One-shot vs. redirect flow

Airlock Gateway supports different types of authentication flows:

  • Redirect: the browser is redirected to access Airlock IAM for authentication.
  • One-Shot: the browser is not redirected for authentication.

Please refer to the Airlock Gateway documentation for further information.

Related information can also be found in Interaction models for authentication.

| Topic | One-Shot | Redirect | Remarks |
|---|---|---|---|
| Unauthenticated POST requests | The browser directly receives a 401 response and knows that the data is not processed. The browser re-sends the data after acquiring the Kerberos ticket. No data is lost. | The browser receives a redirect and thinks the data is processed (but it is not). POST data is lost. | POST requests contain data the client wants to send to the server. The kind and amount of data differ depending on the web application. For a ticketing web application, that could be a comment on a ticket. An unauthenticated POST request could occur if a user starts to write a comment in a ticketing system, goes for lunch, the session times out, and after lunch the user submits the comment. |
| Multi-Factor Authentication | Only client certificates can be used as 2nd factor. | All 2nd factors are possible. | |
| Other Self-Services or intermediate pages | No interactive elements are possible. | Possibility to add terms of services, token migrations, or other steps before the user is finally redirected to the target application. | |
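
The unauthenticated POST behaviour described above, as an added example (not Airlock code and not from the Airlock documentation): a constructed stand-in gateway on loopback answers an unauthenticated POST either with 401 and `WWW-Authenticate: Negotiate` (one-shot) or with a 302 (redirect), and Python's `urllib` plays the browser. The paths `/ticket/comment` and `/login`, the sample comment and the placeholder ticket value are assumptions.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

COMMENT = b"comment=fixed+in+build+42"  # constructed sample POST body

def make_gateway(mode):
    """Constructed stand-in gateway; mode is 'one-shot' or 'redirect'."""
    received = []  # POST bodies that actually reached the application
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass
        def reply(self, status, name, value):
            self.send_response(status)
            self.send_header(name, value)
            self.end_headers()
        def do_GET(self):  # hypothetical /login page shown after the redirect
            self.reply(200, "Content-Length", "0")
        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            if self.headers.get("Authorization", "").startswith("Negotiate "):
                received.append(body)  # authenticated: the data is processed
                self.reply(200, "Content-Length", "0")
            elif mode == "one-shot":
                self.reply(401, "WWW-Authenticate", "Negotiate")
            else:
                self.reply(302, "Location", "/login")
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, received

def submit_comment(mode):
    """POST without a session; return (final status seen, bodies processed)."""
    server, received = make_gateway(mode)
    url = f"http://127.0.0.1:{server.server_port}/ticket/comment"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        status = opener.open(urllib.request.Request(url, data=COMMENT)).status
    except urllib.error.HTTPError as err:  # one-shot: explicit 401, nothing processed
        if err.code != 401:
            raise
        ticket = {"Authorization": "Negotiate PLACEHOLDER-TICKET"}  # not a real ticket
        retry = urllib.request.Request(url, data=COMMENT, headers=ticket)
        status = opener.open(retry).status  # re-send the same data
    finally:
        server.shutdown()
        server.server_close()
    return status, received
```

In both modes the client ends on a 200, so only the server-side list shows whether the comment arrived: after the 302 the client follows with a GET that carries no body.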