Configuration Center access via Airlock IAM

For security reasons, access to the Airlock Gateway Configuration Center requires valid authentication. To that end, Airlock IAM can be configured as the access management and identity provider offering its full range of authentication methods.

When using Airlock IAM for access management, the local Airlock Gateway users can be removed to improve security. However, for fallback and emergency situations — e.g., if Airlock IAM is experiencing downtime — a local user with the airlock-administrator role could be required. See also Emergency access and troubleshooting.

Info

The Airlock IAM instance and the Airlock Gateway instance should be time-synchronized — i.e., using NTP.

Configuration example

The following subpages walk through a basic example configuration to set up Configuration Center access via Airlock IAM – from retrieving and preparing the JWT secret, to configuring Airlock IAM to enable identity propagation, defining the login and redirection flow in the UI, and finally configuring Airlock Gateway.

In the example configuration, these sample hostnames are used:

  • gw.example.com – the hostname of the Airlock Gateway instance that provides management access to the Configuration Center
  • iam.example.com – the hostname of the Airlock IAM instance that handles identity and access management for users accessing the Configuration Center

The JWT is passed to the endpoint https://gw.example.com/airlock/alec_security_check as a URL parameter named jwt. For details on how the identity propagation JWT must be structured when passed as the jwt parameter, refer to the article JWT format.
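As an added illustration (not Airlock's code, and not the token layout the JWT format article defines), the following Python sketches both halves of this hand-off: the identity provider signing a token and building the redirect to the security check endpoint with the token in the jwt parameter, and the Gateway-side verification of signature and validity window. The HS256 algorithm, the claim names and the secret value are assumptions; the clock-skew leeway shows why the NTP note above matters.

```python
import base64, hmac, hashlib, json, time
from urllib.parse import urlencode

# Constructed placeholder; the real secret is retrieved from the Gateway (see the subpages).
SHARED_SECRET = b"placeholder-jwt-secret-from-gateway"
SECURITY_CHECK_URL = "https://gw.example.com/airlock/alec_security_check"
LEEWAY = 30  # seconds of tolerated clock skew between gw.example.com and iam.example.com

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """HS256-sign the claims (assumed algorithm; the JWT format article is authoritative)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def redirect_url(token: str) -> str:
    """The URL the browser is sent to: the JWT travels in the 'jwt' query parameter."""
    return f"{SECURITY_CHECK_URL}?{urlencode({'jwt': token})}"

def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Gateway-side check: reject on bad signature, unexpected alg, or a time outside
    the token's validity window. Raises ValueError on failure, returns the claims otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick 'none' or another alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if "exp" not in claims or now > claims["exp"] + LEEWAY:
        raise ValueError("token expired (or Gateway/IAM clocks are not NTP-synchronized)")
    if now + LEEWAY < claims.get("nbf", 0):
        raise ValueError("token not yet valid (or Gateway/IAM clocks are not NTP-synchronized)")
    return claims
```

A Gateway clock that runs a few minutes ahead of the IAM clock makes every freshly issued token fail the exp check, which is the symptom the time-synchronization note is guarding against.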