Container-based Authentication

This topic applies to XperienCentral versions 10.10.0 and higher.


XperienCentral supports the trusting of the authentication of a backend web container. This means that a user who is successfully logged in on the backend container is trusted and may therefore access XperienCentral without having to supply a username/password combination. XperienCentral supports container-based authentication for all the supported application servers (Apache Tomcat, JBoss, and IBM WebSphere).

In addition to automatically logging a user in, their role (and therefore their permissions) can also be retrieved and passed on to XperienCentral. You also have the option of dynamically creating a new user in XperienCentral if/when a user unknown to XperienCentral logs in. In that case, the user is created in XperienCentral and the role(s) which are assigned in the container can be applied.


The mechanism described in this topic is not “single sign-on”. What this mechanism does is delegate the authentication of users to a backend container.

For Developers: An illustrative example is provided in Backend Container Based Authentication. You may need to provide a valve, filter or another plugin in order to make use of a 3rd party authentication source. Such a component should make HttpServletRequest#getRemoteUser and HttpServletRequest#isUserInRole behave accordingly.


Backend SSO for AD FS can also be configured and used in conjunction with the functionality described here. This sits on top of the XperienCentral backend container-based authentication. See Logging in to XperienCentral for complete information on logging in to XperienCentral.

In This Topic



Enabling Backend Container Authorization

To enable XperienCentral for backend container authorization, follow these steps:

  1. Navigate to the XperienCentral Setup Tool (<xperiencentral-root>/web/setup).
  2. Navigate to the section website_settings.
  3. Select the property enable_backend_container_filter.
  4. Scroll to the bottom of the Setup Tool dialog box and click [Save Changes].


Back to top



Enabling Dynamic User Creation

XperienCentral makes it possible to create new users when delegating authentication from the web container if they don’t already exist. When an unknown user is authenticated on the web container and accesses XperienCentral for the first time, their username will be added to XperienCentral if enable_backend_container_filter is active, and  'container managed' as access method is added

To enable dynamic user creation, follow these steps:

  1. Navigate to the XperienCentral Setup Tool (<xperiencentral-root>/web/setup).
  2. Navigate to the section website_settings.
  3. Select the property enable_dynamic_user_creation.
  4. Scroll to the bottom of the Setup Tool dialog box and click [Save Changes].


The mechanism described in this topic only creates a user, thus while the user is allowed access to XperienCentral, he or she may not be able to start editing.


Multiple Websites

When XperienCentral receives a log in request from the web container, the filtering mechanism only applies to one specific website (based on the URL). If your XperienCentral deployment contains multiple websites, the new user will only be created in the channel into which they log in. Because an XperienCentral installation cannot contain multiple users with the same username, if a user exists in a website other than the one being accessed and the enable_dynamic_user_creation setting is active, no new user is created, but the existing user will be made available to the channel being logged into.


In a clustered XperienCentral environment with one or more read-only nodes, a user must have first logged in to the read/write node and have been dynamically created on it before they can subsequently log in to a read-only node. This is because no users can be dynamically created on read-only nodes in a clustered environment.



Back to top



Enabling External Role Synchronization

Users in XperienCentral are assigned one or more roles and each role itself has permissions assigned to it that determine what actions the user has the right to perform. When you enable external role synchronization, when a user is logged in to XperienCentral from a web container and enable_dynamic_user_creation is active, their role(s) are retrieved and are assigned to the user in XperienCentral.

To enable external role synchronization, follow these steps:

  1. Navigate to the XperienCentral Setup Tool (<xperiencentral-root>/web/setup).
  2. Navigate to the section website_settings.
  3. Select the property enable_external_role_synchronization.
  4. Click [Save Changes].


Assigning Roles to Users in the Backend Container

Depending on how you implement your backend container solution, how you assign roles to users can be done in any number of ways. What is naturally important is that you do assign roles to users and that the roles you assign can be matched to existing roles in XperienCentral. It is not possible to create new roles within XperienCentral using the role synchronization mechanism. What this means is that typically you will have already created roles in XperienCentral before assigning them to users in your backend container solution.

When matching roles assigned to the user authenticated on the web container against XperienCentral roles, they are matched against the value in the “External name” field of the XperienCentral roles.


Roles are synchornized with a user each time they log in to XperienCentral from a backend container. This means that if one or more roles is assigned to a user manually in the XperienCentral Authorization panel, the next time that user logs in to XperienCentral through the backend container, their assigned role(s) will be reverted to the ones that are assigned in the active directory.


Back to top