Session information and HTTP request headers
The OpenToken IIS Agent uses HTTP request headers to provide session information and user attributes from the OpenToken Adapter to the protected application.
This allows the application to use the information to support various features, such as making authorization decisions or providing personalized content. The application has access to the following session and attribute information:
- Attributes from the OpenToken Adapter contract: By default, these include the subject (SUBJECT) and attributes specified on the Extended Contract tab of the adapter instance configuration. Only the attributes fulfilled at runtime are available to the application. Attributes with a NULL value are not included in the OpenToken.
- NOT-ON-OR-AFTER: The time the token expires.
- RENEW-UNTIL: The time the session expires. Tokens can’t be renewed past this time.
- AUTH_NOT-BEFORE: The time the session began.
- AUTHNCONTEXT: Information from the SAML assertion that describes how the user was authenticated by the identity provider (IdP). You can find a complete description in the authentication context section in Terminology in the PingFederate documentation.
For security reasons, each HTTP request header is prepended with a specific (configurable) prefix. The OpenToken IIS Agent always removes and rewrites these prefixed request headers for each request.
If applications protected by the OpenToken IIS Agent can’t be modified to accept headers with this prefix, you can configure the OpenToken IIS Agent to omit the HTTP header prefix.
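The prefix handling described above can be modelled in a few lines. This is an added example, not code from the OpenToken IIS Agent or the original page: it shows why removing and rewriting prefixed headers on every request keeps client-supplied values from reaching the application as session data. The prefix `EXAMPLE-PREFIX-`, the function names, and all sample values are assumptions made for illustration.

```python
"""Model of the prefixed-header handling described above (constructed example)."""

PREFIX = "EXAMPLE-PREFIX-"  # placeholder; the real prefix is set in the agent configuration


def rewrite_headers(client_headers, token_attrs, prefix=PREFIX):
    """Return the headers the application sees for one request.

    1. Drop every incoming header whose name starts with the prefix
       (header names are case-insensitive), so nothing the client sent
       can pose as session data.
    2. Write one prefixed header per token attribute; attributes with a
       NULL (None) value are left out, as they are not in the token.
    """
    low = prefix.lower()
    out = {k: v for k, v in client_headers.items() if not k.lower().startswith(low)}
    for name, value in token_attrs.items():
        if value is not None:
            out[prefix + name] = str(value)
    return out


def read_session(headers, prefix=PREFIX):
    """Application side: use only prefixed headers; fail closed without SUBJECT."""
    low = prefix.lower()
    session = {k[len(prefix):].upper(): v
               for k, v in headers.items() if k.lower().startswith(low)}
    if not session.get("SUBJECT"):
        raise PermissionError("no authenticated subject in request headers")
    return session


# Constructed sample data: a request carrying client-supplied prefixed headers,
# and the attributes of a validated token (value formats are assumed).
SAMPLE_REQUEST = {
    "Host": "app.example.com",
    "example-prefix-subject": "admin",    # client-supplied, must not survive
    "Example-Prefix-Role": "superuser",   # client-supplied, must not survive
}
SAMPLE_TOKEN = {
    "SUBJECT": "jdoe",
    "NOT-ON-OR-AFTER": "2030-01-01T00:05:00Z",
    "RENEW-UNTIL": "2030-01-01T08:00:00Z",
    "department": None,                   # NULL attribute, not in the token
}

if __name__ == "__main__":
    print(read_session(rewrite_headers(SAMPLE_REQUEST, SAMPLE_TOKEN)))
```

An application that reads these values from unprefixed header names has to rely on the agent sitting in front of every request path, because the names alone no longer distinguish agent-written headers from anything else.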