Single Sign-on

Single Sign-on (SSO) means that the user only has to log on once and is then automatically authenticated to the connected services. The user therefore does not have to authenticate again, with username and password, for each individual service.

Axon Ivy Engine supports Single Sign-on. The configuration depends on the given infrastructure, but the concept is always the same. The user browses the Axon Ivy Engine over an intermediate service, a reverse proxy server. The reverse proxy server is responsible for authenticating the user and for enriching the request with an identifier of the user. The Axon Ivy Engine automatically logs on the user when the user is known in the security system of the Axon Ivy Engine.


digraph overview {
  browser [label="Browser" pos = "0,3!" width=1];
  reverseproxy [label="Reverse Proxy" pos = "3.5,3!" width=1.6]; 
  engine [label="Axon Ivy\nEngine" pos="7,3!" width="1.5" color="#C7D426" fontcolor="black"];
  
  browser -> reverseproxy [label="HTTPS" fontsize=10];
  reverseproxy -> engine [label="HTTP Header\nX-Forwarded-User=john" fontsize=10];
}

Therefore you need to configure your reverse proxy to set the identifier of the authenticated user as an HTTP header. For Microsoft IIS as reverse proxy we provide an auto configuration script.

Next you need to enable SSO in ivy.yaml:

# Enable SSO
# [engineDir]/configuration/ivy.yaml
# Attention: Ensure Axon Ivy Engine can only be accessed over your reverse proxy.
SSO:
  # enable SSO
  Enabled: true

  # name of HTTP user header which must be set by your reverse proxy
  #UserHeader: X-Forwarded-User

Warning

If you enable SSO you must ensure that the Axon Ivy Engine cannot be accessed directly. All traffic must be routed over the reverse proxy. Otherwise, an attacker could simply send a valid user name as a header in an HTTP request and immediately gain access, bypassing authentication entirely.
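To make the warning concrete, here is an added example (not Axon Ivy Engine code) that models the engine side of header-based SSO: the user header is honoured only when the TCP peer is one of the configured reverse proxies and the asserted user is known to the security system; every other request falls back to the normal login. The header name follows the `UserHeader` setting above; the trusted-proxy list and the user directory are assumptions for the model.

```python
from ipaddress import ip_address, ip_network

# Header name as configured under SSO.UserHeader in ivy.yaml (default shown in the docs).
USER_HEADER = "X-Forwarded-User"


def resolve_sso_user(headers, remote_addr, trusted_proxies, known_users, sso_enabled=True):
    """Return the user name to log on automatically, or None to fall back to normal login.

    headers         -- dict of HTTP header name -> value (names compared case-insensitively)
    remote_addr     -- peer IP of the TCP connection; the reverse proxy when deployed correctly
    trusted_proxies -- CIDR strings; only peers inside them may assert a user (assumption)
    known_users     -- set of user names present in the security system (constructed stand-in)
    """
    if not sso_enabled:
        return None
    peer = ip_address(remote_addr)
    if not any(peer in ip_network(net) for net in trusted_proxies):
        # The request did not come through the reverse proxy: the header is untrusted
        # client input, so it is ignored. This is exactly the bypass the warning describes.
        return None
    lowered = {name.lower(): value for name, value in headers.items()}
    user = lowered.get(USER_HEADER.lower(), "").strip()
    if not user or user not in known_users:
        # Header missing, empty, or names an unknown user: no automatic logon.
        return None
    return user


if __name__ == "__main__":
    # Constructed sample values for a local dry run.
    proxies = ["10.0.0.0/8"]
    users = {"john", "alice"}
    via_proxy = resolve_sso_user({"X-Forwarded-User": "john"}, "10.0.0.5", proxies, users)
    direct = resolve_sso_user({"X-Forwarded-User": "john"}, "203.0.113.7", proxies, users)
    print("via proxy:", via_proxy, "| direct:", direct)
```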

You can integrate Axon Ivy Engine with any Web Application Firewall of your choice. If nothing fits your needs, you can implement your own SSO solution.