Identity propagation configuration in the Loginapp REST API

This section explains how identity propagation is configured in the Loginapp REST API (used by the Loginapp REST UI).

Instruction

  1. Go to:
    Loginapp >> Authentication Flows >> <select application> >> Authentication Flow
  2. Add one or more identity propagator plugins to the list Identity Propagation. The identity propagators are processed in the defined order.
  3. Use the property Username To Propagate Provider to define which piece of information is provided to the configured identity propagator(s) as the username. Depending on the target application's needs, this may also be a different user property, or the value may have to be transformed in some way. Note that this property is not used for OAuth/OIDC target applications.
  4. Where possible, it is recommended to use the plugin Generic Identity Propagator.

Available Identity propagators

The Loginapp REST API supports the following identity propagator plugins (more may be added in newer versions - please check the available plugins in the Config Editor).

Identity propagator plugin

Purpose

Generic ID Propagator

This is the most flexible general-purpose identity propagator providing the largest number of identity attributes.

The Generic ID Propagator supports:

  • Numerous value providers that make attributes available for inclusion in the ID.
  • Numerous ticket string providers that define how identity attributes are represented in a ticket string.
  • Encoders (UTF-8, base-64).
  • Ticket adders that define how to transport the ticket to the target application (including the plugin SPA Forward Location Parameter Adder, which makes the Loginapp REST UI append an SSO ticket to the target URL).

See The Generic ID Propagator plugin for details.

Legacy ID Propagation Adapter

This adapter allows using a number of older identity propagator plugins from the JSP-Loginapp:

  • HTTP Basic Auth Identity Propagator
  • Kerberos Identity Propagator
  • NTLM Identity Propagator (deprecated)
  • SAML Assertion Cookie Identity Propagator
  • Cookie Ticket Identity Propagator*
  • Plain Cookie Identity Propagator*
  • Username Cookie Identity Propagator*
  • HTTP Header Identity Propagator*
  • HTTP Response Header Identity Propagator*

Instead of using the plugins marked with *, use the Generic ID Propagator.

The legacy adapter can also be used for custom identity propagators that have been written for the JSP-Loginapp (and implement the marker interface RestIdentityPropagator).

Loginapp Session Update ID Propagator

This identity propagator updates the session information of the JSP-Loginapp and may be used in hybrid setups where both the Loginapp REST UI and the JSP-Loginapp are required.

Note that the JSP-Loginapp has been deprecated. This plugin is only supported as long as the JSP-Loginapp is.

OAuth 2.0/OIDC ID Propagator

This identity propagator is used to finish the OAuth/OIDC authorization code grant flow. It is only used if the authentication flow was started with an OAuth/OIDC authorization code grant.

Target URI ID Propagator

Allows transforming the target URI (the URI of the application the user originally tried to access before being redirected to the login application) and sending it to the REST client in an HTTP header.

This propagator is usually used in combination with other identity propagators (as it does not itself propagate the identity).

Every identity propagator can be configured with a condition. Each identity propagator in the list is only used if its condition is met.