The configuration for the SSO ticket use case builds on the weak-app and strong-app use cases but requires additional configuration:
- The SSO ticket resource needs to be configured.
- The strong authentication flow needs to be flexible enough to handle both authentication scenarios, with and without an SSO ticket.
Resource endpoint configuration (SSO ticket)
1. Go to: Loginapp >> OAuth 2.0/OpenID Connect AS Settings >> Authorization Servers >> {{AS-Id}} >> Resource Endpoint
2. Create and edit an OAuth 2.0 Resource (AS-centric) plugin with:
   - Resource Name: the name used in the URL to access the resource.
   - Resource Providers: create and edit an OAuth 2.0 SSO Ticket Resource (AS-centric) plugin.
   - Optionally configure Resource Scopes to limit which access tokens may obtain the resource.
The resource endpoint will return SSO tickets.
login_hint configuration
1. Go to: Loginapp >> OAuth 2.0/OpenID Connect AS Settings >> Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code Flow
2. In the section Flow Settings, configure an OIDC SSO Ticket Login Hint Flow Settings plugin in the Login Hint parameter.
SSO ticket processing in the authentication flow
1. Go to: Loginapp >> Authentication Flows >> Applications >> {{Target Application}} >> Authentication Flow
2. Replace the initial Password Authentication Step with a Selection:
   - Selection Option 1: an SSO Ticket Authentication Step with a Request has SSO Ticket condition
   - Selection Option 2: the Password Authentication Step with a Logical NOT of the Request has SSO Ticket condition
This selection picks the correct authentication method without user interaction: a request that carries an SSO ticket is authenticated with the ticket, any other request falls back to username and password.
Example use case
This use case continues after the successful authentication to strong-app in the previous use case.
Obtain an SSO ticket
1. Obtain an SSO ticket from the SSO ticket resource, presenting the access token obtained for strong-app as Bearer token.
2. The resource responds with the requested SSO ticket:
Resource access: request for SSO ticket

```http
GET https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/resources/sso-ticket
Authorization: Bearer eyJraWQ...RNLJs9_3-Vw
```

Resource access: response with SSO ticket

```http
200 OK
{ "sso-ticket": "eyJ0eXAiOi..._exxL0k4Xnw" }
```
Start authentication with SSO ticket
1. The authorize call is started with the login_hint, prompt and acr_values parameters:
   - prompt=login forces the authorization server to de-authenticate the user before continuing, so an existing session is not reused
   - login_hint carries the SSO ticket and allows the authorization server to try to authenticate the user from it
   - acr_values instructs the authorization server which quality of authentication flow is required
   As a result the SSO ticket is accepted in the authentication flow and the first login screen for username and password is skipped. Because login_hint is a query parameter, the SSO ticket ends up in browser history and HTTP server logs; treat it as a short-lived bearer credential and request it immediately before use.
2. The server redirects the browser to the redirect_uri, supplying the code and state parameters. The client must verify that the returned state matches the value it sent before using the code.
3. The client makes the authenticated call to the token endpoint to obtain the access, refresh and ID tokens.
Authorization request with the SSO ticket as login_hint

```http
GET https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?response_type=code&
    redirect_uri=https://app.airlock.com/function&
    client_id=oidc-client&
    scope=openid&
    login_hint=eyJ0eXAiOi..._exxL0k4Xnw&
    prompt=login&
    acr_values=strong-acr&
    state=ee26b0dd4a...28a8ff
```
After this point the authentication flow continues normally, and after successful authentication the authorization code flow continues with the redirect to redirect_uri and the token endpoint call.
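The client side of this exchange, written here as an added example and not taken from Airlock's code or from the original page: it builds the SSO ticket resource request, extracts the ticket from the response, assembles the authorize call with login_hint, prompt=login and acr_values plus a fresh state, and validates the redirect back to redirect_uri before the authorization code is used. It also shows, as a function, the decision the Selection step in the authentication flow makes. Assumptions: the hostnames, AS id myAS, client id oidc-client and redirect URI are taken from the page's requests, the resource name sso-ticket matches the example URL, and all token, ticket and code strings as well as the step labels are constructed placeholders. It uses only the Python standard library and runs offline.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example: hostnames, AS id, client id and redirect_uri
# follow the page's requests; the token, ticket and code strings are placeholders.
AS_BASE = "https://oidc.airlock.com/auth-login"
AS_ID = "myAS"
RESOURCE_NAME = "sso-ticket"  # Resource Name of the OAuth 2.0 Resource plugin (assumed)
SSO_TICKET_RESOURCE_URL = (
    f"{AS_BASE}/rest/oauth2/authorization-servers/{AS_ID}/resources/{RESOURCE_NAME}"
)
AUTHORIZE_URL = f"{AS_BASE}/oauth2/v3/{AS_ID}/authorize"
CLIENT_ID = "oidc-client"
REDIRECT_URI = "https://app.airlock.com/function"


def sso_ticket_request(access_token: str) -> dict:
    """Request to the SSO ticket resource: the access token from the strong-app
    authentication goes into the Authorization header as Bearer token."""
    return {
        "method": "GET",
        "url": SSO_TICKET_RESOURCE_URL,
        "headers": {"Authorization": f"Bearer {access_token}"},
    }


def parse_sso_ticket_response(status: int, body: str) -> str:
    """Extract the ticket from the resource response. Anything but a 200 with a
    non-empty "sso-ticket" string is a failure, never an empty login_hint."""
    if status != 200:
        raise RuntimeError(f"SSO ticket resource answered with status {status}")
    ticket = json.loads(body).get("sso-ticket")
    if not isinstance(ticket, str) or not ticket:
        raise ValueError("response carries no sso-ticket")
    return ticket


def build_authorize_request(sso_ticket: str, acr: str = "strong-acr", state: str = ""):
    """Authorize call for the target application: the ticket travels in login_hint,
    prompt=login discards any existing session, acr_values demands the strong flow.
    state is a fresh random value the client must remember for the callback check."""
    state = state or secrets.token_hex(16)
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "scope": "openid",
        "login_hint": sso_ticket,
        "prompt": "login",
        "acr_values": acr,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to redirect_uri and return the authorization code.
    The state must equal the one sent (constant-time compare); an error response or
    a missing code aborts instead of continuing to the token endpoint."""
    parsed = urlparse(callback_url)
    query = parse_qs(parsed.query)
    if parsed._replace(query="", fragment="").geturl() != REDIRECT_URI:
        raise ValueError("callback does not target the registered redirect_uri")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect was not started by this client")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def select_authentication_step(authorize_params: dict) -> str:
    """Server-side view of the Selection step: the 'Request has SSO Ticket'
    condition holds iff a non-empty login_hint ticket was sent (labels assumed)."""
    return "sso-ticket-step" if authorize_params.get("login_hint") else "password-step"


def run_example() -> dict:
    """Walk through the use case with constructed responses, no network access."""
    req = sso_ticket_request("access-token-from-strong-app")  # constructed token
    resource_body = '{"sso-ticket": "constructed.sso.ticket"}'  # constructed response
    ticket = parse_sso_ticket_response(200, resource_body)
    url, state = build_authorize_request(ticket)
    sent = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    step = select_authentication_step(sent)
    # The AS runs the SSO Ticket Authentication Step and redirects back (constructed):
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    code = parse_callback(callback, state)
    return {"resource_request": req, "authorize_url": url, "state": state,
            "step": step, "code": code}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The state check is the part most often skipped in hand-written clients; without it an attacker can drive the victim's browser to the callback with a code bound to the attacker's session. The access token for the resource request is the one from the strong-app authentication, which is why the ticket inherits that authentication quality.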