Integrating Third-party Applications for User Authentication

Connect third-party applications to ensure that the authentication context produced by a user's authentication is correct and complete.

Feature flag

Post Authentication applications must be explicitly enabled for your tenant using the custom_apps feature flag. To enable the feature, contact the SecureAuth Sales Team.

Register Application in SecureAuth

  1. Go to Extensions > Custom Apps.

  2. Click + Custom Application.

  3. Fill in the application data.

    Field              Description
    Type               Application type
    Name               Name to identify this application
    Application URL    Your third-party application URL that SecureAuth will redirect the user to during the authentication process

  4. Click Create.

    Your application is now added to SecureAuth as a client in the system workspace. It generates a Client ID and Client Secret so that your application can authenticate with SecureAuth to perform various operations.

    (Figure: Example Third-party Application registration, Custom_app config)

Associate Application to IDP

  1. Go to Authentication > Providers > IDP of your choice > Extensions.

  2. In the Post Authentication application field, select your application. Once selected, users will be redirected to the application after login.

    (Figure: Example Third-party Application association, Custom_app association)

Post-Authn Success Flow

Use case: After authentication, the Post-Authn Third-party Application prompts the user for additional information and that information is added to the user's authentication context.

Abstract Flow

(Figure: Post-Authn_Success_Flow.svg)

Add Post-AuthN Success Flow

  1. SecureAuth authenticates the user.

  2. SecureAuth redirects to the Application URL specified in your Custom App configuration and adds a query string with login_id and login_state.

    https://myapplication.com?login_id=REDACTED&login_state=REDACTED

    1. The Third-party Application receives the redirect with the query string.

    2. Authenticate to SecureAuth with the client_secret_basic method, using the Client ID and Client Secret generated when the Third-party Application was registered (POST Authn-client-secret-basic).

    3. Retrieve the user's current session via GET post-authn-session.

    4. Retrieve additional information from Third-Party datastore.

    5. Display options to user.

    6. User selects an option and clicks Submit.

    7. Construct the Authn Complete JSON and put the user-selected values into the authentication_context.

      {
        "authentication_context":{     # User's authentication context
          "organizationId":"6502",     # Additional attributes
          "organizationName":"Acme Inc.",
          "permissions":[
            "acme:ViewDashboard",
            "acme:CreateOrder",
            "acme:ViewOrder"
          ]
        },
        "id":"REDACTED",            # Required login_id
        "login_state":"REDACTED"    # Required login_state
      }                           
    8. Send post-auth Complete with the authentication_context POST post-authn-complete.

    9. Receive SecureAuth response containing redirect.

      {
        "redirect_to":"https://my-tenant.us.authz.cloudentity.io/my-tenant/my-workspace/oauth2/authorize?..."
      }                           
    10. Execute the redirect_to contained in the SecureAuth response.

  3. SecureAuth proceeds to the next step in the Authentication process.

Post-Authn Abort Flow

Use case: After authentication, the Post-Authn Third-party Application process fails.

  1. SecureAuth authenticates the user.

  2. SecureAuth redirects to the Application URL specified in your Custom App configuration and adds a query string with login_id and login_state: https://myapplication.com?login_id=qwerty&login_state=asdfg

    1. The Third-party Application receives the redirect with the query string.

    2. Authenticate to SecureAuth with the client_secret_basic method, using the Client ID and Client Secret generated when the Third-party Application was registered (POST Authn-client-secret-basic).

    3. Retrieve the user's current session via GET post-authn-session.

    4. Retrieve additional information from Third-Party datastore.

    5. An error occurs or the user lacks permission, organization, etc.

    6. Construct the abort JSON.

      {
        "status":403,
        "error":"AccessDenied",
        "error_description":"User denied access",
        "id":"REDACTED",
        "login_state":"REDACTED"
      }                        
    7. Send post-auth Abort with the abort JSON via POST post-authn-abort.

    8. Receive SecureAuth response containing redirect.

      {
        "redirect_to":"https://my-tenant.us.authz.cloudentity.io/my-tenant/my-workspace/oauth2/authorize?..."
      }                        
    9. If the SecureAuth error page is desired, execute the redirect_to contained in the SecureAuth response.

    10. Else, display third-party error page. The Third-party Application does not return to SecureAuth in this case.

  3. If redirected back to SecureAuth, SecureAuth displays a generic authentication failure message.
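The following is an added example (not SecureAuth's own code) covering the client-side half of both the success flow and the abort flow above: it parses the login_id and login_state from the redirect, builds the client_secret_basic Authorization header, and produces either the Authn Complete JSON or the abort JSON depending on what the third-party datastore returns. The in-memory datastore, the user id (which a real application would take from GET post-authn-session), and the HTTP client that would send the payload are assumptions and stand-ins.

```python
import base64
from urllib.parse import urlparse, parse_qs


def parse_login_redirect(url):
    """Extract login_id and login_state from the redirect SecureAuth sends to the Application URL."""
    qs = parse_qs(urlparse(url).query)
    try:
        return qs["login_id"][0], qs["login_state"][0]
    except (KeyError, IndexError):
        # Treat an incomplete redirect as a failure rather than guessing at the values.
        raise ValueError("redirect is missing login_id or login_state")


def client_secret_basic_header(client_id, client_secret):
    """Authorization header for the client_secret_basic method: Basic base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def build_complete_payload(login_id, login_state, org):
    """Authn Complete JSON: the user's selection goes under authentication_context, plus the required ids."""
    return {
        "authentication_context": {
            "organizationId": org["id"],
            "organizationName": org["name"],
            "permissions": list(org["permissions"]),
        },
        "id": login_id,
        "login_state": login_state,
    }


def build_abort_payload(login_id, login_state, description="User denied access"):
    """Abort JSON sent to POST post-authn-abort when the user cannot be completed."""
    return {"status": 403, "error": "AccessDenied", "error_description": description,
            "id": login_id, "login_state": login_state}


def post_authn_outcome(redirect_url, user_id, datastore):
    """Decide which SecureAuth call follows the redirect for this user.

    Returns (endpoint_name, payload). `datastore` is a constructed stand-in for the
    third-party datastore (user id -> organization record); `user_id` is assumed to
    come from the session fetched via GET post-authn-session.
    """
    login_id, login_state = parse_login_redirect(redirect_url)
    org = datastore.get(user_id)
    if org is None or not org["permissions"]:
        # Missing organization or no permissions: abort instead of granting an empty context.
        return "post-authn-abort", build_abort_payload(login_id, login_state)
    return "post-authn-complete", build_complete_payload(login_id, login_state, org)
```

The returned payload is what the application would POST (with the client_secret_basic header) to the corresponding SecureAuth endpoint, after which it executes the redirect_to from the response.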