Use Case: Regular end-users as realm administrators
This use case applies to an organization where employees with regular end-user accounts shall be enabled to access the Adminapp as realm administrators.
The solution presented here has the following characteristics:
- The solution allows a regular end-user to obtain an SSO ticket that contains both roles and the realm value for the Adminapp.
- The Adminapp authenticates the administrator with the SSO ticket and limits access using the roles and the realm value from the SSO ticket.
- For an end-user to be authorized to obtain the SSO ticket, the user must have at least the useradmin role and may have the tokenadmin role.
Configuration of the target application
Prerequisites
- The attribute to store the realm value for both end-users and administrators is named realm.
Instruction
- Go to: Loginapp >> Applications and Authentication
- Create a new Target Application and add it to the Applications list.
- Configure the target application as required: configure or choose an authentication flow, and create an application ID (used in the UI settings below).
- Configure an Application Selector such that the URL of the Adminapp matches the selector. This ensures that the target application is selected when a user tries to access the Adminapp.
- To the Identity Propagation list, add a Generic ID Propagator plugin and configure it as follows:
  - Use a Ticket String Provider plugin with a JWT Ticket Encoder plugin in order to create a JWT.
  - Set Username Ticket Key to username.
  - Set Issuer as appropriate, e.g. Airlock IAM.
  - Set Valid Not Before Skew to 5.
  - Set claims stored as an array with two values: roles and realm. The roles are taken from the end-user's roles (using @roles as value reference) and the realm from the context data attribute bearing the realm.
  - Create and configure a JWT Ticket Signer. Use an HMAC algorithm.
  - As Ticket Adder use the SPA Forward Location Parameter Adder. It sends the JWT ticket to the Loginapp UI so that the UI can pass it on to the Adminapp.
- Go to: Loginapp >> UI Settings
- Add an Authentication UI referring to the above target application by selecting the corresponding application ID.
- Add a Target URI Resolver plugin and define the default URL of the Adminapp, e.g. https://myhost.com/auth-admin/.
- The Target Application is now configured.
Configuration of the Adminapp
Prerequisite
- none
Instruction
- Go to: Adminapp >> Administrators >> SSO Ticket Authentication
- Configure Query Parameter Name to match the parameter name of the Ticket Adder configured in the Loginapp (see above). The default value is sso.
- Configure a JWT Ticket Decoder such that it can decode JWT tickets issued by the Loginapp (i.e. with the same HMAC algorithm and shared secret as the JWT Ticket Signer).
- Configure Username Key and Roles Key such that they match the keys used when issuing the JWT in the Loginapp.
- Set Roles Blocklist as appropriate (e.g. to disallow the superadmin role if required).
- To the Ticket Processors list, add a Context Data Import Ticket Processor to import the realm attribute.
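The two halves of the configuration above (Loginapp issues an HMAC-signed JWT carrying username, roles and realm; Adminapp decodes it, applies the Roles Blocklist and imports the realm) are modelled below in plain Python. This is an added illustration written for this page, not Airlock IAM code, and it makes the following assumptions: the HMAC algorithm is HS256, "Valid Not Before Skew" moves the nbf claim that many seconds into the past, a blocklisted role is dropped from the ticket rather than causing the whole ticket to be rejected, and the shared secret and sample users are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. In a real deployment the secret is the one
# configured on the JWT Ticket Signer (Loginapp) and JWT Ticket Decoder (Adminapp).
SHARED_SECRET = b"example-shared-secret-do-not-use"
ISSUER = "Airlock IAM"             # the Issuer value from the target application config
VALID_NOT_BEFORE_SKEW = 5          # seconds; assumed to move "nbf" into the past by this amount
ROLES_BLOCKLIST = ("superadmin",)  # the Roles Blocklist example from the Adminapp config


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(username: str, roles, realm: str, now=None) -> str:
    """Loginapp side: build the SSO ticket described above (username, roles and realm
    claims, issuer, nbf with skew) and sign it with HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "nbf": now - VALID_NOT_BEFORE_SKEW,
        "username": username,   # Username Ticket Key
        "roles": list(roles),   # the @roles value reference
        "realm": realm,         # the realm context data attribute
    }
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_ticket(token: str, now=None) -> dict:
    """Adminapp side: verify the pinned algorithm, HMAC signature, issuer and nbf before
    trusting any claim. Raises ValueError for anything that must not be accepted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ticket")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm to what the signer is configured with; never let the token choose.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if int(claims.get("nbf", 0)) > now:
        raise ValueError("ticket not yet valid")
    for key in ("username", "roles", "realm"):   # Username Key, Roles Key, realm import
        if key not in claims:
            raise ValueError(f"missing claim: {key}")
    return claims


def authorize_admin(claims: dict):
    """Apply the Roles Blocklist and the rule that at least the useradmin role is required.
    Returns (username, realm, effective_roles) or raises PermissionError.
    Assumption: blocklisted roles are dropped from the ticket rather than rejecting it."""
    roles = [r for r in claims["roles"] if r not in ROLES_BLOCKLIST]
    if "useradmin" not in roles:
        raise PermissionError("useradmin role required for Adminapp access")
    return claims["username"], claims["realm"], roles


if __name__ == "__main__":
    ticket = issue_ticket("alice", ["useradmin", "tokenadmin", "superadmin"], "realm-a")
    print(authorize_admin(decode_ticket(ticket)))   # superadmin is filtered out
```

The order of checks in decode_ticket is the part worth copying into any custom verifier: algorithm pinned, signature verified with a constant-time comparison, then issuer and nbf, and only then are username, roles and realm read. The realm value that reaches the Adminapp is therefore always the one the Loginapp signed, which is what makes delegating realm administration to a regular end-user account safe.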