The Zone Transfer authentication action compares the zone of the current service role
with a value taken from the Subject Attributes, when present. If the values are different, the action initiates a zone
transfer; otherwise nothing is done.
A zone transfer is a mechanism used in multi-region scenarios to ensure that authentication flows are executed in service
roles associated with a given zone, usually corresponding to the geographic region of the user.
Associating users with geographic regions usually involves infrastructure components, such as reverse proxies or load balancers.
When initiating a zone transfer, the authentication action sets an HTTP-only cookie containing the identifier of the intended
zone, as extracted from the Subject Attributes. In addition, it captures the state of the ongoing authentication flow and
redirects the user to a well-known endpoint in Curity. At this stage, a reverse proxy can use the cookie to direct the user
to a server running an appropriate service role, which restores the authentication state and resumes the flow.
An example of configuring this action in the admin UI is shown in the following figure:
Fig. 108 Configuring the zone transfer action in the admin UI
This authentication action is usually configured at a very early stage of the authentication flow, before any region-specific
data is required. It needs to be configured after the authenticator or authentication action that adds the Subject Attribute
identifying the zone.
The means of obtaining the Subject Attribute that identifies the intended zone is out of the scope of this authentication
action, but some possible options are: prompting the user, inferring it from the username, or looking it up in a data source that
doesn't contain sensitive/personal information. Curity includes different components that can help achieve that goal.
The following configuration options are available:
If the value of the configured Subject Attribute is not one of the configured zone identifiers, the authentication action will fail.
In addition, the state captured in a zone transfer can only be restored by a service role in the target zone and in the
same session context. If that is not the case, the user won’t be able to resume the authentication flow.
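The following is an added example that models the behaviour described above (the comparison against the current zone, the HTTP-only cookie and redirect, and the restore constraints from the last paragraph); it is not Curity's code. The cookie name `zone`, the endpoint path `/zone-transfer`, the Subject Attribute name `zone` and the upstream hosts are assumptions made for the illustration, and the reverse-proxy routing helper is only a sketch of the decision a proxy would make on the cookie.

```python
"""Added example (not Curity's code): models the Zone Transfer action's decision,
the state capture/restore constraints, and the reverse-proxy routing on the cookie.
Cookie name, endpoint path, attribute name and upstream hosts are assumptions."""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional
import secrets

ZONE_COOKIE = "zone"                  # assumed cookie name set during a transfer
TRANSFER_ENDPOINT = "/zone-transfer"  # assumed well-known endpoint path
SUBJECT_ATTRIBUTE = "zone"            # assumed name of the configured Subject Attribute


@dataclass
class TransferResult:
    transfer: bool                      # False means "nothing is done"
    redirect_to: Optional[str] = None   # endpoint the user is redirected to
    set_cookie: Optional[str] = None    # Set-Cookie header value
    state_id: Optional[str] = None      # reference to the captured flow state


@dataclass
class ZoneTransferAction:
    configured_zones: set                     # allowed zone identifiers
    attribute_name: str = SUBJECT_ATTRIBUTE
    captured_state: Dict[str, dict] = field(default_factory=dict)

    def evaluate(self, current_zone: str, subject_attributes: dict, flow_state: dict) -> TransferResult:
        target = subject_attributes.get(self.attribute_name)
        if target is None:
            return TransferResult(transfer=False)          # attribute absent: no transfer
        if target not in self.configured_zones:
            raise ValueError(f"unknown zone identifier {target!r}")  # the action fails
        if target == current_zone:
            return TransferResult(transfer=False)          # already in the right zone
        # Capture the ongoing flow, bound to the target zone and the session context.
        state_id = secrets.token_urlsafe(16)
        self.captured_state[state_id] = {
            "zone": target, "session": flow_state["session"], "flow": flow_state}
        cookie = SimpleCookie()
        cookie[ZONE_COOKIE] = target
        cookie[ZONE_COOKIE]["httponly"] = True   # not readable from scripts in the browser
        cookie[ZONE_COOKIE]["secure"] = True
        cookie[ZONE_COOKIE]["path"] = "/"
        return TransferResult(True, f"{TRANSFER_ENDPOINT}?state={state_id}",
                              cookie.output(header="").strip(), state_id)

    def restore(self, state_id: str, current_zone: str, session: str) -> dict:
        """Restore captured state; only the target zone, in the same session, may do so."""
        entry = self.captured_state.get(state_id)
        if entry is None:
            raise LookupError("no captured state for this identifier")
        if entry["zone"] != current_zone:
            raise PermissionError("state may only be restored by a service role in the target zone")
        if entry["session"] != session:
            raise PermissionError("state may only be restored in the same session context")
        del self.captured_state[state_id]   # one-time use
        return entry["flow"]


def route_by_zone_cookie(cookie_header: Optional[str], upstreams: Dict[str, str], default_zone: str) -> str:
    """Reverse-proxy side: pick the upstream for the zone named in the cookie, else the default."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    zone = cookie[ZONE_COOKIE].value if ZONE_COOKIE in cookie else default_zone
    return upstreams.get(zone, upstreams[default_zone])


if __name__ == "__main__":
    # Constructed sample: a user in the "eu" role whose Subject Attribute says "us".
    upstreams = {"eu": "https://eu.idsvr.example", "us": "https://us.idsvr.example"}  # constructed
    action = ZoneTransferAction(configured_zones={"eu", "us"})
    result = action.evaluate("eu", {"zone": "us"}, {"session": "sess-1", "step": "after-username"})
    print("redirect:", result.redirect_to)
    print("set-cookie:", result.set_cookie)
    print("proxy routes to:", route_by_zone_cookie(result.set_cookie.split(";")[0], upstreams, "eu"))
    print("restored flow:", action.restore(result.state_id, "us", "sess-1"))
```

Running the sample shows the three observable parts of a transfer: a redirect to the endpoint carrying a state reference, a `Set-Cookie` value marked `HttpOnly`, and a routing decision the proxy can make from the cookie alone; the restore call then succeeds only for the target zone within the same session, matching the constraint in the last paragraph.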