Use Case: Regular end-users as realm administrators

This use case applies to an organization where employees with regular end-user accounts should be able to access the Adminapp as realm administrators.

The solution presented here has the following characteristics:

  • A regular end-user can obtain an SSO ticket that contains both the roles and the realm value for the Adminapp.
  • The Adminapp authenticates the administrator with the SSO ticket and limits the authorization using the roles and realm value from the SSO ticket.
  • To be authorized to obtain the SSO ticket, the user must have at least the useradmin role and may additionally have the tokenadmin role.

Configuration of the target application

Prerequisites

  • The attribute that stores the realm value for both end-users and administrators is named realm.

Instruction

  1. Go to:
     MAIN SETTINGS >> Application Settings >> Target Applications
  2. Create a new Target Application using the Identity Propagator plugin.
  3. Set Default URL to the forward location of the Adminapp.
  4. Set URL Pattern to match the URL of the Adminapp.
  5. Add useradmin as the required role.
  6. The Target Application is now partly configured.

Next: Create an SSO Ticket Identity Propagator

  1. Create and configure an SSO Ticket Identity Propagator.
  2. Set Ticket Lifetime to less than 5 seconds.
  3. Set Forward Location Parameter to Location.
  4. The SSO Ticket Identity Propagator is now pre-configured.

Next: Create a JWT Ticket Encoder

  1. Create and configure a JWT Ticket Encoder.
  2. Set Username Ticket Key to username.
  3. Set Issuer as appropriate, e.g. Airlock IAM.
  4. Set Valid Not Before Skew to 5.
  5. Set the claims stored as an array to two values: roles and realm.
  6. Create and configure a JWT Ticket Signer. Use an HMAC algorithm.
  7. The SSO Ticket Identity Propagator and SSO Ticket Encoder are now configured.

Next: Create a Mapping Ticket Service plugin

  1. Go to the Ticket Identity Propagator.
  2. Create a Mapping Ticket Service plugin.
  3. Create a Mapped Ticket Element plugin.
  4. Configure this Ticket Element plugin for the user roles:
     • Set Ticket Key to roles.
     • Set Value Reference to @roles.
     • Set mandatory to true.
  5. Create a second Mapped Ticket Element plugin.
  6. Configure this Ticket Element plugin for the realm attribute:
     • Set Ticket Key to realm.
     • Set Value Reference to realm.
     • Set mandatory to true.
  7. The Mapping Ticket Service is now configured.

The Target Application configuration is now complete.

Configuration of the Adminapp

Prerequisite

  • None.

Instruction

  1. Go to:
     Adminapp >> Administrators >> SSO Settings
  2. Configure Parameter Name to match the JWT Ticket Encoder.
  3. Set Accept Super Admins as appropriate.
  4. Set Use Roles from Ticket to true.
  5. The SSO Settings are now pre-configured.

Next: Create a JWT Ticket Decoder plugin

  1. Create and configure a JWT Ticket Decoder plugin.
  2. Set Username Ticket Key to username.
  3. The JWT Ticket Decoder is now pre-configured.

Next: Create a Signature Verifier plugin

  1. Create and configure a Signature Verifier plugin.
  2. Configure Algorithm and Key to match the algorithm and key used by the JWT Ticket Encoder.
  3. The JWT Ticket Decoder is now configured.

Next: Create a JWT Ticket Processor

  1. Go to SSO Config.
  2. Create a Context Data Import plugin for the Ticket Processor.
  3. Go to the Ticket Processor.
  4. Create and configure a Key Entry plugin:
     • Set Ticket Key to realm.
     • Set Context Data Key to realm.
  5. The JWT Ticket Processor is now configured.

The SSO Settings are now complete.
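The following is an added example written for this page; it is not Airlock IAM's code or API. It models the ticket that the two procedures above produce and consume: encode_ticket plays the Target Application side (JWT Ticket Encoder with an HMAC Ticket Signer, claims username, roles and realm, Ticket Lifetime under 5 seconds), and decode_ticket plays the Adminapp side (JWT Ticket Decoder with Signature Verifier, both mapped claims mandatory, roles taken from the ticket, useradmin required, realm available for scoping). The shared secret, the timestamps, the HS256 choice and the reading of Valid Not Before Skew as the encoder backdating nbf by 5 seconds are assumptions; the JWT is hand-rolled so the script runs without third-party packages.

```python
# Added example for this page; not Airlock IAM's implementation. Constructed
# secret, claim names and timestamps; HS256 chosen as "an HMAC algorithm".
import base64
import hashlib
import hmac
import json
import time

SHARED_SECRET = b"constructed-demo-secret"   # assumption: the Ticket Signer / Signature Verifier key
ISSUER = "Airlock IAM"                       # issuer value suggested on the page
TICKET_LIFETIME_SECONDS = 4                  # page: Ticket Lifetime less than 5 seconds
NOT_BEFORE_SKEW_SECONDS = 5                  # page: Valid Not Before Skew 5 (assumed: nbf = iat - skew)
MANDATORY_CLAIMS = ("username", "roles", "realm")
ADMIN_ROLES = {"useradmin", "tokenadmin"}    # the only roles the Adminapp cares about


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def encode_ticket(username: str, roles, realm: str, now=None, secret=SHARED_SECRET) -> str:
    """Target Application side: JWT Ticket Encoder plus HMAC Ticket Signer."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "username": username,                  # Username Ticket Key
        "roles": sorted(set(roles)),           # Mapped Ticket Element: roles <- @roles
        "realm": realm,                        # Mapped Ticket Element: realm <- realm
        "iat": now,
        "nbf": now - NOT_BEFORE_SKEW_SECONDS,
        "exp": now + TICKET_LIFETIME_SECONDS,
    }

    def compact(obj) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + _b64url(_sign(signing_input, secret))


def decode_ticket(token: str, now=None, secret=SHARED_SECRET) -> dict:
    """Adminapp side: Signature Verifier, time window, mandatory claims, useradmin check.
    Raises ValueError on any failure; returns the accepted claims otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ticket")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")     # algorithm is fixed by configuration, not by the ticket
    expected = _sign(header_b64 + "." + payload_b64, secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")      # check the signature before trusting any claim
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("payload must be an object")
    for key in MANDATORY_CLAIMS:               # both Mapped Ticket Elements are mandatory
        if key not in claims:
            raise ValueError("missing mandatory claim: " + key)
    if not isinstance(claims.get("nbf"), int) or not isinstance(claims.get("exp"), int):
        raise ValueError("nbf/exp must be integers")
    if now < claims["nbf"]:
        raise ValueError("ticket not yet valid")
    if now >= claims["exp"]:
        raise ValueError("ticket expired")     # short lifetime limits replay of a captured ticket
    if not isinstance(claims["roles"], list):
        raise ValueError("roles must be an array")
    roles = set(claims["roles"]) & ADMIN_ROLES  # Use Roles from Ticket: keep only admin roles
    if "useradmin" not in roles:
        raise ValueError("useradmin role required")
    claims["roles"] = sorted(roles)
    return claims


def is_valid_ticket(token: str, now=None, secret=SHARED_SECRET) -> bool:
    """True if the Adminapp side would accept the ticket."""
    try:
        decode_ticket(token, now, secret)
        return True
    except ValueError:
        return False


def may_administer(claims: dict, target_realm: str) -> bool:
    """Realm scoping: the realm imported into context data must match the realm being administered."""
    return claims["realm"] == target_realm


if __name__ == "__main__":
    t0 = 1_700_000_100                          # constructed timestamp
    ticket = encode_ticket("alice", ["useradmin", "enduser"], "corp", now=t0)
    print(decode_ticket(ticket, now=t0 + 2))
    print("still accepted after the lifetime:", is_valid_ticket(ticket, now=t0 + 5))
```

The non-admin role carried by the end-user account (enduser in the sample) is dropped on the Adminapp side, so only useradmin and tokenadmin from the ticket ever reach the authorization decision, and the realm claim is what the Context Data Import makes available for scoping the administrator to a single realm.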