As the feature currently stands, the HTTP auth source is used only for authorization and cannot be used for authentication.
You can specify a third party web server that CPPM will do an HTTP GET against to query additional information about the user. The web server must return flat JSON, no nested JSON and no XML supported. CPPM can take the key/value mappings from JSON and assign authorization attributes to be used in role mappings. The HTTP auth source supports basic authentication.
Note that :
1. Currently, we only support a single level (simple) JSON response. Nested JSON elements are not supported
2. The authorization request parameters need to be embedded into the URL. Currently, CPPM cannot issue a XML request (or any other messaging structures)
The HTTP authentication source is not exactly a general purpose handler for authorisation - it expects a very strict single-level JSON response.