5.3.2. Identity propagation

Identity propagation transports authenticated identities to protected applications. Overall security greatly depends on the security of identity propagation (especially in cross-domain SSO scenarios).

Protect against internal threats.

  • Unprotected "identity tickets" (e.g. username cookies or headers) allow any entity that can communicate directly with the target application to impersonate any user.
  • Sign and/or encrypt "identity tickets" and verify their authenticity in the target application (e.g. using the "JWT Ticket Encoder").
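As an added illustration (not Airlock's JWT Ticket Encoder or any other Airlock code), the following Python contrasts an unprotected username header, which the target application simply believes, with an HMAC-signed JWT identity ticket that the target application verifies (algorithm, signature, expiry) before trusting the identity. The header names, shared key and claim layout are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SHARED_KEY = b"constructed-demo-key-replace-with-real-key-material"  # assumption, not real key material

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def user_from_plain_header(headers: dict) -> Optional[str]:
    """Unprotected identity ticket: whatever the caller puts in X-User is believed (assumed header name)."""
    return headers.get("X-User")

def sign_ticket(claims: dict, key: bytes) -> str:
    """Issuer side (e.g. the IAM): HS256-signed compact JWS carrying the identity claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_ticket(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Target application side: return the claims only if alg, signature and expiry all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None  # refuses "none" and any algorithm the verifier did not choose itself
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # constant-time compare; a tampered payload or wrong key ends up here
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return None  # a ticket without a usable expiry is treated as expired
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token, bad base64/JSON or unexpected JSON shape

def user_from_ticket_header(headers: dict, key: bytes, now: Optional[float] = None) -> Optional[str]:
    """Protected identity ticket: the user is taken from the ticket only after verification (assumed header name)."""
    ticket = headers.get("X-Identity-Ticket")
    claims = verify_ticket(ticket, key, now) if ticket else None
    return claims.get("sub") if claims else None
```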

Favor internal over external identity propagation.

  • Internal identity propagation: identity information does not leave the trusted zone and is transported via the Airlock Gateway (WAF) session store (HTTP cookies, headers, Basic Authorization, Kerberos, ...)
  • External identity propagation: identity information is transported via the browser. This type is only required for cross-domain SSO (single sign-on) and should not be used in other cases.

Use "IAM SSO Tickets" with care.

  • IAM SSO (single sign-on) tickets provide an easy way to exchange identity information between any two IAM instances (even across multiple domains).
  • IAM SSO tickets must be cryptographically protected (e.g. using the "JWT Ticket Encoder") with good key material.
  • IAM SSO tickets are transported via the browser (external identity propagation).