On-behalf login identity propagation

The "on-behalf" ID propagator is useful for back-end applications only offering a login form to authenticate users (i.e. it does not support other ID propagation methods such as headers, cookies, Kerberos, OAuth, SAML, etc.).

Generally, the use of on-behalf-login is not recommended. It is only intended for legacy target applications that offer no other identity propagation mechanisms.

The on-behalf login feature is a ID propagator plugin that does the following:

Connect to back-end login page
Login using username and password (if necessary get login page with CSRF tokens first)
Extract the session cookie of the authenticated session
Pass the session cookie to Airlock Gateway (WAF) in such a way that subsequent calls to the back-end use the session.

Note that we use "access cookie" as synonym for "session cookie".

Concept and configuration

The "On Behalf Login Identity Propagator" plugin has the following properties:

Http Client: settings related to the HTTP(S) connection to the back-end
On Behalf Login Steps: settings related to the login process at the back-end
Cookie-Mappings: lists cookies to be processed and passed on to the Airlock Gateway (WAF)

The on-behalf-login process consists of a number of "On Behalf Login Steps" which are performed in sequence according to their ordering. Each of these steps exchanges a HTTP message (request&response) with the back-end application.

Chapter content

17.4.3.5.2.1. Sharing information among steps

17.4.3.5.2.2. Using passwords

17.4.3.5.2.3. Tipps and tricks