The following flow diagram shows how the different systems are involved when starting representation.
Prerequisites
- The representer is logged in.
- The representer has the right to represent the representee.
Flow diagram
Note that the flow diagram does not show all HTTP requests and responses but gives a conceptual view. The HTTP requests depend on the type of login application (Loginapp REST UI or JSP-Loginapp).
- Representation is normally started from the representer's internal application, where a list of representable users is available as HTTP links. Each link points to the URI on the representer Loginapp (/airlock-iam-int) that starts representation. The endpoint expects two parameters: the user to represent and the target application to which the representer should be redirected. The names of the parameters are configurable.
  Note that this step fails if the representer is already representing an end-user. In this case, the active representation session has to be ended first.
- When starting representation, Airlock IAM always terminates possible active representee sessions. This is achieved by sending a logout request to the representee IAM.
- The representer IAM creates an SSO ticket and sends it to the representation endpoint of the representee IAM, where it is validated and authenticates the representee. The ticket also bears information about the representer, so this can be logged or propagated to the target application.
- If the SSO ticket is valid, the representee is logged in and redirected to the representee target application.
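The steps above, as an added example that is not Airlock IAM's own code or API: a small in-memory model of the two IAM instances. The ticket format (an HMAC-SHA256 over a JSON payload with an expiry), the shared signing key, the class names and the session stores are all assumptions made for illustration; only the flow (prerequisite checks, the failure when already representing, the logout of the representee, ticket issue, validation and redirect, and the representer being recorded for logging) follows the page.

```python
"""Model of the representation flow (constructed example, not Airlock IAM code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed sample key shared by the representer IAM and the representee IAM (assumption).
SSO_TICKET_KEY = b"constructed-sample-shared-secret"
TICKET_LIFETIME_SECONDS = 60


def start_url(loginapp_base, user, target, user_param="user", target_param="target"):
    """Build the link the internal application places in its list of representable users.
    The parameter names are configurable, so they are arguments here."""
    query = urlencode({user_param: user, target_param: target}, safe="/")
    return f"{loginapp_base}/representation/start?{query}"


def _sign(payload: bytes) -> str:
    return hmac.new(SSO_TICKET_KEY, payload, hashlib.sha256).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RepresenteeIAM:
    """Representee side: owns end-user sessions and validates tickets at its representation endpoint."""

    def __init__(self):
        self.sessions = {}  # representee user -> session data
        self.audit = []     # log lines, so the representer can be traced later

    def logout(self, user):
        # Called by the representer IAM before representation starts.
        if self.sessions.pop(user, None) is not None:
            self.audit.append(f"logout {user}")

    def representation_endpoint(self, ticket, now=None):
        now = time.time() if now is None else now
        try:
            enc_payload, sig = ticket.split(".")
        except ValueError:
            raise PermissionError("malformed ticket")
        payload = _unb64(enc_payload)
        if not hmac.compare_digest(_sign(payload), sig):
            raise PermissionError("invalid ticket signature")
        claims = json.loads(payload)
        if claims["exp"] < now:
            raise PermissionError("ticket expired")
        # Ticket is valid: log the representee in and remember who is representing them.
        self.sessions[claims["representee"]] = {"representer": claims["representer"]}
        self.audit.append(f"representation {claims['representer']} -> {claims['representee']}")
        return claims["target"]  # redirect target for the browser


class RepresenterIAM:
    """Representer side: checks prerequisites, ends old representee sessions, issues the ticket."""

    def __init__(self, representee_iam, rights):
        self.representee_iam = representee_iam
        self.rights = rights   # representer -> set of users they may represent
        self.logged_in = set()
        self.active = {}       # representer -> representee currently represented

    def start_representation(self, representer, user, target, now=None):
        now = time.time() if now is None else now
        if representer not in self.logged_in:
            raise PermissionError("representer is not logged in")
        if user not in self.rights.get(representer, set()):
            raise PermissionError("representer may not represent this user")
        if representer in self.active:
            raise RuntimeError("already representing; end the active representation first")
        self.representee_iam.logout(user)  # terminate any active representee session
        claims = {"representer": representer, "representee": user, "target": target,
                  "exp": now + TICKET_LIFETIME_SECONDS, "nonce": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        ticket = f"{_b64(payload)}.{_sign(payload)}"
        redirect = self.representee_iam.representation_endpoint(ticket, now=now)
        self.active[representer] = user
        return redirect

    def end_representation(self, representer):
        user = self.active.pop(representer, None)
        if user is not None:
            self.representee_iam.logout(user)
```

Create a `RepresenteeIAM`, wrap it in a `RepresenterIAM` with a rights map, add the representer to `logged_in` and call `start_representation`; the returned value is the redirect target, the representee's session records the representer, and a second call without `end_representation` raises, which is the failure case noted in the first step.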
Example URLs to start representation
In the Loginapp REST UI:
https://admin.bank.ch/airlock-iam-int/ui/app/protected/representation/start?user=alice&target=/ebanking
In the JSP-Loginapp:
https://admin.bank.ch/airlock-iam-int/representation/start?user=alice&target=/ebanking