We would like to take part of experiences from Knox usecases where identity is propagated through HTTP Headers from SiteMinder (Apache reverse proxy server with a Siteminder Web Agent) and consumed by the Knox. #
We have default http headers set by siteminder while redirecting to target. You can make use of them to validate at Knox in order to provide the access to users.
HTTP_SM_USER - Indicates the login name of the authenticated user. If a user does not provide a user name at log in, such as certificate-based authentication, then this variable is not set.
You can use this http header and validate at knox.
If you have any specific use case, please mention it.