17.2.2.8. Identity propagation configuration in the Loginapp REST API

This section explains how identity propagation is configured in the Loginapp REST API (used by the Loginapp REST UI).

Instruction

  1. Go to:
     Loginapp >> Authentication Flows >> <select application> >> Authentication Flow
  2. Add one or more identity propagator plugins to the list Identity Propagation. The identity propagators are processed in the defined order.
  3. Use the property Username To Propagate Provider to define which piece of information is provided to the configured identity propagator(s) as the username. Depending on the target application's needs, this may also be a different user property, or the value may have to be transformed in some way. Note that this property is not used for OAuth/OIDC target applications.
  4. Where possible, it is recommended to use the plugin Generic Identity Propagator.

Available Identity propagators

The Loginapp REST API supports the following identity propagator plugins (more may be added in newer versions - please check the available plugins in the Config Editor).

Identity propagator plugin and purpose:

Generic Identity Propagator
    This is the most flexible general-purpose identity propagator, providing the largest number of identity attributes.
    The Generic Identity Propagator supports:
      • Numerous value providers that make attributes available to be included in the ID.
      • Numerous ticket string providers defining how identity attributes are represented in a ticket string.
      • Encoders (UTF-8, base-64).
      • Ticket adders defining how to transport the ticket to the target application (including the plugin SPA Forward Location Parameter Adder, which makes the Loginapp REST UI append an SSO ticket to the target URL).

Legacy Identity Propagation Adapter
    This adapter allows using a number of older identity propagator plugins from the JSP-Loginapp:
      • HTTP Basic Auth Identity Propagator
      • Kerberos Identity Propagator
      • NTLM Identity Propagator (deprecated)
      • SAML Assertion Cookie Identity Propagator
      • Cookie Ticket Identity Propagator*
      • Plain Cookie Identity Propagator*
      • Username Cookie Identity Propagator*
      • HTTP Header Identity Propagator*
      • HTTP Response Header Identity Propagator*
    Instead of using the plugins marked with *, use the Generic Identity Propagator.
    The legacy adapter can also be used for custom identity propagators that have been written for the JSP-Loginapp (and implement the marker interface RestIdentityPropagator).

OAuth 2.0/OIDC Identity Propagator
    This identity propagator is used to finish the OAuth/OIDC authorization code grant flow. It is only used if the authentication flow was started with an OAuth/OIDC authorization code grant.

Target URI Identity Propagator
    Allows transforming the target URI (the URI of the application the user originally tried to access before being redirected to the login application) and sending it to the REST client in an HTTP header.
    This propagator is usually used in combination with other identity propagators (as it does not itself propagate the identity).

Loginapp Session Update ID Propagator
    This identity propagator updates the session information of the JSP-Loginapp and may be used in hybrid setups where both Login REST UI and JSP-Loginapp are required.
    Note that the JSP-Loginapp has been deprecated. This plugin is only supported as long as the JSP-Loginapp is.

Every identity propagator can be configured with a condition. Each identity propagator in the list is only used if the condition is met.
