SSO with Proxy Provider - Tyk Documentation

Introduction

The Proxy Provider (ProxyProvider) is a passthrough authentication method that forwards the user’s request to a custom or legacy HTTP endpoint and evaluates the response to determine whether authentication succeeded. No browser redirect to an external IdP is involved. This is useful for integrating with systems that do not support standard protocols such as OIDC, SAML, or LDAP — for example, a legacy authentication service that accepts Basic Auth and returns a JSON response. Before configuring your TIB profile, read Dashboard SSO or Portal SSO to understand the ActionType, ReturnURL, and IdentityHandlerConfig fields required for your use case.

How It Works

TIB proxies the incoming authentication request to the configured TargetHost and evaluates the response:

The user submits credentials to the TIB endpoint (typically via a form POST or HTTP Basic Auth header).
TIB proxies the request to TargetHost.
TIB evaluates the response against the configured success criteria.
If successful, TIB extracts the user identity and executes the configured action.

Evaluating Success

TIB evaluates the upstream response in order. At least one of OKCode, OKResponse, or OKRegex must be configured.

Hard failure — if the upstream returns HTTP 400 or above, authentication fails immediately.
OKCode — if set (non-zero), the response status code must exactly match this value.
OKResponse — if set, TIB base64-encodes the raw response body and compares it to this value. The configured value must therefore be a base64-encoded string.
OKRegex — if set, TIB applies this regular expression against the raw response body.

Multiple criteria act as gates — all configured criteria must pass for authentication to succeed.

Extracting User Identity

If authentication succeeds, TIB extracts the user identity to pass to the identity handler:

If ResponseIsJson is true, TIB parses the response body as JSON and extracts values using AccessTokenField and UsernameField as JSON field names.
If ExrtactUserNameFromBasicAuthHeader is true, TIB extracts the username from the incoming request’s Basic Auth header.
If no username can be extracted, TIB generates a random identifier and appends @soSession.com to form a placeholder email address.

Note that there is a known typo in the field name used to extract the username from a Basic Auth header: ExrtactUserNameFromBasicAuthHeader. To avoid breaking change, this remains in the code and must be set with typo in the TIB profile.

TIB Profile

The Proxy Provider configuration goes in the ProviderConfig block of the TIB profile. Set ProviderName to ProxyProvider and Type to passthrough.

{
  "ProviderName": "ProxyProvider",
  "Type": "passthrough",
  "ProviderConfig": {
    "TargetHost": "http://{upstream-host}/{path}",
    "OKCode": 200,
    "OKResponse": "",
    "OKRegex": "",
    "ResponseIsJson": false,
    "AccessTokenField": "",
    "UsernameField": "",
    "ExrtactUserNameFromBasicAuthHeader": false
  }
}

The ProviderConfig fields are:

Field	Description
`TargetHost`	URL of the upstream authentication endpoint.
`OKCode`	HTTP status code that indicates a successful response. Set to `0` to disable this check.
`OKResponse`	Base64-encoded string that the response body must exactly match. Leave empty to disable.
`OKRegex`	Regular expression that must match the raw response body. Leave empty to disable.
`ResponseIsJson`	Set to `true` if the upstream response body is JSON, enabling field extraction via `AccessTokenField` and `UsernameField`.
`AccessTokenField`	JSON field name in the upstream response containing an access token.
`UsernameField`	JSON field name in the upstream response containing the username.
`ExrtactUserNameFromBasicAuthHeader`	Set to `true` to extract the username from the incoming request’s Basic Auth header. Note the intentional typo in the field name — this matches the TIB codebase and must be spelled exactly as shown.

Since ProxyProvider is a passthrough flow, users submit credentials directly to TIB. Create a login page with a form that posts to the TIB authentication endpoint:

<form method="POST" action="http://{tib-host}/auth/{profile-id}/ProxyProvider">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <button type="submit">Log in</button>
</form>

Alternatively, credentials can be passed via an HTTP Basic Auth header if ExrtactUserNameFromBasicAuthHeader is set to true.

