Single Sign-on

Single Sign-on (SSO) means that the user only has to log in once and is then automatically authenticated against all connected services. The user therefore does not have to enter a username and password separately for each individual service.

Axon Ivy Engine supports Single Sign-on. The configuration depends on the given infrastructure, but the concept is always the same.

The user accesses the Axon Ivy Engine via an intermediate service, a reverse proxy server. The reverse proxy server is responsible for authenticating the user and adding a user identifier to the request as an HTTP header. The Axon Ivy Engine automatically logs in the user if that user is known in the security system of the Axon Ivy Engine.


Overview diagram: Browser --(HTTPS)--> Reverse Proxy --(HTTP header X-Forwarded-User=john)--> Axon Ivy Engine


Therefore you need to configure your reverse proxy to set the identifier of the authenticated user as an HTTP header. For Microsoft IIS we provide an auto configuration script.

Next you need to enable SSO in ivy.yaml:

# Enable SSO
# [engineDir]/configuration/ivy.yaml
# Attention: Ensure Axon Ivy Engine can only be accessed over your reverse proxy.
SSO:
  # enable SSO
  Enabled: true

  # name of HTTP user header which must be set by your reverse proxy
  #UserHeader: X-Forwarded-User

Warning

If you enable SSO you have to ensure that the Axon Ivy Engine cannot be accessed directly. All traffic has to be routed via the reverse proxy. Otherwise, an attacker could simply put a valid user name into the header of a forged HTTP request and immediately gain access, bypassing authentication entirely!
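The trust chain from the diagram and the warning above, modelled as an added example (not Axon Ivy code): the proxy discards any user header the browser supplied and sets its own, while the engine side honours the header only for requests that arrived from the proxy. The source-address check stands in for the network restriction the warning demands; the proxy address and the user list are constructed values.

```python
"""Model of the reverse-proxy SSO handshake described above (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

USER_HEADER = "X-Forwarded-User"      # default of SSO.UserHeader in ivy.yaml
TRUSTED_PROXIES = {"10.0.0.5"}        # constructed: address of the reverse proxy
KNOWN_USERS = {"john", "anna"}        # constructed: users in the engine security system


@dataclass
class Request:
    source_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


def _user_header(headers: Dict[str, str]) -> Optional[str]:
    """Header names are case-insensitive, so match without regard to case."""
    return next((v for k, v in headers.items() if k.lower() == USER_HEADER.lower()), None)


def proxy_forward(client_req: Request, authenticated_user: str, proxy_ip: str) -> Request:
    """What the reverse proxy hands to the engine after authenticating the browser.

    Any client-supplied copy of the user header is dropped before the proxy
    sets its own value, so the browser can never choose the identity.
    """
    clean = {k: v for k, v in client_req.headers.items() if k.lower() != USER_HEADER.lower()}
    clean[USER_HEADER] = authenticated_user
    return Request(source_ip=proxy_ip, headers=clean)


def engine_sso_login(req: Request, sso_enabled: bool = True) -> Optional[str]:
    """Engine-side decision: which user, if any, gets logged in by SSO."""
    if not sso_enabled:
        return None
    # Only traffic that came through the reverse proxy may carry a trusted header;
    # a request reaching the engine directly is treated as anonymous.
    if req.source_ip not in TRUSTED_PROXIES:
        return None
    user = _user_header(req.headers)
    return user if user in KNOWN_USERS else None
```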

You can integrate Axon Ivy Engine with any Web Application Firewall of your choice. If none of these fits your needs, you can implement your own SSO solution.