.

The on-behalf login feature is an ID propagator plugin that does the following:

  • Connects to the back-end login page
  • Logs in using username and password (if necessary, it first fetches the login page to obtain CSRF tokens)
  • Extracts the session cookie of the authenticated session
  • Passes the session cookie to Airlock Gateway (WAF) in such a way that subsequent calls to the back-end use that session

Note that we use "access cookie" as a synonym for "session cookie".

Concept and configuration

The "On Behalf Login Identity Propagator" plugin has the following properties:

  • Http Client: settings related to the HTTP(S) connection to the back-end
  • On Behalf Login Steps: settings related to the login process at the back-end
  • Cookie-Mappings: lists cookies to be processed and passed on to the Airlock Gateway (WAF)

The on-behalf-login process consists of a number of "On Behalf Login Steps" which are performed in sequence according to their ordering. Each of these steps exchanges one HTTP message (request and response) with the back-end application.
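The following is an added example illustrating the four steps listed above and the "login steps" plus "cookie mappings" concept; it is not Airlock IAM code and does not use the product's configuration keys. It assumes a constructed in-memory stand-in for a legacy back-end (`FakeLegacyBackend`, with a pre-login cookie, a CSRF token in the login form and a `JSESSIONID` issued on success), hypothetical `LoginStep` and `CookieMapping` records, and a small `OnBehalfLoginPropagator` that runs the ordered steps, collects `Set-Cookie` values in a per-login jar, extracts the CSRF token with a regular expression, and finally returns only the cookies that a mapping names, under the name the gateway should see. A step whose status differs from the expected one, or a missing access cookie, aborts the login instead of handing an unauthenticated cookie onward.

```python
import re
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from string import Template
from urllib.parse import parse_qs, urlencode


class OnBehalfLoginError(Exception):
    """A login step returned an unexpected status or a required value was missing."""


# Constructed stand-in for a legacy back-end that only offers a login form.
# Not Airlock code: it exists so the propagator below can run offline.
class FakeLegacyBackend:
    def __init__(self, users):
        self.users = users            # username -> password (constructed test data)
        self.csrf_by_prelogin = {}    # pre-login cookie value -> CSRF token
        self.sessions = {}            # JSESSIONID value -> username

    def handle(self, method, path, headers, body=""):
        cookies = SimpleCookie(headers.get("Cookie", ""))
        if method == "GET" and path == "/login":
            # Login form: CSRF token bound to a pre-login cookie
            pre, token = secrets.token_hex(8), secrets.token_hex(8)
            self.csrf_by_prelogin[pre] = token
            html = f'<form method="post"><input type="hidden" name="csrf" value="{token}"></form>'
            return 200, {"Set-Cookie": f"PRELOGIN={pre}; Path=/; HttpOnly"}, html
        if method == "POST" and path == "/login":
            form = {k: v[0] for k, v in parse_qs(body).items()}
            pre = cookies["PRELOGIN"].value if "PRELOGIN" in cookies else None
            if self.csrf_by_prelogin.get(pre) != form.get("csrf"):
                return 403, {}, "invalid CSRF token"
            if self.users.get(form.get("user")) != form.get("password"):
                return 401, {}, "invalid credentials"
            sid = secrets.token_hex(16)
            self.sessions[sid] = form["user"]
            return 302, {"Set-Cookie": f"JSESSIONID={sid}; Path=/; HttpOnly; Secure",
                         "Location": "/app"}, ""
        return 404, {}, ""


@dataclass
class LoginStep:                      # hypothetical "On Behalf Login Step" record
    name: str
    method: str
    path: str
    form: dict = field(default_factory=dict)     # values may use ${username}, ${password}, ${csrf}
    extract: dict = field(default_factory=dict)  # variable name -> regex with one capture group
    expect_status: tuple = (200,)


@dataclass
class CookieMapping:                  # hypothetical "Cookie-Mapping" record
    backend_cookie: str               # cookie name issued by the back-end
    gateway_cookie: str               # name under which it is handed to the gateway


class OnBehalfLoginPropagator:
    def __init__(self, backend, steps, mappings):
        self.backend, self.steps, self.mappings = backend, steps, mappings

    def run(self, username, password):
        jar = {}                                   # cookies collected across the steps
        variables = {"username": username, "password": password}
        for step in self.steps:                    # steps run strictly in configured order
            headers = {}
            if jar:
                headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in jar.items())
            body = ""
            if step.form:
                body = urlencode({k: Template(v).substitute(variables) for k, v in step.form.items()})
                headers["Content-Type"] = "application/x-www-form-urlencoded"
            status, rheaders, rbody = self.backend.handle(step.method, step.path, headers, body)
            if status not in step.expect_status:
                raise OnBehalfLoginError(f"step {step.name!r}: unexpected status {status}")
            if "Set-Cookie" in rheaders:           # remember every cookie the back-end sets
                for morsel in SimpleCookie(rheaders["Set-Cookie"]).values():
                    jar[morsel.key] = morsel.value
            for var, pattern in step.extract.items():   # e.g. the CSRF token from the form
                match = re.search(pattern, rbody)
                if not match:
                    raise OnBehalfLoginError(f"step {step.name!r}: could not extract {var!r}")
                variables[var] = match.group(1)
        # Only mapped cookies leave the propagator, under their gateway-side names
        mapped = {m.gateway_cookie: jar[m.backend_cookie]
                  for m in self.mappings if m.backend_cookie in jar}
        if not mapped:
            raise OnBehalfLoginError("back-end did not issue a mapped access cookie")
        return mapped


LOGIN_STEPS = [
    LoginStep("get-login-form", "GET", "/login",
              extract={"csrf": r'name="csrf" value="([0-9a-f]+)"'}),
    LoginStep("submit-credentials", "POST", "/login",
              form={"user": "${username}", "password": "${password}", "csrf": "${csrf}"},
              expect_status=(302,)),
]
COOKIE_MAPPINGS = [CookieMapping("JSESSIONID", "BACKEND_ACCESS")]


def run_demo(username, password):
    """Runs the two configured steps against the constructed back-end."""
    backend = FakeLegacyBackend({"alice": "correct-horse"})    # constructed user
    propagator = OnBehalfLoginPropagator(backend, LOGIN_STEPS, COOKIE_MAPPINGS)
    return backend, propagator.run(username, password)


if __name__ == "__main__":
    backend, cookies = run_demo("alice", "correct-horse")
    print("cookies handed to the gateway:", cookies)
```

The pre-login cookie is carried between the two steps because the back-end ties its CSRF token to it; that is the reason the sequence of steps shares one cookie jar rather than starting each request fresh. The mapping stage then discards everything except the access cookie, so the gateway only ever receives the cookie that represents an authenticated session.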