Identity propagation in user representation

After the SSO ticket containing the representee's identity has been received by the representee's Loginapp, the identity is propagated to the representee application using the configured identity propagator. In addition to the representee's identity, the identity propagator also has the possibility to transport information expressing the fact that the user is currently represented. This is done by adding the representer's ID to the propagated identity information.

Representer ID

By default, the representer's ID is the login username. Typical representee applications will need to map the representer's ID to the corresponding user in the database, for example, to retrieve the representer's first and last name and to display the representer's full name in the user interface.

Alternatively, Airlock IAM can send a context data field of the represented to the represented application.

Representer ID propagation

Generally, the Loginapp forwards the representer ID to the configured identity propagator as a parameter REPRESENTER_ID but, depending on the ID propagator plugin, a different parameter name must be used.

Read the ID propagator's plugin documentation in the Config Editor to see how to propagate the represented ID.

Examples:

Identity propagator

Representer ID propagation

Generic Identity Propagation >> Ticket String Provider >> User Identity Map

The represented ID is available as attribute representer-user-id.

SSO Ticket Identity Propagator

The ticket contains an attribute with the name representerId.

SAML Assertion Cookie Identity Propagator

Register custom attribute as @info:REPRESENTER_ID.