The AuthFilter can also be configured to work in an environment with an access management solution, such as the Sun Java System Access Manager. In these environments, Service Provider is not responsible for logging in the user because the access management solution is used to protect the end user pages.
The normal login process places the user name into the HTTP session. But when the normal process is not used, Service Provider requires the access management solution to put the username in a configured HTTP header before forwarding the HTTP request.
Two configuration attributes in the SPEUserPages configuration object control how the Service Provider end user pages work in this environment.
sso-assume-authenticated: If set to true, the AuthFilter does not redirect to a login page. For auditing purposes, however, the filter still requires a user name to associate with each request. Normally the login pages store this user name on the HTTP session; because the login pages are not used in an SSO environment, the user name is read from an HTTP header attribute instead.
sso-user-name-http-header-attr: Specifies the name of the HTTP header attribute to use.
See SPEUserPages Configuration Object for more information.
For Sun Java System Access Manager, to ensure that the header is set, edit the AMAgent.properties file to include entries similar to the following:
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = HEADER_speuid
Assuming users log in with the uid attribute, the Access Manager Policy Agent will store the uid value in the HEADER_idmuid HTTP header before forwarding requests to the Service Provider User Interface pages.
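
The user name lookup that the two SPEUserPages attributes control can be sketched as follows. This is an added example, not Service Provider's AuthFilter code: the class SsoUserNameResolver, its resolve method, and the choice to reject a missing, blank or repeated header are assumptions, and HEADER_speuid is the header name from the AMAgent.properties sample above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Hypothetical sketch; not the Service Provider AuthFilter implementation.
public class SsoUserNameResolver {
    private final boolean ssoAssumeAuthenticated; // value of sso-assume-authenticated
    private final String userNameHeader;          // value of sso-user-name-http-header-attr

    public SsoUserNameResolver(boolean ssoAssumeAuthenticated, String userNameHeader) {
        this.ssoAssumeAuthenticated = ssoAssumeAuthenticated;
        this.userNameHeader = userNameHeader;
    }

    // Returns the user name to audit the request under, or empty if none can be trusted.
    public Optional<String> resolve(Map<String, List<String>> headers, String sessionUserName) {
        if (!ssoAssumeAuthenticated) {
            // Normal flow: the login pages stored the user name on the HTTP session.
            return Optional.ofNullable(sessionUserName);
        }
        List<String> values = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : headers.entrySet()) {
            if (e.getKey().equalsIgnoreCase(userNameHeader)) { // header names are case-insensitive
                values.addAll(e.getValue());
            }
        }
        // Assumption: accept exactly one non-blank value. None suggests the request did not
        // pass through the agent; several suggest the agent was not the header's only writer.
        if (values.size() != 1 || values.get(0).trim().isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(values.get(0).trim());
    }

    public static void main(String[] args) {
        SsoUserNameResolver sso = new SsoUserNameResolver(true, "HEADER_speuid");
        // Constructed sample requests (header name -> values).
        Map<String, List<String>> viaAgent = Map.of("header_speuid", List.of("jdoe"));
        Map<String, List<String>> noHeader = Map.of("Accept", List.of("text/html"));
        Map<String, List<String>> twoValues = Map.of("HEADER_speuid", List.of("jdoe", "admin"));
        System.out.println(sso.resolve(viaAgent, null));
        System.out.println(sso.resolve(noHeader, null));
        System.out.println(sso.resolve(twoValues, null));
        System.out.println(new SsoUserNameResolver(false, "HEADER_speuid").resolve(noHeader, "jdoe"));
    }
}
```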