SSO ticket authentication in the Loginapp REST API

SSO tickets can be used to authenticate users in the Loginapp REST API.

Consider the security recommendations in Single sign-on (SSO) ticket authentication.

SSO Ticket Authentication Step

The SSO Ticket Authentication Step plugin is used to extract an SSO ticket from the request, validate it, identify the user, and issue tags in the authentication session.

The most important configuration settings are:

Table: Most important configuration properties (excerpt)
Property	Description
Ticket Extractors	Defines how the SSO ticket is extracted from the request. The ticket can be in the HTTP header, an HTTP cookie, or sent to IAM by the Loginapp REST UI.
Ticket Decoder	The decoder plugin decodes the ticket string and verifies it. Typically, a JWT Ticket Decoder plugin is used. Make sure to use and verify digital signatures and optionally encryption in production environments.
Ticket Tag Extractors	Tags may be stored in the authentication flow session based on elements in the ticket. Note that these tags are granted in addition to the ones specified in property Tags On Success.

Simple authentication flow

To configure an authentication flow that authenticates users with SSO tickets, do the following:

Go to:
Loginapp >> Authentication Flows >> Applications >> Target Application (create a new one if required)
In the target application's Authentication Flow, add an SSO Ticket Authentication Step as the first step.
Configure the SSO Ticket Authentication Step as required.
Optionally add other authentication steps after the SSO Ticket Authentication Step (e.g. 2nd factor, terms of services, or alike).
Users can now be authenticated by sending an SSO ticket.

The following example HTTP request to access the application with id sso-token-test bears an SSO ticket in the HTTP header X-Logon-Token. It works with the SSO Header Ticket Extractor plugin and the JWT Ticket Decoder plugin (JWT ticket is truncated).

POST https://www.airlock.com/auth-login/rest/public/authentication/applications/sso-ticket-test/access
 
X-Logon-Token: eyJhbGciOiJI…

Make sure the HTTP header bearing the SSO token, e.g. X-Logon-Token, is in the Allow List of your Airlock Gateway.

The required HTTP header has to be added on the corresponding mapping(s) under:
tab Request Actions >> Allow List >> Additional allowed headers.

Combined authentication flow

A typical application of the SSO Ticket Authentication Step is to accept SSO tickets as an alternative to interactive authentication. In other words, the SSO ticket is only used if it is present in the request.

To do so, configure the following flow:

Go to:
Loginapp >> Authentication Flows >> Applications >> Target Application (create a new one if required)
In the target application's Authentication Flow, add a Selection Step as the first step.
In the list of Available Options, add a Selection Option with the following settings.

-In the list of steps, configure the SSO Ticket Authentication Step (see simple flow above for details).
-As Condition, configure the Request Has SSO Ticket.

As Fallback Flow (in the Selection Step), configure the flow to be used if no SSO ticket is available in the request. This could be, for example, a Username Password Authentication Step.
Users can now be authenticated by either presenting a valid SSO ticket or passing the alternative flow steps (e.g. enter username and password).