Zone Transfer

The Zone Transfer authentication action compares the zone of the current service role with a value taken from an attribute container (e.g. Subject Attributes), when present. If the values are different, the action initiates a zone transfer; otherwise nothing is done.

A zone transfer is a mechanism used in multi-region scenarios to ensure that authentication flows are executed in service roles associated to a given zone - usually corresponding to the geographic region of the user.

Associating users with geographic regions usually involves infrastructure components, such as reverse proxies or load balancers. When initiating a zone transfer, the authentication action sets an HTTP-only cookie containing the identifier of the intended zone, as extracted from the attributes. In addition, it captures the state of the ongoing authentication flow and redirects the user to a well-known endpoint in Curity. At this stage, a reverse proxy can use the cookie to direct the user to a server running an appropriate service role, which restores the authentication state and resumes the flow.

An example of configuring this action in the admin UI is shown in the following figure:


Fig. 120 Configuring the zone transfer action in the admin UI

This authentication action is usually configured at a very early stage of the authentication flow, before any region-specific data is required. It needs to be configured after the authenticator or authentication action that adds the attribute identifying the zone.

The means of obtaining the attribute that identifies the intended zone is out of the scope of this authentication action, but some possible options are: prompting the user, inferring from the username and accessing a data source that doesn’t contain sensitive/personal information. Curity includes different components that can help achieving that goal.


The following configuration options are available:

Configuration Mandatory Description
zones yes The set of zone identifiers to be considered. Must reference zones configured in the system.
attribute no Name of the attribute from which to extract the id of the intended zone. Defaults to “zone”.
attribute-source no The source for the above attribute (subject-attributes, context-attributes, or action-attributes). Default value is subject-attributes.
cookie no Name of the cookie that contains the zone identifier after a successful execution. Defaults to “zone”.


If the value of the configured attribute is not one of the configured zone identifiers, the authentication action will fail.

In addition, the state captured in a zone transfer can only be restored by a service role in the target zone and in the same session context. If that is not the case, the user won’t be able to resume the authentication flow.