Worked Example

This example proxies a Basic Auth request to an upstream service. TIB evaluates the HTTP 200 response code and extracts the username from the JSON response body.

Dashboard SSO
Portal SSO

In this example, Tyk Dashboard is running at http://dashboard.example.com on port 3000; replace the example values with your own.Tyk Dashboard configuration

{
  "sso_enable_user_lookup": true,
  "sso_permission_defaults": {
    "apis": "write",
    "keys": "write",
    "policies": "write"
  },
  "sso_default_group_id": "{tyk-user-group-id}"
}

With this configuration, registered users (with a Tyk Dashboard user account) get their own permissions; unregistered users fall back to the group specified in sso_default_group_id. See Dashboard SSO for full details.TIB profileThe TIB profile is created via the Tyk Identity Broker API or the Tyk Dashboard UI.

{
  "ID": "proxy-dashboard",
  "Name": "Proxy Provider Dashboard SSO",
  "OrgID": "{tyk-org-id}",
  "ActionType": "GenerateOrLoginUserProfile",
  "Type": "passthrough",
  "ProviderName": "ProxyProvider",
  "ReturnURL": "http://dashboard.example.com:3000/tap",
  "IdentityHandlerConfig": {
    "DashboardCredential": "{tib-service-user-api-key}"
  },
  "ProviderConfig": {
    "TargetHost": "http://{upstream-host}/{auth-path}",
    "OKCode": 200,
    "OKResponse": "",
    "OKRegex": "",
    "ResponseIsJson": true,
    "AccessTokenField": "access_token",
    "UsernameField": "username",
    "ExrtactUserNameFromBasicAuthHeader": false
  }
}

set DashboardCredential to the TIB service account’s Dashboard credentials

Login page form actionYour login page form should POST to:

http://dashboard.example.com:3000/auth/proxy-dashboard/ProxyProvider

See Dashboard SSO for details on session behavior, permissions, and user group mapping.

In this example, Tyk Developer Portal is running at http://portal.example.com on port 3001; replace the example values with your own.Tyk Developer Portal configurationEnable embedded TIB in the Portal configuration:

{
  "TIB": {
    "Enable": true
  }
}

TIB profileThe TIB profile is created via the Tyk Developer Portal UI under Settings > SSO Profiles.

{
  "ID": "proxy-portal",
  "Name": "Proxy Provider Portal SSO",
  "OrgID": "{tyk-org-id}",
  "ActionType": "GenerateOrLoginDeveloperProfile",
  "Type": "passthrough",
  "ProviderName": "ProxyProvider",
  "ReturnURL": "http://portal.example.com:3001/sso",
  "IdentityHandlerConfig": {
    "DashboardCredential": "{portal-api-secret}"
  },
  "ProviderConfig": {
    "TargetHost": "http://{upstream-host}/{auth-path}",
    "OKCode": 200,
    "OKResponse": "",
    "OKRegex": "",
    "ResponseIsJson": true,
    "AccessTokenField": "access_token",
    "UsernameField": "username",
    "ExrtactUserNameFromBasicAuthHeader": false
  }
}

set ActionType and OrgID based on the audience:
- Admin Portal (API owners): ActionType: "GenerateOrLoginUserProfile", OrgID: "0"
- Live Portal (API consumers): ActionType: "GenerateOrLoginDeveloperProfile", OrgID is not required
set DashboardCredential to the PortalAPISecret used to authenticate with the Portal’s management API

Login page form actionYour login page form should POST to:

http://portal.example.com:3001/auth/proxy-portal/ProxyProvider

For details on user group mapping and admin vs developer profiles, see Portal SSO.

​Introduction

​How It Works

​Evaluating Success

​Extracting User Identity

​TIB Profile

​Login Page

​Worked Example

Introduction

How It Works

Evaluating Success

Extracting User Identity

TIB Profile

Login Page

Worked Example