SSO tickets can be used to authenticate users in the Loginapp REST API.
Consider the security recommendations in Single sign-on (SSO) ticket authentication.
The SSO Ticket Authentication Step plugin is used to extract an SSO ticket from the request, validate it, identify the user, and issue tags in the authentication session.
The most important configuration settings are:
| Property | Description |
|---|---|
| Ticket Extractors | Defines how the SSO ticket is extracted from the request. The ticket can be in the HTTP header, an HTTP cookie, or sent to IAM by the Loginapp UI. |
| Ticket Decoder | The decoder plugin decodes the ticket string and verifies it. Typically, a JWT Ticket Decoder plugin is used. Make sure to use and verify digital signatures and optionally encryption in production environments. |
| Accepted SSO Tickets Repository | Specifies where to store successfully accepted SSO tickets. The "used" tickets are stored in order to prevent replay attacks. See security note below. |
| Ticket Tag Extractors | Tags may be stored in the authentication flow session based on elements in the ticket. Note that these tags are granted in addition to the ones specified in property Tags On Success. |
Security Implications of SSO Ticket Repository Choice
All successfully accepted SSO tickets are stored in order to prevent replay attacks.
There are two possibilities to store SSO tickets:
It is highly recommended to use the Persistent Accepted SSO Tickets Repository for production.
To configure an authentication flow that authenticates users with SSO tickets, do the following:
The following example HTTP request to access the application with id sso-token-test bears an SSO ticket in the HTTP header X-Logon-Token. It works with the SSO Header Ticket Extractor plugin and the JWT Ticket Decoder plugin (JWT ticket is truncated).
```http
POST https://www.airlock.com/auth-login/rest/public/authentication/applications/sso-ticket-test/access
X-Logon-Token: eyJhbGciOiJI…
```
Make sure the HTTP header bearing the SSO token, e.g. X-Logon-Token, is in the Allow List of your Airlock Gateway.
The required HTTP header has to be added on the corresponding mapping(s) in tab Request Actions >> Allow List >> Additional allowed headers.
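To show what the SSO Ticket Authentication Step does end to end, here is an added Python example (not Airlock code): it extracts the ticket from the X-Logon-Token header, verifies an HS256 JWT, rejects expired tickets, records the ticket id in a stand-in accepted-tickets repository so a second presentation is refused as a replay, and turns a roles claim into session tags. The shared key, the claim names jti/roles and the in-memory repository are assumptions for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"  # constructed demo key, not a real issuer key

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_ticket(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256-signed JWT; only used here to build sample tickets."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

class AcceptedTicketsRepository:
    """Stand-in for the accepted SSO tickets repository (in-memory set of ticket ids)."""
    def __init__(self):
        self._seen = set()

    def accept(self, ticket_id: str) -> bool:
        if ticket_id in self._seen:
            return False  # already accepted once: treat as replay
        self._seen.add(ticket_id)
        return True

def authenticate(headers, repo, key=SECRET, now=None):
    """Extract, verify and consume the ticket; return (user, tags) or None."""
    ticket = headers.get("X-Logon-Token")  # header ticket extractor
    if not ticket or ticket.count(".") != 2:
        return None
    header, body, sig = ticket.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # refuse unexpected algorithms such as "none"
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # signature does not verify
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None  # expired ticket
    if "jti" not in claims or not repo.accept(claims["jti"]):
        return None  # unidentifiable ticket or replay of an accepted one
    tags = set(claims.get("roles", []))  # ticket tag extractor: roles claim -> tags
    return claims.get("sub"), tags
```

Swapping the in-memory set for a persistent store is what the Persistent Accepted SSO Tickets Repository buys you: the replay check survives restarts and is shared across instances.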
A typical application of the SSO Ticket Authentication Step is to accept SSO tickets as an alternative to interactive authentication. In other words, the SSO ticket is only used if it is present in the request.
To do so, configure the following flow: