Identity propagation transports authenticated identities to protected applications. Overall security greatly depends on the security of identity propagation (especially in cross-domain SSO scenarios).
Protect against internal threats.
- Unprotected "identity tickets" (e.g. username cookies or headers) allow any entity that can communicate directly with the target application to impersonate any user.
- Sign and/or encrypt "identity tickets" and verify their authenticity in the target application (e.g. using the "JWT Ticket Encoder").
Favor internal over external identity propagation.
- Internal identity propagation: identity information does not leave the trusted zone and is transported via the Airlock Gateway (WAF) session store (HTTP cookies, headers, Basic Authorization, Kerberos, ...).
- External identity propagation: identity information is transported via the browser. This type is only required for cross-domain SSO (single sign-on) and should not be used in other cases.
Use "IAM SSO Tickets" with care.
- IAM SSO (single sign-on) tickets provide an easy way to exchange identity information between any two IAM instances (even across multiple domains).
- IAM SSO tickets must be cryptographically protected (e.g. using the "JWT Ticket Encoder") with good key material.
- IAM SSO tickets are transported via the browser (external identity propagation).
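The following is an added example, not Airlock IAM or Airlock Gateway code, illustrating both the "sign and verify identity tickets" rule above and the key-material requirement for IAM SSO tickets. It builds a minimal HS256 JWT ticket with only the Python standard library and shows how a target application that trusts a plain username header accepts any value, whereas the ticket-based variant rejects forged payloads, an unpinned algorithm, a ticket meant for another application and an expired ticket. The claim names, the application name "crm", the header names `X-User`/`X-Ticket` and the 32-byte key minimum are assumptions made for this example.

```python
# Added example (not Airlock IAM code): minimal HS256 "JWT ticket" encoder/verifier
# using only the standard library, to show why identity tickets must be signed and
# verified in the target application. Claim names, header names and the key are constructed.
import base64
import hashlib
import hmac
import json
import time

MIN_KEY_BYTES = 32  # assumption: require at least 256 bits of key material for HS256


class TicketError(Exception):
    """Raised when an identity ticket is not acceptable."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_part(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def encode_ticket(claims: dict, key: bytes) -> str:
    """Produce header.payload.signature (JWS compact form) signed with HMAC-SHA256."""
    if len(key) < MIN_KEY_BYTES:
        raise TicketError("key material too short for HS256")
    signing_input = f"{_json_part({'alg': 'HS256', 'typ': 'JWT'})}.{_json_part(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_ticket(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims only if algorithm, signature, audience and expiry all check out."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TicketError("malformed ticket") from exc
    # Pin the algorithm on the verifier side; the ticket must never choose it.
    if header.get("alg") != "HS256":
        raise TicketError("unexpected algorithm")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TicketError("bad signature")
    if claims.get("aud") != expected_aud:
        raise TicketError("ticket issued for another application")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TicketError("ticket expired")
    return claims


def user_from_plain_header(headers: dict) -> str:
    """Unprotected propagation: whoever can reach the application decides the user."""
    return headers["X-User"]


def user_from_ticket(headers: dict, key: bytes, app_name: str, now=None) -> str:
    """Protected propagation: the ticket must carry a valid signature for this application."""
    return verify_ticket(headers["X-Ticket"], key, app_name, now)["sub"]


def _outcome(fn):
    try:
        return fn()
    except TicketError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    """Run the scenarios and return what the target application would conclude in each."""
    key = hashlib.sha256(b"constructed demo secret; use 32+ random bytes in practice").digest()
    now = 1_700_000_000  # fixed clock so the example is deterministic
    claims = {"iss": "iam.example", "sub": "alice", "aud": "crm", "iat": now, "exp": now + 300}
    ticket = encode_ticket(claims, key)
    h, p, s = ticket.split(".")
    # Payload rewritten to another user but carrying the original signature.
    forged = f"{h}.{_json_part(dict(claims, sub='admin'))}.{s}"
    # Header claims no algorithm and ships an empty signature.
    alg_none = f"{_json_part({'alg': 'none', 'typ': 'JWT'})}.{p}."
    expired = encode_ticket(dict(claims, exp=now - 1), key)
    other_app = encode_ticket(dict(claims, aud="hr"), key)
    return {
        "plain_header": user_from_plain_header({"X-User": "admin"}),
        "valid": _outcome(lambda: user_from_ticket({"X-Ticket": ticket}, key, "crm", now)),
        "forged_payload": _outcome(lambda: user_from_ticket({"X-Ticket": forged}, key, "crm", now)),
        "alg_none": _outcome(lambda: user_from_ticket({"X-Ticket": alg_none}, key, "crm", now)),
        "expired": _outcome(lambda: user_from_ticket({"X-Ticket": expired}, key, "crm", now)),
        "wrong_audience": _outcome(lambda: user_from_ticket({"X-Ticket": other_app}, key, "crm", now)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:15} -> {result}")
```

The verifier pins the algorithm, compares signatures in constant time, checks the audience so a ticket for one application cannot be replayed against another, and enforces a short expiry, which matters most for SSO tickets that travel through the browser. The key-length check is where "good key material" becomes a hard requirement rather than advice.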