Step 3 - Configure REST authentication flow for ticket extraction

To use the ticket issued by the Loginapp (JSP) in the Loginapp REST UI for the Airlock 2FA self-services, a REST authentication flow needs to be configured:

  • it extracts the ticket
  • it verifies the JWT signature
  • it authenticates the flow session with the username and the roles from the ticket.

Procedure-related prerequisites

  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.
  • An identity propagation mechanism is configured in the Loginapp REST API and is used by the Loginapp REST API's API Access Control settings to authenticate requests. This is typically a propagator plugin of type REST Identity Propagation. An example setup can be found in the Demo Configuration template.

Add an authentication flow to extract the ticket

  1. Go to:
     Loginapp >> REST API Configuration >> Authentication API Setting
  2. Add a new Target Application plugin to the Applications list. Use the following property values:
       Identifier: Protected SPA Application
       Application ID: New Application ID plugin with ID protected-spa.
       Application Selector: New Regex Application Selector plugin with pattern ^/auth/ui/app/protected/.*$
       Authentication Flow: New Authentication Flow plugin. See below for the detailed configuration.
       Identity Propagation: Add the REST Identity Propagation plugin that authentication flows use to authenticate REST requests (see prerequisites).
  3. To the authentication flow added in the previous step, add a plugin of type SSO Ticket Authentication Step as the only flow step.
  4. Configure the SSO Ticket Authentication Step as follows:
       Ticket Extractors: Plugin of type SSO Cookie Ticket Extractor extracting cookies with the name JSP_TO_SPA_TICKET.
       Ticket Decoder: Plugin of type JWT Ticket Decoder with the following settings:
       Tags on Success: Add a tag that expresses the successful verification of the SSO ticket, i.e., the authentication level provided by the Loginapp (JSP). For example: a tag with Name AIRLOCK2FA_VERIFIED.
       Skip Condition Tags: Configure the same tag as in the Tags on Success property, so the flow step is skipped once it has been processed.
  5. An Authentication & Authorization UI needs to be configured for the authentication flow added before. It makes sure that the Loginapp REST UI triggers the authentication flow if the authorization to use the Airlock 2FA self-service is missing.
     To do so, in Loginapp REST UI >> Authentication UIs, add a plugin of type Authentication & Authorization UI and within it refer to the Target Application ID protected-spa and use a Target URI Resolver that allows redirection to the protected Self-Service URI (i.e. /auth/ui/app/protected/tokens/airlock-2fa/devices).
  6. Activate the configuration add a
  7. The authentication flow is now configured.
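
As an added illustration that is not part of Airlock IAM or this guide, the following Python models what the configured flow does: select the application by the path pattern, extract the ticket from the JSP_TO_SPA_TICKET cookie, verify the JWT signature, set the session's user and roles from the ticket, and add the AIRLOCK2FA_VERIFIED tag so the step is skipped on later requests. The HS256 shared secret, the sub/roles claim names and the session dictionary are assumptions made for this example.

```python
import base64, hashlib, hmac, json, re
from http.cookies import SimpleCookie

COOKIE_NAME = "JSP_TO_SPA_TICKET"                            # SSO Cookie Ticket Extractor
SUCCESS_TAG = "AIRLOCK2FA_VERIFIED"                          # Tags on Success / Skip Condition Tags
APP_SELECTOR = re.compile(r"^/auth/ui/app/protected/.*$")    # Regex Application Selector
SHARED_SECRET = b"constructed-example-secret"                # assumption: HS256 key, constructed

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_ticket(claims: dict) -> str:
    """Stand-in for the issuing side: an HS256-signed JWT carrying the user's claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def extract_ticket(cookie_header: str):
    """SSO Cookie Ticket Extractor: return the ticket from the named cookie, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None

def decode_ticket(token: str) -> dict:
    """JWT Ticket Decoder: verify the signature before any claim is trusted."""
    header_b64, body_b64, sig_b64 = token.split(".")      # ValueError unless three parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")                # rejects 'none' and algorithm swaps
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))

def sso_ticket_step(session: dict, path: str, cookie_header: str) -> dict:
    """SSO Ticket Authentication Step, the only step of the protected-spa flow."""
    if not APP_SELECTOR.match(path):
        raise ValueError("request does not select application protected-spa")
    if SUCCESS_TAG in session.get("tags", set()):        # Skip Condition Tags: already verified
        return session
    token = extract_ticket(cookie_header)
    if token is None:
        raise ValueError("no SSO ticket cookie")
    claims = decode_ticket(token)                         # signature checked here
    session.update(user=claims["sub"], roles=list(claims.get("roles", [])))   # assumed claim names
    session.setdefault("tags", set()).add(SUCCESS_TAG)   # Tags on Success
    return session
```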

Verify the configuration

To verify the configuration, you may do the following:

  • Make sure your browser does not have an authenticated session. Terminate any existing session using the logout URL https://##External_FQDN_IAM##/auth/logout.
  • Open the URL https://##External_FQDN_IAM##/auth/ui/app/protected/tokens/airlock-2fa/devices
  • You should be prompted for login and - after successful authentication - the Airlock 2FA device list should be displayed.

Additionally, the Loginapp log files may be used for verification and troubleshooting. The following log statements are relevant:

  • Selection of target application in Loginapp REST API and start of authentication flow:

    Selecting application "protected-spa" matching location "/auth/ui/app/protected/tokens/airlock-2fa/devices?lang=de"
    Application Access for ID 'protected-spa': Preparing first flow

  • Success of authentication flow:

    uid:jdoe - User 'jdoe' is successfully authenticated by 'SSO_TICKET' and is authorized to access application 'protected-spa'.
    Flow succeeded, user is authorized to access application "protected-spa"

  • Redirection to Airlock 2FA self-service URL in the Loginapp REST UI:

    Redirecting user to follow page "https://##External_FQDN_IAM##/auth/ui/app/protected/tokens/airlock-2fa/devices?lang=en"