Users as realm administrators
18.14.3.1. Use Case: Regular end-users as realm administrators

This use case applies to an organization in which employees with regular end-user accounts are to be given access to the Adminapp as realm administrators.

The solution presented here has the following characteristics:
  • A regular end-user can obtain an SSO ticket that contains both the user's roles and the realm value for the Adminapp.
  • The Adminapp authenticates the administrator with the SSO ticket and limits authorization to the roles and the realm value carried in the ticket.
  • To be authorized to obtain the SSO ticket, the end-user must have at least the useradmin role and may additionally have the tokenadmin role.

Configuration of the target application

Prerequisites
  • The attribute storing the realm value for both end-users and administrators is named realm.

Instruction
  1. Go to: MAIN SETTINGS >> Application Settings >> Target Applications
  2. Create a new Target Application using the Identity Propagator plugin.
  3. Set Default URL to the forward location of the Adminapp.
  4. Set URL Pattern to match the URL of the Adminapp.
  5. Add useradmin as the required role.
  • The Target Application is partly configured.
 
Next: Create an SSO Ticket Identity Propagator
  1. Create and configure an SSO Ticket Identity Propagator.
  2. Set Ticket Lifetime to less than 5 seconds. The ticket is consumed immediately on the redirect to the Adminapp, so a short lifetime keeps the window for replaying an intercepted ticket minimal.
  3. Set Forward Location Parameter to Location.
  • The SSO Ticket Identity Propagator is pre-configured.
 
Next: Create a JWT Ticket Encoder
  1. Create and configure a JWT Ticket Encoder.
  2. Set Username Ticket Key to username.
  3. Set Issuer as appropriate, e.g. Airlock IAM.
  4. Set Valid Not Before Skew to 5 (seconds).
  5. Set Claims stored as an array with two values: roles and realm.
  6. Create and configure a JWT Ticket Signer. Use an HMAC algorithm; the Signature Verifier of the Adminapp must later be configured with the same algorithm and the same key.
  • The SSO Ticket Identity Propagator and the JWT Ticket Encoder are now configured.
 
Next: Create a Mapping Ticket Service plugin
  1. Go to the Ticket Identity Propagator.
  2. Create a Mapping Ticket Service plugin.
  3. Create a Mapped Ticket Element plugin.
  4. Configure this Ticket Element plugin for the user roles:
     - Set Ticket Key to roles.
     - Set Value Reference to @roles.
     - Set Mandatory to true.
  5. Create a second Mapped Ticket Element plugin.
  6. Configure this Ticket Element plugin for the realm attribute:
     - Set Ticket Key to realm.
     - Set Value Reference to realm.
     - Set Mandatory to true.
  • The Mapping Ticket Service is now configured. Because both elements are mandatory, no ticket is issued for a user who lacks a realm value or has no roles.
  • The Target Application configuration is now complete.

Configuration of the Adminapp

Prerequisite
  • none

Instruction
  1. Go to: Adminapp >> Administrators >> SSO Settings
  2. Set Parameter Name to match the JWT Ticket Encoder.
  3. Set Accept Super Admins as appropriate.
  4. Set Use Roles from Ticket to true.
  • The SSO Settings are pre-configured.
 
Next: Create a JWT Ticket Decoder plugin
  1. Create and configure a JWT Ticket Decoder plugin.
  2. Set Username Ticket Key to username.
  • The JWT Ticket Decoder is pre-configured.
 
Next: Create a Signature Verifier plugin
  1. Create and configure a Signature Verifier plugin.
  2. Set Algorithm and Key to match the algorithm and key configured in the JWT Ticket Signer of the JWT Ticket Encoder. A mismatch causes every ticket to be rejected; the verifier must not accept the algorithm named in the ticket itself.
  • The JWT Ticket Decoder is configured.
 
Next: Create a JWT Ticket Processor
  1. Go to SSO Config.
  2. Create a Context Data Import plugin for the Ticket Processor.
  3. Go to the Ticket Processor.
  4. Create and configure a Key Entry plugin:
     - Set Ticket Key to realm.
     - Set Context Data Key to realm.
  • The JWT Ticket Processor is configured. The realm value imported into the context data is what confines the administrator to their own realm.
  • The SSO Settings are now complete.
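The two halves of the procedure above (the JWT Ticket Encoder with its HMAC Ticket Signer on the Target Application side, and the JWT Ticket Decoder, Signature Verifier and Ticket Processor on the Adminapp side) can be checked against a small model of what the plugins do. The following Python is an added example written for this page; it is not Airlock IAM code and does not call its API. The HS256 algorithm, the claim names username, roles and realm, the 4-second lifetime, the backdated nbf for the skew setting, the constructed shared key and the sample user data are all assumptions chosen to match the settings in the instructions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values (not from Airlock IAM). In the real setup the
# JWT Ticket Signer and the Signature Verifier share this algorithm and key.
SHARED_KEY = b"constructed-example-hmac-key-replace-in-deployment"
TICKET_LIFETIME = 4        # seconds; the instructions ask for less than 5
NOT_BEFORE_SKEW = 5        # seconds; models "Valid Not Before Skew" = 5
MANDATORY_CLAIMS = ("username", "roles", "realm")
REQUIRED_ROLE = "useradmin"
OPTIONAL_ROLE = "tokenadmin"


class TicketError(ValueError):
    """Raised whenever a ticket must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_ticket(username, roles, realm, issuer="Airlock IAM", now=None, key=SHARED_KEY):
    """Encoder side: build an HS256 JWT carrying username, roles and realm.

    nbf is backdated by NOT_BEFORE_SKEW (assumed meaning of the skew setting)
    so a receiver whose clock runs slightly behind does not reject a fresh ticket.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "username": username,
        "roles": list(roles),          # stored as an array, as the encoder is set up
        "realm": realm,
        "iss": issuer,
        "iat": now,
        "nbf": now - NOT_BEFORE_SKEW,
        "exp": now + TICKET_LIFETIME,
    }
    segments = [_b64url(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments)
    return signing_input + "." + _b64url(_sign(signing_input, key))


def decode_ticket(token, now=None, key=SHARED_KEY):
    """Decoder side: verify signature and validity window, then import the
    mandatory claims. Returns the context data the Adminapp would work with."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TicketError("malformed ticket")
    header_b64, payload_b64, sig_b64 = parts
    # Verify before trusting anything in the token; compare in constant time.
    expected = _sign(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TicketError("signature verification failed")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The algorithm is pinned in the verifier, never taken from the token.
        raise TicketError("unexpected algorithm")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TicketError("ticket expired or has no exp")
    if isinstance(claims.get("nbf"), int) and now < claims["nbf"]:
        raise TicketError("ticket not yet valid")
    for name in MANDATORY_CLAIMS:
        if name not in claims:
            raise TicketError(f"mandatory claim missing: {name}")
    roles = frozenset(claims["roles"])
    if REQUIRED_ROLE not in roles:
        raise TicketError(f"{REQUIRED_ROLE} role required")
    return {"username": claims["username"], "roles": roles, "realm": claims["realm"]}


def may_administer(ctx, target_realm, tokens=False):
    """Authorization on the Adminapp side: confined to the realm from the
    ticket; token administration additionally needs the tokenadmin role."""
    if ctx["realm"] != target_realm:
        return False
    if tokens and OPTIONAL_ROLE not in ctx["roles"]:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: alice is a user administrator of realm "hr" only.
    tok = mint_ticket("alice", ["useradmin"], "hr", now=1000)
    ctx = decode_ticket(tok, now=1002)
    print(ctx["username"], sorted(ctx["roles"]), ctx["realm"],
          may_administer(ctx, "hr"), may_administer(ctx, "finance"))
```

The order of checks mirrors the plugin chain: the Signature Verifier rejects anything not signed with the shared key before the decoder reads a single claim, the decoder enforces the validity window and the mandatory claims, and only then does the imported realm value restrict what the administrator may touch. Run the script to see a fresh ticket accepted for realm hr and refused for realm finance.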