Step-up with SSO
13.3.2.4.3. Use Case – Step-up with SSO ticket

The configuration for the SSO ticket use case is based on the use cases for weak-app and strong-app, but it requires additional configuration:

  • The SSO ticket needs to be configured.
  • The strong authentication flow needs to be flexible enough to handle both authentication scenarios, with and without SSO ticket.

Resource endpoint configuration (SSO ticket)

  1. Go to:
     Loginapp >> OAuth 2.0/OpenID Connect AS Settings >> Authorization Servers >> {{AS-Id}} >> Resource Endpoint
  2. Create and edit an OAuth 2.0 Resource (AS-centric) plugin with
     • Resource Name: A name that will be used in the URL to access the resource.
     • Resource Providers: Create and edit an OAuth 2.0 SSO Ticket Resource (AS-centric) plugin.
     • Optionally configure Resource Scopes to limit access.

  The resource endpoint will return SSO tickets.

login_hint configuration

  1. Go to:
     Loginapp >> OAuth 2.0/OpenID Connect AS Settings >> Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code Flow
  2. In the section Flow Settings, configure an OIDC SSO Ticket Login Hint Flow Settings plugin in the Login Hint parameter.

SSO ticket processing in the authentication flow

  1. Go to:
     Loginapp >> Authentication Flows >> Applications >> {{Target Application}} >> Authentication Flow
  2. Replace the initial Password Authentication Step with a Selection:
     • Selection Option 1: Configure an SSO Ticket Authentication Step with a Request has SSO Ticket condition.
     • Selection Option 2: Configure the Password Authentication Step with a Logical NOT of the Request has SSO Ticket condition.

  This configuration determines the correct authentication method without user interaction.

Example use case

This use case continues after the successful authentication to strong-app in the previous use case.

Obtain an SSO ticket

  1. Obtain an SSO ticket from the SSO ticket resource.

     Resource access Request for SSO ticket

     GET https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/resources/sso-ticket
      Authorization: Bearer eyJraWQ...RNLJs9_3-Vw

  2. This resource will respond with the requested SSO ticket:

     Resource access Response with SSO ticket

     200 OK
      {
          "sso-ticket": "eyJ0eXAiOi..._exxL0k4Xnw"
      }
Start authentication with SSO ticket

  1. The authorize call is started with the login_hint, prompt and acr_values parameters:
     • prompt=login will force the authorization server to de-authenticate the user before continuing.
     • login_hint will allow the authorization server to try to authenticate the user from the information provided.
     • acr_values will instruct the authorization server on the required quality of the authentication flow.

     Resource access Request for SSO-ticket

     GET https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?response_type=code&
      redirect_uri=https://app.airlock.com/function&
      client_id=oidc-client&
      scope=openid&
      login_hint=eyJ0eXAiOi..._exxL0k4Xnw&
      prompt=login&
      acr_values=strong-acr&
      state=ee26b0dd4a...28a8ff

  As a result, the SSO ticket is accepted in the authentication flow and the first login screen for username and password is skipped.

  After this point the authentication flow continues normally, and after successful authentication the authorization code flow will continue:

     • The server will redirect the browser to the redirect_uri, supplying the code and state parameters.
     • The client makes an authenticated call to the token endpoint to obtain the access, refresh, and ID tokens.
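The client side of the exchange above, as an added example that is not part of the Airlock documentation: it extracts the ticket from the resource response, builds the step-up authorize request (ticket as login_hint, prompt=login, acr_values), binds the callback to the request through the state parameter, and confirms that the ID token actually reports the requested acr. The endpoint, client_id and redirect_uri values are taken from the requests shown above; the acr claim check is standard OIDC behaviour and assumes the ID token's signature has already been validated elsewhere.

```python
import json
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the requests shown on this page.
AS_BASE = "https://oidc.airlock.com/auth-login/oauth2/v3/myAS"
REDIRECT_URI = "https://app.airlock.com/function"
CLIENT_ID = "oidc-client"


def extract_sso_ticket(resource_response_body: str) -> str:
    """Pull the ticket out of the SSO ticket resource's JSON response."""
    ticket = json.loads(resource_response_body).get("sso-ticket")
    if not isinstance(ticket, str) or not ticket:
        raise ValueError("resource response carries no sso-ticket")
    return ticket


def build_step_up_authorize_url(sso_ticket: str, acr: str, state: str) -> str:
    """Authorize request: ticket as login_hint, prompt=login forces
    re-authentication, acr_values names the required authentication quality."""
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "scope": "openid",
        "login_hint": sso_ticket,
        "prompt": "login",
        "acr_values": acr,
        "state": state,
    }
    return f"{AS_BASE}/authorize?{urlencode(params)}"


def state_matches(returned: Optional[str], expected: str) -> bool:
    """Constant-time check of the state echoed back in the redirect."""
    return returned is not None and secrets.compare_digest(returned, expected)


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if state binds it to our request."""
    query = parse_qs(urlparse(callback_url).query)
    if not state_matches(query.get("state", [None])[0], expected_state):
        raise ValueError("state mismatch: discard this callback")
    return query["code"][0]


def acr_satisfied(id_token_claims: dict, required_acr: str) -> bool:
    """Step-up is complete only if the ID token reports the acr we asked for."""
    return id_token_claims.get("acr") == required_acr
```

Generate state with secrets.token_hex(16) per request and keep it in the user's session; a callback whose state does not match must not be exchanged for tokens.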