User representation flow diagrams

This section describes how the involved systems interact for the most important flows.

Note that in the following flows the representer is always authorized to represent a user.

Also, note that the redirect locations set with the Location parameter must be accepted by the Loginapp's Security Settings. Ensure that all URLs match the allowed forward location patterns in both the representer Loginapp and the representee Loginapp Security Settings.

Start representation (flow diagram)

The following flow diagram shows the different systems involved when starting representation.

Prerequisites:
  • The representer is logged in.
  • The representer has the right to represent the representee.

The flow diagram does not show all HTTP requests and responses but gives a conceptual view.

[Flow diagram: UserRepresentation_Scenario_StartRepresentation]
  1. Representation normally starts from the representer's internal application, where a list of representable users is available as HTTP links. Each link points to the start-representation URI on the representer Loginapp (/airlock-iam-int). The endpoint expects two parameters: the user to represent and the target application to which the representer should be redirected. The names of both parameters are configurable.
    Note that this step fails if the representer is already representing an end-user. In this case, the active representation session has to be ended first.
  2. When starting representation, Airlock IAM always terminates possible active representee sessions. This is achieved by sending a logout request to the representee IAM.
  3. The representer IAM creates an SSO ticket and sends it to the representation end-point of the representee IAM, where it is validated and authenticates the representee. The ticket also carries information about the representer, so that this can be logged or propagated to the target application.
  4. If the SSO ticket is valid, the representee is logged in and redirected to the representee target application.

Example URL to start representation

In the Loginapp UI:
https://admin.bank.ch/airlock-iam-int/ui/app/protected/representation/start?user=alice&target=/ebanking

Stop representation (flow diagram)

The following flow diagram shows the different systems involved when stopping representation.

Prerequisites:
  • The representer is logged in.
  • The representer has the right to represent the representee.

Note that the flow diagram does not show all HTTP requests and responses but gives a conceptual view.

[Flow diagram: UserRepresentation_Scenario_StopRepresentation]
  1. To stop a representation session, the stop-representation end-point on the representer Loginapp (/airlock-iam-int) is called. If the representer wants to be redirected back to the internal application, a corresponding Location parameter can be added to the endpoint's URI. If the Location parameter is omitted, the representer will see the logout page of the representee Loginapp.
  2. The representer Loginapp sends a logout request to the representee Loginapp together with the Location parameter (if present).
  3. After terminating the representee session, the representee Loginapp redirects the browser back to the representer application (or other location if specified by the Location parameter).

Example URL to stop representation

In the Loginapp UI:
https://admin.bank.ch/airlock-iam-int/ui/app/protected/representation/stop?Location=/representer-application

Logout by representer - flow diagram

The following flow diagram shows how the different systems are involved when the representer logs out while representing a representee.

Prerequisites:
  • The representer is logged in.
  • The representer has the right to represent the representee.

Note that the flow diagram does not show all HTTP requests and responses but gives a conceptual view.

[Flow diagram: UserRepresentation_Scenario_LogoutByRepresenter]
  1. The representer logs out of the representer Loginapp. If a representee is being represented at that moment, the representee session is terminated as well.
  2. The representer Loginapp checks if there is an open representee session. If so, it calls the logout endpoint on the representee Loginapp.
  3. The representee session is terminated and the browser is redirected back to the representer Loginapp's logout disclaimer page.
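The three flows above (start, stop, logout by representer) and the allowed-forward-location check from the introduction, as an added example that models them in a small simulation; this is not Airlock IAM code. The allow-list patterns, the session bookkeeping, the SSO-ticket dictionary and the logout page names are constructed assumptions; the real Security Settings pattern syntax and endpoints may differ.

```python
import re

# Constructed stand-in for the "allowed forward location patterns" of both
# Loginapps' Security Settings; the real pattern syntax is an assumption here.
ALLOWED_FORWARD_PATTERNS = [r"^/ebanking(/.*)?$", r"^/representer-application(/.*)?$"]

def location_allowed(location):
    # Only relative paths on the allow-list pass; absolute URLs and "//host" are rejected.
    if "://" in location or location.startswith("//"):
        return False
    return any(re.match(p, location) for p in ALLOWED_FORWARD_PATTERNS)

class RepresenteeLoginapp:
    def __init__(self):
        self.sessions = set()                # representees currently logged in
    def logout(self, user):
        self.sessions.discard(user)
    def representation_login(self, ticket):  # validates the SSO ticket (step 3 of "start")
        if not ticket.get("valid"):
            raise PermissionError("invalid SSO ticket")
        self.sessions.add(ticket["representee"])   # ticket also names the representer

class RepresenterLoginapp:
    def __init__(self, representee_app, rights):
        self.app = representee_app
        self.rights = rights                 # representer -> set of representable users
        self.logged_in = set()
        self.representing = {}               # representer -> active representee

    def start(self, representer, user, target):
        if representer not in self.logged_in or user not in self.rights.get(representer, ()):
            raise PermissionError("not logged in or not authorized to represent this user")
        if representer in self.representing:
            raise RuntimeError("already representing; stop the active session first")
        if not location_allowed(target):
            raise ValueError("target not accepted by the allowed forward location patterns")
        self.app.logout(user)                                        # step 2: end old sessions
        self.app.representation_login({"valid": True, "representee": user, "representer": representer})
        self.representing[representer] = user
        return target                                                # step 4: redirect target

    def stop(self, representer, location=None):
        if location is not None and not location_allowed(location):
            raise ValueError("Location not accepted by the allowed forward location patterns")
        self.app.logout(self.representing.pop(representer))         # step 2: representee logout
        return location or "representee-logout-page"                 # step 3: redirect

    def logout(self, representer):
        if representer in self.representing:                         # step 2: open representee session?
            self.app.logout(self.representing.pop(representer))
        self.logged_in.discard(representer)
        return "representer-logout-disclaimer-page"                  # step 3: redirect
```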