External Authentication

The External Authentication Interface (EAI) provides a mechanism for a resource server to handle the authentication process.

Conceptually, the resource server application will handle the authentication user experience and can return HTTP headers containing identity information which IAG will use to establish a credential.

Configuring External Authentication

To configure external authentication, IAG must be provided with a list of trigger URLs. These trigger URLs indicate to IAG which resources can return the external authentication HTTP headers which contain identity information.

For example, consider the following configuration:

version: 23.04

  - path: /auth_app
    connection_type: ssl
      - host:
        port: 9443

    url: /auth_app/login
    - name: originalUrl
      source: macro
      value: URL
      - /auth_app/login_complete
      - /auth_app/login_complete_v2

    - name: eai_unauth
        - "/auth_app/*"
      rule: anyauth
      action: permit
  1. Our external authentication application is defined as the resource server /auth_app.
  2. Unauthenticated clients will be redirected to /auth_app/login. This is the login page for the external authentication application. The originally requested URL will be included as a query string parameter named originalUrl.
  3. The trigger URLs /auth_app/login_complete and /auth_app/login_complete_v2 are registered. IAG will inspect responses for these resources for identity information headers.
  4. An authorization policy which will allow all clients (authenticated and unauthenticated) is applied to the external authentication application.

External Authentication Headers

Header NamePurposeExample
AM-EAI-USER-IDThe value of this header is interpreted as the username.[email protected]
AM-EAI-XATTRSThis header contains a comma separated list of other header names which should be interpreted as credential attributes. (Optional)firstName,lastName,accessGroup
AM-EAI-REDIR-URLThis header can be used to specify a URL that the client should be redirected to. (Optional)/app1/welcome

IAG will examine responses to requests sent to any of the configured trigger URLs for external authentication headers. If external authentication headers are found, IAG will create a new credential using the information contained in these headers.

At a minimum, the AM-EAI-USER-ID (username) header must be provided to trigger external authentication.

Consider the following example response to a configured trigger URL:

> POST /auth_app/login_complete
> ...

< HTTP/1.1 200 OK
< ...
< AM-EAI-USER-ID: [email protected]
< AM-EAI-XATTRS: firstName,lastName,accessGroup
< firstName: John
< lastName: Smith
< accessGroup: regularUsers
< AM-EAI-REDIR-URL: /app1/welcome
< ...

This response:

  1. Will trigger external authentication as the request URL matches a trigger URL and contains the AM-EAI-USER-ID HTTP header.
  2. A credential will be created with the username [email protected] from the AM-EAI-USER-ID HTTP header.
  3. The AM-EAI-XATTRS is present and indicates that the firstName, lastName and accessGroup HTTP headers should be interpreted as credential attributes.
  4. The AM-EAI-REDIR-URL indicates that the client should be redirected to /app1/welcome.

The resulting credential will look like:

Attribute NameAttribute Value(s)
AZN_CRED_AUTHZN_ID[email protected]
AZN_CRED_AUTH_EPOCH_TIME(time the credential was created)
AZN_CRED_BROWSER_INFO(client user-agent)
AZN_CRED_IP_FAMILY(client IP family)
AZN_CRED_PRINCIPAL_NAME[email protected]
AZN_CRED_QOP_INFO(client QOP info)
AZN_CRED_REGISTRY_ID[email protected]
AZN_CRED_USER_INFO[email protected]
tagvalue_login_user_name[email protected]
tagvalue_session_index(session index)
tagvalue_user_session_id(session identifier)

The response from the external authentication application will be intercepted by IAG and not returned to the client. The client will instead receive a 302 redirect to the URL /app1/welcome.

Using External Authentication and OIDC

External authentication can be used in conjunction with an OIDC identity.

If both OIDC and EAI are configured, by default IAG will redirect unauthenticated clients to start the OIDC login. To change this behavior, use the auth_challenge_redirect to specify a location where unauthenticated clients should be sent to start authentication.

## Example 1
## Unauthenticated clients will be redirected to start OIDC authentication.
    discovery_endpoint: https://www.test.com/mga/sps/oauth/oauth20/metadata/oidc_def
      - /auth_app/login_complete

## Example 2
## Unauthenticated clients will be redirected to `/auth_app/login`.
    url: /auth_app/login
    discovery_endpoint: https://www.test.com/mga/sps/oauth/oauth20/metadata/oidc_def
      - /auth_app/login_complete

When using auth_challenge_redirect to control the initial authentication challenge, clients can later be redirected to start the OIDC authentication process by sending them to the OIDC kick-off URL /pkmsoidc?iss=default.

Additionally, auth_challenge_redirect can include parameters describing the original request which was redirected. See the YAML reference for Default Authentication Challenge for further information.

Sign-out with External Authentication

The External Authentication Interface can also be used to sign-out an active session or all active sessions for a given user. The mechanism works in a similar way to the sign-on process, where the external authentication application responds to a requests on any of the matching trigger URLs with headers indicating the action to take place.

Sign-out for a Single User Session

An external authentication application can indicate to IAG that a session should be terminated by providing a terminate session header and indicating the identifier for the session to terminate.

Header NameFormatPurposeExample
AM-EAI-SERVER-TASKterminate session <session_id>The session corresponding to <session_id> will be destroyed.terminate session abc...:default



Note that the session ID is the value stored in the credential as tagvalue_user_session_id.

Sign-out for all Sessions Belonging to a User

An external authentication application can indicate to IAG that all sessions belonging to a particular user should be terminated by providing a terminate all_sessions header and indicating the username whose sessions should be terminated.

Header NameFormatPurposeExample
AM-EAI-SERVER-TASKterminate all_sessions <username>All sessions belonging to <username> will be destroyed.terminate all_sessions [email protected]