Use Case – Step-up with SSO ticket

The configuration for the SSO ticket use case is based on the use cases for weak-app and strong-app but it requires additional configuration.

  • The SSO ticket needs to be configured.
  • The strong authentication flow needs to be flexible enough to handle both authentication scenarios, with and without an SSO ticket.

Resource endpoint configuration (SSO ticket)

  1. Go to:
     Loginapp >> OAuth 2.0/OpenID Connect AS Settings >> Authorization Servers >> {{AS-Id}} >> Resource Endpoint
  2. Create and edit an OAuth 2.0 Resource (AS-centric) plugin with:
     • Resource Name: a name that will be used in the URL to access the resource.
     • Resource Providers: create and edit an OAuth 2.0 SSO Ticket Resource (AS-centric) plugin.
     • Optionally configure Resource Scopes to limit access.
  3. The resource endpoint will return SSO tickets.

login_hint configuration

  1. Go to:
     Loginapp >> OAuth 2.0/OpenID Connect AS Settings >> Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code Flow
  2. In the section Flow Settings, configure an OIDC SSO Ticket Login Hint Flow Settings plugin in the Login Hint parameter.

SSO ticket processing in the authentication flow

  1. Go to:
     Loginapp >> Authentication Flows >> Applications >> {{Target Application}} >> Authentication Flow
  2. Replace the initial Username Password Authentication Step with a Selection:
     • Selection Option 1: configure an SSO Ticket Authentication Step with a Request has SSO Ticket condition.
     • Selection Option 2: configure the Username Password Authentication Step with a Logical NOT of Request has SSO Ticket condition.
  3. With this configuration, the flow selects the correct authentication method without user interaction.

Example use case

This use case continues after the successful authentication to strong-app in the previous use case.

Obtain an SSO ticket

  1. Obtain an SSO ticket from the SSO ticket resource.

     Resource access Request for SSO ticket

     GET https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/resources/sso-ticket
      Authorization: Bearer eyJraWQ...RNLJs9_3-Vw

  2. This resource will respond with the requested SSO ticket:

     Resource access Response with SSO ticket

     200 OK
     {
         "sso-ticket": "eyJ0eXAiOi..._exxL0k4Xnw"
     }

Start authentication with SSO ticket

  1. The authorize call is started with the login_hint, prompt and acr_values parameters:
     • prompt=login forces the authorization server to de-authenticate the user before continuing.
     • login_hint allows the authorization server to try to authenticate the user from the information provided.
     • acr_values instructs the authorization server on the required quality of the authentication flow.

     Authorization request with SSO ticket

     GET https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?response_type=code&
      redirect_uri=https://app.airlock.com/function&
      client_id=oidc-client&
      scope=openid&
      login_hint=eyJ0eXAiOi..._exxL0k4Xnw&
      prompt=login&
      acr_values=strong-acr&
      state=ee26b0dd4a...28a8ff

  2. As a result, the SSO ticket is accepted in the authentication flow and the first login screen for username and password is skipped.
  3. After this point, the authentication flow continues normally. After successful authentication, the authorization code flow continues:
     • The server redirects the browser to the redirect_uri, supplying the code and state parameters.
     • The client makes the authenticated call to the token endpoint to obtain the access, refresh, and ID tokens.
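The client side of the exchange above, as an added example (not Airlock IAM code and not part of the original page): it parses the SSO ticket resource response, builds the step-up authorize request with login_hint, prompt=login and acr_values, and checks the redirect back to redirect_uri before accepting the authorization code. The host names, client_id and redirect_uri are taken from the requests shown above; the tickets and state values are constructed placeholders, and the surrounding HTTP transport is assumed to be handled by the caller.

```python
"""Step-up with SSO ticket: client-side request building and callback checks.

Added example, not Airlock IAM code. Endpoint paths, client_id and
redirect_uri follow the requests on the page; everything else is assumed.
"""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AS_BASE = "https://oidc.airlock.com/auth-login"     # host and base path from the page
AS_ID = "myAS"                                      # {{AS-Id}} from the page
REDIRECT_URI = "https://app.airlock.com/function"   # from the page
CLIENT_ID = "oidc-client"                           # from the page


def sso_ticket_resource_url() -> str:
    """URL of the OAuth 2.0 SSO Ticket Resource (AS-centric) endpoint."""
    return f"{AS_BASE}/rest/oauth2/authorization-servers/{AS_ID}/resources/sso-ticket"


def extract_sso_ticket(status: int, body: str) -> str:
    """Parse the resource response; the ticket is the "sso-ticket" JSON member."""
    if status != 200:
        raise RuntimeError(f"SSO ticket resource returned HTTP {status}")
    ticket = json.loads(body).get("sso-ticket")
    if not isinstance(ticket, str) or not ticket:
        raise RuntimeError("response carries no sso-ticket")
    return ticket


def new_state() -> str:
    """Fresh unguessable state; the client stores it in the user's session."""
    return secrets.token_hex(16)


def build_step_up_authorize_url(sso_ticket: str, acr: str, state: str) -> str:
    """Authorize request for the strong flow.

    login_hint carries the SSO ticket, prompt=login forces the AS to
    de-authenticate first, acr_values names the required strength.
    """
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "scope": "openid",
        "login_hint": sso_ticket,
        "prompt": "login",
        "acr_values": acr,
        "state": state,
    }
    return f"{AS_BASE}/oauth2/v3/{AS_ID}/authorize?" + urlencode(params)


def handle_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect to redirect_uri and return the authorization code.

    The callback must land on the registered redirect_uri, echo the state
    the client sent (rejecting injected or replayed codes), carry no error,
    and contain exactly one code.
    """
    parts = urlsplit(redirect_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise RuntimeError("callback arrived at an unexpected URI")
    query = parse_qs(parts.query)
    got_state = query.get("state", [""])[0]
    if not hmac.compare_digest(got_state, expected_state):
        raise RuntimeError("state mismatch")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise RuntimeError("no authorization code in callback")
    return codes[0]


if __name__ == "__main__":
    # Constructed sample values standing in for the real exchange.
    ticket = extract_sso_ticket(200, '{"sso-ticket": "CONSTRUCTED_TICKET"}')
    state = new_state()
    print(build_step_up_authorize_url(ticket, "strong-acr", state))
    print(handle_callback(f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}", state))
```

The state check is what ties the authorization code returned by the AS to the session that started the step-up; a callback with a different or missing state is dropped rather than exchanged at the token endpoint.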