IAM as OAuth / OIDC client
13.5.1. Airlock IAM as client (OAuth 2.0/OIDC)

The settings for Airlock IAM as an OAuth 2.0 or OIDC client are located here:

  • Go to Loginapp >> SAML / OAuth 2.0 + OpenID Connect / Front Side Kerberos / One Shot.
  • Create an OAuth 2.0/OIDC Clients plugin in the OAuth 2.0/OIDC Clients settings.

This plugin allows Airlock IAM to connect to a foreign OAuth 2.0 authorization server or OpenID Connect provider.

Prerequisites

OAuth 2.0 clients must be registered manually at the remote authorization server. During registration, the remote authorization server issues a client ID and a randomly generated client secret to the client. The values entered in the Airlock IAM configuration must match these exactly; otherwise the remote server rejects the client when it authenticates at the token endpoint.

Using remote usernames, roles, and context data items

Airlock IAM as a client should be able to use the username, roles, and context data items provided by the remote authorization server. This is achieved by configuring resource mappings that map remote resources onto the local user.

To identify the user authenticated by the foreign authorization server, a resource mapping that defines the username must be configured.

In addition to the username any other resources available may be mapped at login:

  • User role resources will map their values into the authentee roles of the user logging in.
  • User context data resources will map their values into the authentee context data.

To avoid ambiguity and to guarantee a valid username, exactly one Remote Username Resource must be configured per client: with none, the user cannot be identified; with more than one, it would be unclear which value identifies the user.

With OpenID Connect, a claim from the ID token can be used as the source of a mapping instead of requesting a remote resource, since the ID token is delivered to the client together with the token response.
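The following is an added example, not Airlock IAM code, illustrating the two points above in working form: the client secret issued at registration is what the client-side ID token check depends on, and the resource mappings (exactly one username, optional roles and context data) are applied to ID token claims rather than to a separately requested remote resource. The provider stand-in, the HS256 keying with the client secret (an option OIDC Core allows), the mapping dictionary format, and all names, URLs and token values are assumptions constructed for this example.

```python
"""Added example (not Airlock IAM code): an OIDC client verifying an ID token
and mapping its claims onto a local user as the resource mappings describe.
The mapping format, names and token contents are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed client registration data. In a real deployment these are issued
# by the remote authorization server and must match the configuration exactly.
CLIENT_ID = "airlock-iam-demo"
CLIENT_SECRET = "s3cr3t-issued-by-remote-as"   # constructed, not a real secret
ISSUER = "https://op.example.com"              # constructed issuer URL


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, client_secret):
    """Stand-in for the provider: an HS256 JWT keyed with the client secret."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """Client-side checks: signature with the configured secret, then iss, aud,
    nonce and exp. A client secret that differs from the issued one fails here."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pin the algorithm we configured
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature (client secret mismatch?)")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("audience mismatch")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


class MappingError(Exception):
    pass


def map_remote_user(claims, mappings):
    """Apply resource mappings to ID token claims. Assumed mapping format:
    {"type": "username" | "role" | "context", "claim": <remote claim>,
     "key": <local context data key, context mappings only>}.
    Exactly one username mapping is enforced; the rest are optional."""
    username_maps = [m for m in mappings if m["type"] == "username"]
    if len(username_maps) != 1:
        raise MappingError(f"exactly one username mapping required, got {len(username_maps)}")
    username = claims.get(username_maps[0]["claim"])
    if not isinstance(username, str) or not username:
        raise MappingError("username claim missing or not a string")
    user = {"username": username, "roles": [], "context": {}}
    for m in mappings:
        value = claims.get(m["claim"])
        if value is None:
            continue                            # absent optional resource: skip, do not fail
        if m["type"] == "role":
            values = value if isinstance(value, list) else [value]
            user["roles"].extend(str(v) for v in values)
        elif m["type"] == "context":
            user["context"][m["key"]] = value
    return user


MAPPINGS = [  # constructed configuration for the demo
    {"type": "username", "claim": "preferred_username"},
    {"type": "role", "claim": "groups"},
    {"type": "context", "claim": "email", "key": "mail"},
    {"type": "context", "claim": "department", "key": "dept"},  # not present in the token below
]


def demo_login(now=1_700_000_000):
    """Round trip on a constructed token: verify it, then map it to a local user."""
    nonce = "n-0S6_WzA2Mj"
    token = make_id_token({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "248289761001", "nonce": nonce,
        "iat": now, "exp": now + 300,
        "preferred_username": "jdoe", "groups": ["finance", "auditors"],
        "email": "jdoe@example.com",
    }, CLIENT_SECRET)
    claims = verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, nonce, now=now)
    return map_remote_user(claims, MAPPINGS)


if __name__ == "__main__":
    print(json.dumps(demo_login(), indent=2))
```

The absent `department` claim is skipped rather than treated as an error, while a missing or duplicated username mapping is rejected, which mirrors the rule that roles and context data are optional but the username source must be unambiguous.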

Multiple clients

It is possible to configure multiple clients, each connecting to a different remote authorization server. The user can then choose which authorization server to authenticate against.

For each client it can be configured whether it is displayed on the login page.