Identity propagation transports authenticated identities to protected applications. Overall security greatly depends on the security of identity propagation (especially in cross-domain SSO scenarios).
Protect against internal threats.
- Unprotected "identity tickets" (e.g. plain username cookies or headers) allow any entity that can communicate directly with the target application to impersonate any user.
- Sign and/or encrypt "identity tickets" (e.g. with the "JWT Ticket Encoder") and verify their authenticity in the target application before trusting the identity they carry.
Favor internal over external identity propagation.
- Internal identity propagation: identity information does not leave the trusted zone and is transported via the Airlock Gateway session store (HTTP cookies, headers, Basic Authorization, Kerberos, ...)
- External identity propagation: identity information is transported via the browser. This type is only required for cross-domain SSO (single sign-on) and should not be used in other cases.
Use "IAM SSO Tickets" with care.
- IAM SSO (single sign-on) tickets provide an easy way to exchange identity information between any two IAM instances (even across multiple domains).
- IAM SSO tickets must be cryptographically protected (e.g. using the "JWT Ticket Encoder") with strong key material.
- IAM SSO tickets are transported via the browser (external identity propagation).
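The following is an added example, not Airlock's own code, illustrating the two points above about protecting identity tickets: an unprotected username header that a target application simply trusts, contrasted with an HS256-signed JWT-style ticket that the application verifies (signature, pinned algorithm, issuer, expiry) before accepting the user. The secret, issuer name, header names and user names are constructed sample values; the ticket encoder here is a stand-in built on the Python standard library rather than the product's "JWT Ticket Encoder".

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values. A real ticket encoder uses a strong random key
# shared only with the verifying application (or an asymmetric key pair).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "iam-demo"           # hypothetical issuer name
TICKET_HEADER = "X-Identity-Ticket"    # hypothetical header carrying the signed ticket


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def naive_app_user(headers: dict) -> Optional[str]:
    """Unprotected propagation: the application trusts a plain username header.
    Anyone who can reach the application directly decides who they are."""
    return headers.get("X-Remote-User")


def encode_ticket(username: str, *, secret: bytes = SHARED_SECRET,
                  now: Optional[int] = None, ttl: int = 300) -> str:
    """Issue an HS256-signed JWT-style ticket with issuer and a short expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iss": EXPECTED_ISSUER, "iat": now, "exp": now + ttl}
    parts = [_b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_ticket(token: str, *, secret: bytes = SHARED_SECRET,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the authenticated username, or None if the ticket is not trustworthy.
    The signature is checked before any claim is trusted; the algorithm is pinned."""
    now = int(time.time()) if now is None else now
    pieces = token.split(".")
    if len(pieces) != 3:
        return None
    header_b64, payload_b64, sig_b64 = pieces
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Never let the token choose the algorithm (rejects "none" and key confusion).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        return None
    if not isinstance(payload, dict) or payload.get("iss") != EXPECTED_ISSUER:
        return None
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    sub = payload.get("sub")
    return sub if isinstance(sub, str) and sub else None


def protected_app_user(headers: dict, *, now: Optional[int] = None) -> Optional[str]:
    """The hardened application: the identity comes only from a verified ticket."""
    return verify_ticket(headers.get(TICKET_HEADER, ""), now=now)


def demo(now: int = 1_700_000_000) -> dict:
    """Run the contrast at a fixed clock and return the outcomes for inspection."""
    ticket = encode_ticket("alice", now=now)
    # Re-use alice's signature on a payload claiming "admin": verification must fail.
    head, _, sig = ticket.split(".")
    forged_payload = _b64url_encode(json.dumps(
        {"sub": "admin", "iss": EXPECTED_ISSUER, "iat": now, "exp": now + 300},
        separators=(",", ":")).encode())
    return {
        "naive_accepts_forged_header": naive_app_user({"X-Remote-User": "admin"}),
        "valid": protected_app_user({TICKET_HEADER: ticket}, now=now + 10),
        "tampered": protected_app_user({TICKET_HEADER: f"{head}.{forged_payload}.{sig}"}, now=now + 10),
        "wrong_key": verify_ticket(ticket, secret=b"other-key", now=now + 10),
        "expired": protected_app_user({TICKET_HEADER: ticket}, now=now + 300),
        "garbage": protected_app_user({TICKET_HEADER: "not.a.ticket"}, now=now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks in `verify_ticket` is the point: the signature is validated against a pinned algorithm before any claim in the payload is read, and issuer plus expiry are then enforced so that a ticket meant for another verifier, or replayed later, is rejected. Short lifetimes matter most for externally propagated tickets (IAM SSO tickets), because those pass through the browser.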