Security Provider - Web Access Management

Web Access Management (WAM) is a form of Single Sign-on (SSO) authentication. WAM Identity Providers (IdPs) typically modify the HTTP request, either via a proxy server or an agent installed on the web server. The modified request includes additional headers which identify the user.

Configuration

WAM authentication must be explicitly enabled and configured for the host environment.

Parameters

The WAM security provider does not define any parameters: configuration takes place via claims. Security administrators define the supported claim types for the WAM security provider. Each claim type maps a well-known HTTP header to a claim usage.

For instance, if the WAM IdP stamps the request with an HTTP header named X-IdP-User, the administrator must define a corresponding claim type named X-IdP-User. Assuming that the header value corresponds to the principal's user name, the claim type purpose should be set to Name. This allows Vinyl to map an HTTP header value to a security provider identity.

Additional Information

Claim types are case-insensitive.

On some platforms, HTTP headers are transformed. For instance, an HTTP header named X-Example becomes HTTP_X_Example. Vinyl does not transform headers: when defining claim types, specify the HTTP header name in its original form.

When a user has been authenticated by a WAM security provider, the Sign Out button will not be available. WAM authentication is inherently tied to the client's connection.

Troubleshooting

During the authentication process, the WAM security provider will log all HTTP headers with a Debug severity. The following is an example log message.

2018-01-29 16:23:38.9935|Debug|Web|13820|WamProviderMiddleware 0 HTTP request headers:
  Connection: keep-alive
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Host: localhost:44301
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
  Upgrade-Insecure-Requests: 1
  X-IdP-User: arthur.dent
  X-IdP-Group: Hitchhiker

As noted, this message is only logged when authenticating the client. If the client is already authenticated, nothing will be logged.
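
The following troubleshooting helper is an added example, not part of Vinyl or its documentation. It parses a Debug header dump in the format shown above and checks it against a set of claim types, applying the rules from this page: claim type names are case-insensitive and must use the original header name. The claim_types mapping (claim type name to purpose) and the function names are assumptions made for illustration, not Vinyl's configuration format.

```python
# Constructed sample in the format of the Debug message shown above.
SAMPLE_LOG = """\
2018-01-29 16:23:38.9935|Debug|Web|13820|WamProviderMiddleware 0 HTTP request headers:
  Host: localhost:44301
  X-IdP-User: arthur.dent
  X-IdP-Group: Hitchhiker
"""


def parse_wam_headers(log_text):
    """Return {header name: value} from the first WAM Debug header dump."""
    headers, in_entry = {}, False
    for line in log_text.splitlines():
        if not in_entry:
            # Entry header line: severity Debug, logged by WamProviderMiddleware
            in_entry = ("|Debug|" in line and "WamProviderMiddleware" in line
                        and line.rstrip().endswith("HTTP request headers:"))
            continue
        if not line.startswith((" ", "\t")) or ":" not in line:
            break  # first non-indented line ends the header dump
        name, _, value = line.strip().partition(":")
        headers[name.strip()] = value.strip()
    return headers


def check_claim_types(headers, claim_types):
    """Match claim types (name -> purpose) against the logged headers.

    Names compare case-insensitively; header names are never transformed.
    Returns (claims by purpose, list of problems).
    """
    by_lower = {name.lower(): value for name, value in headers.items()}
    claims, problems = {}, []
    for claim_type, purpose in claim_types.items():
        key = claim_type.lower()
        if key in by_lower:
            claims[purpose] = by_lower[key]
            continue
        # Platform-transformed spelling, e.g. HTTP_X_Example for X-Example
        original = key[5:].replace("_", "-") if key.startswith("http_") else None
        if original in by_lower:
            problems.append(f"{claim_type}: transformed form of a logged header")
        else:
            problems.append(f"{claim_type}: header not present in request")
    return claims, problems


if __name__ == "__main__":
    print(check_claim_types(parse_wam_headers(SAMPLE_LOG), {"x-idp-user": "Name"}))
```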