When the representation starts, the authenticity of the representee is based on the authenticity of the representer.
The representee's identity is then forwarded to the representee's Loginapp using an SSO ticket. Since the forwarding of the ticket is implemented as an HTTP redirect that includes a round trip to the representer's browser (which is necessary in order to create an additional session in the Airlock Gateway), the ticket must be encrypted and/or signed. This is done by a Ticket Encoder plugin.
We strongly recommend using the JWT Ticket Encoder with adequate signing and encryption settings.
If the representee authentication fails, a representation denied page is shown explaining the reason.