Configuring Airlock IAM

This basic example shows how to configure the authentication of an administrator and provide Airlock Gateway administrative role information in the required JWT to Airlock Gateway using the Airlock IAM Config Editor. For the role information, the example offers two alternatives: you can assign a static Airlock Gateway role (e.g., airlock-administrator) for a simple setup, or you can propagate Airlock Gateway roles from Airlock IAM user roles (e.g., retrieved from a centralized user directory such as LDAP).

Configuring the target application

  1. Go to:
    Loginapp >> Applications and Authentication >> Applications
  2. In the Basic Settings section, Applications property, create a Target Application plugin and edit it as follows:
    1. In the Application ID property, create an Application ID plugin and remember its Display Name for later use in the authentication UI configuration.
    2. In the Authentication Flow property, select an authentication flow that meets the requirements of your organization's system setup.
  3. Go back to the Target Application plugin.
  4. In the Application Selector property, create a Regex Application Selector plugin with https://gw.example.com/airlock/alec_security_check as URI Pattern.
  5. The Target Application has been configured.

Proceed with configuring identity propagation to enable secure user context forwarding.

Configuring identity propagation

  1. Go back to:
    Loginapp >> Applications and Authentication >> Applications
  2. In the Applications property, access the previously created Target Application plugin.
  3. In the Identity Propagation property, create a Generic ID Propagator plugin and edit it as follows:
    • In the Ticket String Provider property, create a Ticket String Provider plugin and edit it as follows:
      • In the Value Providers property, create a User Identity Map plugin.
      • Still in the Value Providers property, create a Roles Provider plugin and edit it as follows, depending on your preferred role source:
        • Option A (static role)
          As a simple setup, you can assign one of the Airlock Gateway administrative roles:
          • In the Role Providers property, create a Static Roles plugin and edit it as follows:
            • In the Roles property, add an administrative role (e.g., airlock-administrator) to the list.
        • Option B (propagated user roles)
          As an alternative to a static role, you can propagate Airlock Gateway administrative roles that are available as Airlock IAM user roles (e.g., retrieved from LDAP):
          1. In the Role Providers property, create an All User Roles plugin.
          2. Go back to the Target Application plugin.
          3. In the Airlock Gateway Roles property, create an Airlock Gateway Roles plugin and edit it as follows:
            • In the Role Provider property, create a Transforming Role Provider plugin and edit it as follows:
              • In the Role Providers property, select the previously created All User Roles plugin from the drop-down menu.
              • In the Role Transformations property, create a Keep Roles plugin and edit it as follows:
                • In the Keep only roles matching property, enter a regular expression into the text field to select the Airlock Gateway administrative roles that are propagated, e.g.:
                  ^(?:airlock-administrator|airlock-app-admin|airlock-app-operator|airlock-auditor|airlock-cert-admin|airlock-config-applier|airlock-config-editor|airlock-readonly|airlock-readonly-restricted|airlock-supervisor)$
  4. Go back to the Ticket String Provider plugin.
  5. In the Key Value Pairs property, create a Ticket Key Value plugin and edit it as follows:
    1. In the Ticket Key property, enter username into the text field.
    2. In the Value Selector property, enter user-id into the text field.
  6. Go back to the Ticket String Provider plugin.
  7. In the Key Value Pairs property, create a Ticket Key Value plugin and edit it as follows:
    1. In the Ticket Key property, enter roles into the text field.
    2. In the Value Selector property, enter roles into the text field.
  8. Go back to the Ticket String Provider plugin.
  9. In the Ticket Encoder property, create a JWT Ticket Encoder plugin and edit it as follows:
    • In the Claim Settings section, perform the following steps:
      1. In the Username Ticket Key property, select username from the drop-down menu.
      2. In the Issuer property, enter Airlock IAM into the text field.
      3. In the Claims Stored As Array property, create a new row and enter roles into the text field.
    • In the Security Settings section, Signer property, create a JWT Ticket HMAC Settings plugin and edit it as follows:
      1. In the HMAC Algorithm property, select HS512 – DEFAULT from the drop-down menu.
      2. In the HMAC Key property, paste the previously retrieved and prepared single-line JWT secret into the text field.
  10. Go back to the JWT Ticket Encoder plugin.
  11. In the Security Settings section, Encrypter property, create a JWT Ticket Direct AES Encryption Settings plugin and edit it as follows:
    1. In the Direct Encryption Method property, select A256CBC_HS512 from the drop-down menu.
    2. In the Encryption Key property, paste the previously retrieved and prepared single-line JWT secret into the text field.
  12. Go back to the Generic ID Propagator plugin.
  13. In the Ticket Adder property, create a Forward Location Parameter Adder with alecAssertion as Ticket Parameter Name.
  14. Identity propagation has been configured, allowing IAM to pass authenticated identity data to the target application.
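
The following added example (not Airlock's own code) shows what the configuration above produces: the Keep Roles regular expression from Option B applied to a user's IAM roles, and the resulting HS512-signed JWT with issuer "Airlock IAM", the username ticket key and the roles claim stored as an array. The claim names, the constructed HMAC key and the sample roles are assumptions; the A256CBC_HS512 encryption layer configured in step 11 is not shown.

```python
import base64
import hashlib
import hmac
import json
import re

# Keep Roles pattern from Option B above: only Airlock Gateway administrative roles pass.
KEEP_ROLES = re.compile(
    r"^(?:airlock-administrator|airlock-app-admin|airlock-app-operator|airlock-auditor|"
    r"airlock-cert-admin|airlock-config-applier|airlock-config-editor|airlock-readonly|"
    r"airlock-readonly-restricted|airlock-supervisor)$"
)

def keep_gateway_roles(user_roles):
    """Transforming Role Provider + Keep Roles: drop IAM roles that are not Gateway roles."""
    return sorted(r for r in user_roles if KEEP_ROLES.match(r))

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_signed_ticket(user_id: str, user_roles, hmac_key: bytes) -> str:
    """HS512-signed JWT as configured in the JWT Ticket Encoder: issuer "Airlock IAM",
    ticket key "username" carrying the user-id, "roles" stored as a JSON array.
    The exact claim names are an assumption for this example."""
    header = {"alg": "HS512", "typ": "JWT"}
    claims = {"iss": "Airlock IAM", "username": user_id, "roles": keep_gateway_roles(user_roles)}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    tag = hmac.new(hmac_key, signing_input.encode(), hashlib.sha512).digest()
    return f"{signing_input}.{_b64url(tag)}"

def verify_signed_ticket(token: str, hmac_key: bytes):
    """Receiver-side check: pin the algorithm, recompute the MAC in constant time,
    and return the claims only when the signature is valid (None otherwise)."""
    try:
        header_b64, claims_b64, tag_b64 = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS512":
        return None  # never let the token choose the algorithm
    expected = hmac.new(hmac_key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, _b64url_decode(tag_b64)):
        return None
    return json.loads(_b64url_decode(claims_b64))
```

Non-Gateway roles such as LDAP group names are stripped before the ticket is built, so the Gateway only ever sees the administrative roles the pattern allows.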

Proceed with configuring the UI to define the login flow and redirection behavior.

Configuring the authentication UI

  1. Go to:
    Loginapp >> UI Settings >> Authentication UIs
  2. In the Flow UIs property, create an Authentication & Authorization UI plugin and edit it as follows:
    1. In the Basic Settings section, Target Application ID property, select the previously created Application ID plugin from the drop-down menu.
    2. In the On Flow Completion section, Target URI Resolver property, create a Target URI Resolver plugin and edit it as follows:
      • In the Default Value property, enter the URL of your integration endpoint into the text field:
        https://gw.example.com/airlock/alec_security_check
  3. Go back to the Authentication & Authorization UI plugin.
  4. In the On Logout property, create a Redirect On Logout plugin and edit it as follows:
    • In the Target property, create a Parameter-based Target URI plugin and edit it as follows:
      • In the Query Parameter URI Extractor property, create a Query Parameter URI Value Extraction plugin with Location as Parameter Name.
  5. Activate your configuration.
  6. The UI configuration is complete, including target application linkage as well as the configuration of redirect URIs for both flow completion and logout scenarios.

Proceed with configuring Airlock Gateway to enable communication with IAM and to complete the setup.