Non-recommended use cases for configuration contexts

 
Notice

The following use cases are not recommended but are known to work in controlled setups. Keep in mind the following, when implementing them:

  • The configuration context extraction is not independent of the HTTP request's IAM URI (e.g. login page, check-login URL, OAuth end-point, or step-up authentication).
  • You must take great care, that IAM is only accessed through entry points (IAM URIs) that support the specific context extraction
  • You must ensure that accessing other entry points (IAM URIs) results in a meaningful default context and that IAM works (or fails) securely with that default context.
  • Improper usage of configuration context may result in unwanted or insecure IAM setups.
 
Functional limitation

The listed use cases do not work with the Loginapp REST API (and therefore also Loginapp UI) because it does not support context retention policies.

 
Info

Evolving IAM configuration

Before implementing one of the use cases (or something similar), also consider how the IAM configuration may possibly evolve in the future:

Use-Case

Description / Example

Recommendations / Remarks

NU1:

Parameter-based Context Extraction

The context is determined by inspecting an arbitrary HTTP parameter.

Examples:

  • Pass a context parameter as a query parameter with a GET request.
  • Look at an IAM parameter of an HTTP request (e.g. in HTML form POSTs.)
  •  
    Functional limitation

    Support for this use case in the Loginapp REST API (and therefore Loginapp UI) is very limited.

  • The context can only be determined in HTTP requests that bear the specific HTTP parameter.
  • Either make sure, the HTTP parameter to inspect is present in the first HTTP request hitting IAM and choose the right context retention policy.
  • Make sure, IAM works as expected (or fails in a safe way) even if the HTTP parameter is missing: users may bookmark pages or otherwise directly access URIs you do not expect.
  • May fail when the IAM configuration evolves (e.g OAuth or SAML to log in at a later point).

Typical Context Extractors for this use-case: Http Parameter Context Extractor.