Configuring Security Domain Federation

In order to provide single sign-on access to resources across security domain boundaries, you can configure ActivID AS to support security domain federation.

For example, this allows OAuth 2.0 client applications declared in Administration Domain to access resources in the Managed Domain on behalf of administrator users from the Administration Domain.

Note: By default, domain federation is enabled for ActivID AS.

The authentication flow is as follows:

  1. The Administration Domain OAuth 2.0 client application prompts the Administration Domain user for their credentials.

  2. The application uses the OAuth 2.0 Resource Owner Grant flow on the Administration Domain to submit the credentials to the ActivID AS server and receives an opaque string access token (see Exchanging Grants for Tokens).

    This access token is only valid for accessing user resources within the Administration Domain or for retrieving a JWT access token for another domain.

  3. The application uses the opaque string access token and OAuth 2.0 Authorization Code Grant flow on the Administration Domain to request a JWT access token for the Managed Domain audience.


    Sample request to get the JWT access token

    POST https://[base-server-url]/{tenant}/authn/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic c2lzLXBvcnRhbDpwYXNzd29yZDAx
     
    grant_type=authorization_code&audience=MANAGED_DOMAIN1&code=<opaque string access token>

    Sample response

    {
         "access_token":"eyJraWQiOiIxNTEyNDk0OTIwMTU2IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJEYWNP   (...)    bjg9yWKuaNNfk8jZ74iXlyttFmg",
         "context":{"LEVEL_OF_ASSURANCE":"2"},
         "token_type":"Bearer",
         "expires_in":14400
    }
    Note:
    • This access token is only valid for accessing user resources within the Managed Domain.
    • This token can be used as a Bearer token session when calling the ActivID SCIM API, or as an ALSI when calling the ActivID AS API.
    • This token CANNOT be used as a Bearer token when calling the ActivID OpenID Connect API in a Managed Domain.

  4. The administrator, via the application, is then granted roles and privileges within that Managed Domain based on the JWT access token claims and Managed Domain authorizations and configuration.
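The following Python client walks through steps 2 and 3 end to end: it submits the administrator's credentials with the Resource Owner Password grant, trades the resulting opaque token for a Managed Domain JWT using the `authorization_code` grant with an `audience` parameter (the same request shape as the sample above), and then inspects the JWT before handing it to a Managed Domain API. This is an added example, not code shipped with ActivID AS. The `username`/`password` parameter names for the first request are the standard RFC 6749 ones (the page does not show that request), the assumption that the client authenticates with HTTP Basic on both calls mirrors the sample, and the check that the JWT's `aud` claim equals the requested audience is a defensive assumption about the token layout, not something the page states. The transport is injected as a `post(url, headers, body)` callable so the flow can run offline against the constructed fake server included here; pass a thin wrapper around `requests.post` for a real deployment.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

CONTENT_TYPE = "application/x-www-form-urlencoded"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic credentials for the OAuth 2.0 client, as in the sample request."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username: str, password: str) -> str:
    """Step 2: Resource Owner Password grant on the Administration Domain.
    Parameter names follow RFC 6749 (assumption; the page does not show this request)."""
    return urlencode({"grant_type": "password", "username": username, "password": password})


def federation_grant_body(opaque_token: str, audience: str) -> str:
    """Step 3: exchange the opaque token for a JWT scoped to the Managed Domain audience."""
    return urlencode({"grant_type": "authorization_code", "audience": audience, "code": opaque_token})


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwt_parts(token: str):
    """Split a compact JWS into (header, claims) WITHOUT verifying the signature.
    Use this for inspection and logging only; the signature must still be verified
    against the server key named by the header's kid before the claims are trusted."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def audience_matches(claims: dict, expected: str) -> bool:
    """True if the expected audience appears in the aud claim (string or list form)."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected in aud


def federated_login(post, base_url, tenant, client_id, client_secret, username, password, audience):
    """Run steps 2 and 3 and return (managed_domain_jwt, claims).
    post(url, headers, body) must return the server's JSON response as a dict."""
    url = f"{base_url}/{tenant}/authn/token"
    headers = {"Content-Type": CONTENT_TYPE, "Authorization": basic_auth_header(client_id, client_secret)}
    # Step 2: the opaque token is only good inside the Administration Domain
    # or for the exchange below; never send it to a Managed Domain API.
    opaque = post(url, headers, password_grant_body(username, password))["access_token"]
    # Step 3: request the Managed Domain JWT for the chosen audience.
    response = post(url, headers, federation_grant_body(opaque, audience))
    jwt = response["access_token"]
    _header, claims = jwt_parts(jwt)
    if not audience_matches(claims, audience):  # assumption: the server reflects the audience in aud
        raise ValueError(f"JWT audience {claims.get('aud')!r} does not match requested {audience!r}")
    return jwt, claims


def make_fake_transport():
    """Constructed offline stand-in for the ActivID AS token endpoint (not the real server)."""
    def post(url, headers, body):
        assert headers["Authorization"].startswith("Basic ")
        form = parse_qs(body)
        if form["grant_type"] == ["password"]:
            return {"access_token": "opaque-" + form["username"][0], "token_type": "Bearer", "expires_in": 900}
        assert form["grant_type"] == ["authorization_code"] and form["code"][0].startswith("opaque-")
        header = _b64url_encode(json.dumps({"kid": "example-kid", "alg": "RS256"}).encode())
        subject = form["code"][0][len("opaque-"):]
        claims = _b64url_encode(json.dumps({"sub": subject, "aud": form["audience"][0]}).encode())
        return {"access_token": f"{header}.{claims}.not-a-real-signature",
                "context": {"LEVEL_OF_ASSURANCE": "2"}, "token_type": "Bearer", "expires_in": 14400}
    return post


if __name__ == "__main__":
    token, claims = federated_login(make_fake_transport(), "https://as.example", "tenant1",
                                    "sis-portal", "password01", "admin1", "secret", "MANAGED_DOMAIN1")
    print(claims)
```

The audience check is the practical safeguard: if a misconfigured client asks for one domain and gets a token for another, the mismatch is caught before the token is presented to a Managed Domain API. `jwt_parts` deliberately does not verify the RS256 signature; in production, verify it with the server's published key (selected by `kid`) before acting on any claim.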
