Configuring Airlock IAM

This basic example shows how to configure the authentication of an administrator and provide the static role airlock-administrator in the required JWT to Airlock Gateway using the Airlock IAM Config Editor. Note that in production environments, role information is typically retrieved from a centralized user directory and mapped to the appropriate Airlock Gateway role.

Configuring the target application

  1. Go to:
    Loginapp >> Applications and Authentication >> Applications
  2. In the Basic Settings section, Applications property, create a Target Application plugin and edit it as follows:
    1. In the Application ID property, create an Application ID plugin and remember its Display Name for later use in the authentication UI configuration.
    2. In the Authentication Flow property, select an authentication flow that meets the requirements of your organization's system setup.
  3. Go back to the Target Application plugin.
  4. In the Application Selector property, create a Regex Application Selector plugin with https://gw.example.com/airlock/alec_security_check as URI Pattern.
  5. The Target Application has been configured.

Proceed with configuring identity propagation to enable secure user context forwarding.

Configuring identity propagation

  1. Go back to:
    Loginapp >> Applications and Authentication >> Applications
  2. In the Applications property, access the previously created Target Application plugin.
  3. In the Identity Propagation property, create a Generic ID Propagator plugin and edit it as follows:
    • In the Ticket String Provider property, create a Ticket String Provider plugin and edit it as follows:
      1. In the Value Providers property, create a User Identity Map plugin.
      2. In the Value Providers property, create a Roles Provider plugin and edit it as follows:
  4. Go back to the Ticket String Provider plugin.
  5. In the Key Value Pairs property, create a Ticket Key Value plugin and edit it as follows:
    1. In the Ticket Key property, enter username into the text field.
    2. In the Value Selector property, enter user-id into the text field.
  6. Go back to the Ticket String Provider plugin.
  7. In the Key Value Pairs property, create a Ticket Key Value plugin and edit it as follows:
    1. In the Ticket Key property, enter roles into the text field.
    2. In the Value Selector property, enter roles into the text field.
  8. Go back to the Ticket String Provider plugin.
  9. In the Ticket Encoder property, create a JWT Ticket Encoder plugin and edit it as follows:
    • In the Claim Settings section, perform the following steps:
      1. In the Username Ticket Key property, select username from the drop-down menu.
      2. In the Issuer property, enter Airlock IAM into the text field.
      3. In the Claims Stored As Array property, create a new row and enter roles into the text field.
    • In the Security Settings section, Signer property, create a JWT Ticket HMAC Settings plugin and edit it as follows:
      1. In the HMAC Algorithm property, select HS512 – DEFAULT from the drop-down menu.
      2. In the HMAC Key property, paste the previously retrieved and prepared single-line JWT secret into the text field.
  10. Go back to the JWT Ticket Encoder plugin.
  11. In the Security Settings section, Encrypter property, create a JWT Ticket Direct AES Encryption Settings plugin and edit it as follows:
    1. In the Direct Encryption Method property, select A256CBC_HS512 from the drop-down menu.
    2. In the Encryption Key property, paste the previously retrieved and prepared single-line JWT secret into the text field.
  12. Go back to the Generic ID Propagator plugin.
    • In the Ticket Adder property, create a Forward Location Parameter Adder with alecAssertion as Ticket Parameter Name.
  13. Identity propagation has been configured, allowing IAM to pass authenticated identity data to the target application.
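The steps above describe a nested token: an HS512-signed JWT carrying the claims username, roles (stored as an array) and the issuer Airlock IAM, wrapped in a JWE with direct A256CBC-HS512 encryption and handed to the Gateway in the alecAssertion parameter. The Go program below is an added illustration, not code from Airlock or from this guide: it builds such a token with only the standard library and then performs the checks a receiving endpoint should make on it (authentication tag before decryption, pinned inner algorithm, signature, issuer, required role). It assumes the pasted JWT secret is exactly 64 bytes and is used as-is for both HS512 and A256CBC-HS512; how Airlock IAM derives keys from the configured secret is not covered here, and in the real setup the verification is done by Airlock Gateway.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"strings"
)

// Constructed 64-byte secret standing in for the single-line JWT secret the guide pastes into
// both the HMAC Key and the Encryption Key property. Assumption: it is exactly 64 bytes, so it
// serves directly as the A256CBC-HS512 key (MAC key || AES key) and as the HS512 HMAC key.
var secret = []byte("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
var b64 = base64.RawURLEncoding

// signHS512 builds the inner JWS with the claims the guide configures: issuer, username, roles as array.
func signHS512(username string, roles []string) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS512","typ":"JWT"}`))
	claims, _ := json.Marshal(map[string]interface{}{"iss": "Airlock IAM", "username": username, "roles": roles})
	signingInput := header + "." + b64.EncodeToString(claims)
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// authTag: A256CBC-HS512 tag (RFC 7518 5.2.2.1), HMAC-SHA-512 over AAD||IV||CT||AL, first 32 bytes.
func authTag(macKey, aad, iv, ct []byte) []byte {
	al := make([]byte, 8) // AAD length in bits, 64-bit big-endian
	binary.BigEndian.PutUint64(al, uint64(len(aad))*8)
	mac := hmac.New(sha512.New, macKey)
	mac.Write(aad); mac.Write(iv); mac.Write(ct); mac.Write(al)
	return mac.Sum(nil)[:32]
}

// encryptDirect wraps the JWS in a compact JWE (alg "dir", enc "A256CBC-HS512"): the nested token.
func encryptDirect(jws string) (string, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil || len(secret) != 64 {
		return "", errors.New("need a 64-byte secret and a random IV")
	}
	macKey, encKey := secret[:32], secret[32:]
	protected := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256CBC-HS512","cty":"JWT"}`))
	pad := aes.BlockSize - len(jws)%aes.BlockSize // PKCS#7 padding
	plain := append([]byte(jws), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	tag := authTag(macKey, []byte(protected), iv, ct)
	return strings.Join([]string{protected, "", b64.EncodeToString(iv), b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// decryptAndVerify is the receiving side's check: authenticate and decrypt the JWE, pin the inner
// alg to HS512, verify the signature, then enforce the issuer and the required role.
func decryptAndVerify(jwe, requiredRole string) (string, error) {
	parts := strings.Split(jwe, ".")
	if len(secret) != 64 || len(parts) != 5 || parts[1] != "" {
		return "", errors.New("not a dir-encrypted compact JWE")
	}
	macKey, encKey := secret[:32], secret[32:]
	iv, _ := b64.DecodeString(parts[2])
	ct, _ := b64.DecodeString(parts[3])
	tag, _ := b64.DecodeString(parts[4])
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 ||
		!hmac.Equal(tag, authTag(macKey, []byte(parts[0]), iv, ct)) {
		return "", errors.New("JWE authentication tag mismatch") // check the tag before decrypting
	}
	block, _ := aes.NewCipher(encKey)
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	pad := int(plain[len(plain)-1])
	if pad < 1 || pad > aes.BlockSize {
		return "", errors.New("bad padding")
	}
	seg := strings.Split(string(plain[:len(plain)-pad]), ".")
	var hdr struct{ Alg string `json:"alg"` }
	if h, _ := b64.DecodeString(seg[0]); len(seg) != 3 || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS512" {
		return "", errors.New("inner token must be a JWS with alg HS512") // no alg substitution
	}
	mac := hmac.New(sha512.New, secret)
	mac.Write([]byte(seg[0] + "." + seg[1]))
	if sig, _ := b64.DecodeString(seg[2]); !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("JWS signature mismatch")
	}
	var claims struct { Iss string `json:"iss"`; Username string `json:"username"`; Roles []string `json:"roles"` }
	if p, _ := b64.DecodeString(seg[1]); json.Unmarshal(p, &claims) != nil || claims.Iss != "Airlock IAM" {
		return "", errors.New("bad claims or unexpected issuer")
	}
	for _, r := range claims.Roles {
		if r == requiredRole { return claims.Username, nil }
	}
	return "", errors.New("required role " + requiredRole + " not present")
}
```

Calling decryptAndVerify(encryptDirect(signHS512("alice", []string{"airlock-administrator"})), "airlock-administrator") returns "alice"; the same token is rejected for a role it does not carry, a token whose ciphertext was altered fails the authentication tag before any decryption happens, and a bare unencrypted JWS is refused because the Gateway side expects the five-part JWE. Note that the roles claim is checked as an array, matching the Claims Stored As Array setting, and that the inner header's alg is pinned rather than trusted.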

Proceed with configuring the UI to define the login flow and redirection behavior.

Configuring the authentication UI

  1. Go to:
    Loginapp >> UI Settings >> Authentication UIs
  2. In the Flow UIs property, create an Authentication & Authorization UI plugin and edit it as follows:
    1. In the Basic Settings section, Target Application ID property, select the previously created Application ID plugin from the drop-down menu.
    2. In the On Flow Completion section, Target URI Resolver property, create a Target URI Resolver plugin and edit it as follows:
      • In the Default Value property, enter the URL of your integration endpoint into the text field:
        https://gw.example.com/airlock/alec_security_check
  3. Go back to the Authentication & Authorization UI plugin.
  4. In the On Logout property, create a Redirect On Logout plugin and edit it as follows:
    • In the Target property, create a Parameter-based Target URI plugin and edit it as follows:
      • In the Query Parameter URI Extractor property, create a Query Parameter URI Value Extraction plugin with Location as Parameter Name.
  5. Activate your configuration.
  6. The UI configuration is complete, including target application linkage as well as the configuration of redirect URIs for both flow completion and logout scenarios.

Proceed with configuring Airlock Gateway to enable communication with IAM and to complete the setup.