Validating the user identity

EAI applications can re-authenticate a user by returning new authentication information for a session that has already been authenticated. By default, WebSEAL does not check that this new authentication information refers to the same user as the existing session: the identity produced by the subsequent EAI authentication is accepted without being compared to the one already bound to the session. You can configure WebSEAL to verify that the user identity does not change during subsequent EAI authentications.

WebSEAL uses the principal name (azn_cred_principal_name attribute) to validate the user identity. The principal name that is contained in the newly constructed credential is compared with the principal name contained in the existing credential. If the two names differ, the validation process fails and WebSEAL returns an authentication error to the user.

To validate user identities during subsequent EAI authentication operations, set the eai-verify-user-identity stanza entry to yes. This entry is located in the [eai] stanza of the WebSEAL configuration file:

[eai]
eai-verify-user-identity = yes
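The following is an added example, not IBM code and not part of this page: a small Python audit that parses a WebSEAL stanza file and reports whether eai-verify-user-identity is enabled in the [eai] stanza. The configuration fragments are constructed for the example, the other entries shown in them (eai-auth, web-host-name) are only there to give the parser something to skip, and the default file name webseald-default.conf is an assumption about the deployment.

```python
"""Audit a WebSEAL stanza file for eai-verify-user-identity.

Added example, not IBM code. Assumes the standard WebSEAL stanza layout:
[stanza] headers, key = value lines, '#' comment lines.
"""
import re
import sys
from typing import Dict, List, Tuple

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_stanza_file(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse stanza-file text into {stanza: [(key, value), ...]}.

    Keys are kept as an ordered list rather than a dict because a stanza
    file may legitimately repeat a key, and because a repeated
    eai-verify-user-identity entry is itself something to report.
    """
    stanzas: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name").strip()
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # ignore anything outside a stanza or not key = value
        key, _, value = line.partition("=")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def audit_eai(text: str) -> List[str]:
    """Return findings about the [eai] stanza; an empty list means the
    identity check is enabled exactly once with the value yes."""
    entries = parse_stanza_file(text).get("eai", [])
    values = [v for k, v in entries if k == "eai-verify-user-identity"]
    findings = []
    if not values:
        # Entry absent: WebSEAL keeps its default of not comparing the
        # principal name on EAI re-authentication.
        findings.append("[eai] eai-verify-user-identity is not set; "
                        "a changed principal on EAI re-authentication is accepted")
    elif values[-1].lower() != "yes":
        findings.append(f"[eai] eai-verify-user-identity = {values[-1]}; set it to yes")
    if len(values) > 1:
        findings.append("[eai] eai-verify-user-identity appears more than once; "
                        "keep a single entry")
    return findings


def eai_identity_check_enabled(text: str) -> bool:
    """Convenience wrapper: True only when the audit produces no findings."""
    return not audit_eai(text)


# Constructed sample fragments (not taken from a real deployment).
DEFAULT_CONF = """
[eai]
# eai-verify-user-identity is not set, so WebSEAL uses its default
eai-auth = https
"""

HARDENED_CONF = """
[server]
web-host-name = www.example.com

[eai]
eai-auth = https
eai-verify-user-identity = yes
"""

if __name__ == "__main__":
    # Assumed default file name; pass the real path as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "webseald-default.conf"
    try:
        with open(path, encoding="utf-8") as fh:
            problems = audit_eai(fh.read())
    except OSError as exc:
        sys.exit(f"cannot read {path}: {exc}")
    for p in problems:
        print("FINDING:", p)
    print("OK: eai-verify-user-identity = yes" if not problems else f"{len(problems)} finding(s)")
```

Run it against the instance's webseald configuration file; a clean run confirms the [eai] stanza carries the entry once with the value yes, and any other state is reported as a finding.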