Remedy Single Sign-On provides preauthentication mechanism to allow end users to access applications if they have already been authenticated by another authentication provider.
To be able to use the preauthentication method, the following preconditions must be met:
- A third-party authentication provider must issue a JSON Web Token (JWT) as a result of authentication
- The JWT which contains the user principals must be signed.
To use preauthentication, as the Remedy SSO administrator, you must first configure an appropriate realm for the preauthentication type. You must then specify the JWT attributes and the certificate that will be used to validate the authentication server signature under the user principals.
The following table provides the preauthentication login flow:
An end user passes authentication against a third-party authentication server, and gets the JWT representing the authenticated person and signed by the authentication server.
The Remedy SSO agent deployed on the application side forwards the unauthenticated request to the Remedy SSO server and passes the JWT value in the
The Remedy SSO server verifies that the JWT has been issued by the trusted server and is valid, and then extracts the user name by using the configured JWT attribute.
Remedy SSO proceeds with the standard authentication flow. It authenticates the user, creates the session, sets the authentication cookie, and redirects the request to the original application.