Configuration
  • Configure the Airlock IAM OAuth 2 Client, i.e. an Oauth2 Target Application: see OAuth 2 / OpenID Connect Configuration: Airlock IAM as Authorization Server
  • One-Shot End-Point in IAM: (Loginapp >> Airlock One-Shot Authentication)
    • Add a target application for the protected service and configure it as follows:
    • Credential Extractor: use plugin Bearer Token HTTP Header Extractor (as Token Credential).
    • Authenticator:  use plugin OAuth 2 Access Token Authenticator with the Authorization Server Settings used in the above Oauth2 target application.
    • Failure Responses: configure responses as desired - always use responses of type FINAL_RESPONSE.
    • Identity Propagator: as required by back-end application.
    • URL pattern: according to the back-end application.
    • Airlock Credentials: Choose sensitive Airlock Gateway (WAF) credential timeouts.

      • Shared One-Shot Configuration

      The one-shot settings can be used for multiple protected services. Choose the URL pattern property to match all services for which the same settings apply.

  • Airlock Gateway (WAF) Configuration
    • Make sure the Gateway (WAF)'s IAM mapping has the allow rules for Oauth2 enabled
    • Create a mapping for the protected service(s)
    • As Denied access URL, use /<iam-mapping-entry-path>/login-oneshot
    • From the Authentication flow drop-down, select One-Shot
    • Enable bearer token session tracking in the Security Gate Expert Settings (on both the IAM mapping and the protected services mapping(s)):
      • Session.Tracking.ExternalToken.Enable                     "TRUE"