Single sign-on using URL-tickets

The SSO ticket feature lets you authenticate an IAM session by passing an "Access-Ticket" (e.g. a JWT) in the URL.

It is supported by the Loginapp and the Adminapp.

We recommend using only JWT (JSON Web Tokens) as the encoding format. The IAM JWT plugins support various encryption and signature algorithms.

The SSO ticket feature is best used with asymmetric signature algorithms (e.g. RSA).

Example use-cases:

  • Simple cross-domain SSO: Authenticate the user on one IAM (domain xyz.com) and access an application in another domain, abc.org (protected by IAM).
  • Admin SSO from rich client: The helpdesk works with a domain-specific rich client and accesses IAM user account details in the Adminapp.
  • Send a link with an authentication ticket by email: Use this to pre-authenticate the user and use authentication step-up to verify the user's identity afterwards.
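
The following Node.js sketch is an added example, not IAM code or configuration. It shows why an asymmetric signature suits URL tickets: the issuing side signs with the private key, and the verifying side needs only the public key. The `ticket` URL parameter name, the claim values and all function names are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Constructed demo key pair. The issuer keeps privateKey; the verifier is
// configured with publicKey only and therefore cannot mint tickets itself.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64u = (v) => Buffer.from(v).toString('base64url');
const fromB64u = (v) => JSON.parse(Buffer.from(v, 'base64url').toString());

// Issuer side: build and sign an RS256 JWT. URLs end up in browser history
// and server logs, so the caller should set a short "exp".
function issueTicket(claims, key = privateKey) {
  const input = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  return input + '.' + b64u(crypto.sign('sha256', Buffer.from(input), key));
}

// Hypothetical parameter name "ticket"; base64url needs no extra URL encoding.
function ticketFromUrl(url) {
  return new URL(url).searchParams.get('ticket');
}

// Verifier side: returns the claims or throws with the reason for rejection.
function verifyTicket(ticket, { key = publicKey, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = String(ticket).split('.');
  if (parts.length !== 3) throw new Error('malformed ticket');
  const [h, p, s] = parts;
  // Pin the algorithm on the verifier; never let the ticket header choose it.
  if (fromB64u(h).alg !== 'RS256') throw new Error('unexpected alg');
  // Check the signature before trusting anything in the payload.
  if (!crypto.verify('sha256', Buffer.from(h + '.' + p), key, Buffer.from(s, 'base64url')))
    throw new Error('bad signature');
  const claims = fromB64u(p);
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (claims.aud !== audience) throw new Error('wrong audience');
  return claims;
}
```
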