Custom header in Openam web agent

This topic has 4 replies, 2 voices, and was last updated 5 years, 9 months ago by chinmaym.

  • Author
  • #14514

    I am using Openam Apache web agent 2.2 to implement SSO. I want to inject some custom headers using the Profile Attributes Processing option. I have set the Profile Attribute Fetch Mode as HTTP_HEADER and I have populated the Profile Attribute Map as [uid]=username.
    But when I fire the URL, the custom request header is not being set. I can’t view it using developer options and I can’t access it using code in my application.
    If however I change the HTTP_HEADER to HTTP_COOKIE, I get the value and SSO is completed.
    Can anyone suggest what the problem is?

    • This topic was modified 5 years, 10 months ago by Peter Major.
     Peter Major

    Headers set by the agent will NOT be accessible by browsers, you should only see those headers on the server side.

    Also, are you sure you are using agent 2.2? That is a *very* outdated version of the agent, did you mean that you are using some different version of the agent on apache 2.2 instead?


    The headers are not being accessible at the server side. That is the problem. If I use the HTTP_COOKIE option, then I can see them in the browser and also at the server side.
    Also, even if I manage to set the headers correctly, will they persist after a redirect?
    Suppose, after OpenAM authentication, I get to a page where there is redirect option. Even if the headers are accessible on the first page, will they persist after I click on the redirect URL?

    And sorry about the version. I am using version 4.0.0 on Apache 2.2

     Peter Major

    Agents are server side modules, so when you configure HTTP_HEADER mapping, those headers will be set up on the server side only and for each incoming request. The attributes are normally only retrieved for enforced URIs, but there is a setting that enables retrieval of profile attributes for not enforced URIs as well.

    Because of the above, if you are trying to redirect the user to a different site, then such headers will not be available there (since the headers are only available as *request* headers on the *server* side). If however the site you redirect to is also protected by a web agent, the attributes can be made available similarly using the attribute mapping settings.


    Ok. Thanks for the reply. I will try out the second method and see what happens.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?