- Configure the Airlock IAM OAuth 2 client, i.e. an OAuth 2 target application: see 17.7.2. OAuth 2 / OpenID Connect Configuration: Airlock IAM as Authorization Server.
- One-Shot End-Point in IAM (Loginapp >> Airlock One-Shot Authentication):
  - Add a target application for the protected service and configure it as follows:
    - Credential Extractor: use the plugin Bearer Token HTTP Header Extractor (as Token Credential).
    - Authenticator: use the plugin OAuth 2 Access Token Authenticator with the Authorization Server Settings used in the OAuth 2 target application above.
    - Failure Responses: configure the responses as desired; always use responses of type FINAL_RESPONSE.
    - Identity Propagator: as required by the back-end application.
    - URL pattern: according to the back-end application.
    - Airlock Credentials: choose sensible Airlock Gateway (WAF) credential timeouts.

  Shared One-Shot Configuration
  The one-shot settings can be used for multiple protected services. Choose the URL pattern property so that it matches all services to which the same settings apply.

- Airlock Gateway (WAF) Configuration:
  - Make sure the IAM mapping on the Gateway (WAF) has the allow rules for OAuth 2 enabled.
  - Create a mapping for the protected service(s):
    - As Denied access URL, use `/<iam-mapping-entry-path>/login-oneshot`.
    - From the Authentication flow drop-down, select One-Shot.
    - Enable bearer token session tracking in the Security Gate Expert Settings (on both the IAM mapping and the protected service mapping(s)):

      `Session.Tracking.ExternalToken.Enable "TRUE"`
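Added example, not Airlock's code or configuration: a small Python model of the request flow the checklist above sets up. The gateway keys its session on the bearer token (the Session.Tracking.ExternalToken setting), sends a first-seen token through a one-shot authenticator standing in for the OAuth 2 Access Token Authenticator, answers failures with a final 401 rather than a login redirect, and drops the cached session after the Airlock Credentials timeout. The token table, subjects and the 300-second timeout are constructed sample values.

```python
import hashlib
import time

# Constructed sample of what the authorization server knows about each token.
# The real OAuth 2 Access Token Authenticator asks the server; a dict stands in here.
AUTH_SERVER_TOKENS = {
    "tok-alice-valid": {"sub": "alice", "active": True},
    "tok-bob-revoked": {"sub": "bob", "active": False},
}
# Assumed value for the Airlock Credentials timeout of the target application.
CREDENTIAL_TIMEOUT = 300  # seconds

def extract_bearer(headers):
    """Bearer Token HTTP Header Extractor: return the token, or None if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def one_shot_authenticate(token):
    """One-shot authentication: validate the token once against the authorization server."""
    info = AUTH_SERVER_TOKENS.get(token)
    if info is None or not info["active"]:
        return None  # maps to a failure response of type FINAL_RESPONSE
    return info["sub"]

class Gateway:
    """Protected-service mapping with Authentication flow = One-Shot and
    Session.Tracking.ExternalToken.Enable = TRUE (session keyed by token hash)."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the timeout can be tested
        self.sessions = {}      # sha256(token) -> (subject, expires_at)

    def handle(self, headers):
        """Process one request; return (status, subject)."""
        token = extract_bearer(headers)
        if token is None:
            return 401, None    # no credential: denied, never a login page
        key = hashlib.sha256(token.encode()).hexdigest()
        cached = self.sessions.get(key)
        if cached and cached[1] > self.now():
            return 200, cached[0]  # tracked session: no round trip to IAM
        subject = one_shot_authenticate(token)
        if subject is None:
            self.sessions.pop(key, None)
            return 401, None    # IAM's FINAL_RESPONSE passed through
        self.sessions[key] = (subject, self.now() + CREDENTIAL_TIMEOUT)
        return 200, subject
```

Once a token has a tracked session, a revocation at the authorization server only takes effect when the credential timeout expires, which is why that timeout deserves a deliberate choice.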