IAM mappings
8.3.1.1. Configuration of IAM mappings

Upload mapping templates to Airlock Gateway

Using and adapting the basic Loginapp mapping (Airlock-IAM-Loginapp)

  • After uploading the templates, adapt the basic template:
  • 1.
    Set the entry- and back-end paths:
    • Change the entry path to your needs. The default value /auth will work with most other Airlock IAM tutorials and is recommended to be used.
    • Change the back-end path to point to the corresponding Loginapp instance's context path (for example /prod-login).

    To find out the context path of a Loginapp, you may use the following CLI command:

    iam info -i auth | grep iam.loginapp.url.path
  • 2.
    Change to the Allow Rules tab of the mapping and activate the allow rules corresponding to all required Loginapp functionalities. For security reasons, only activate those allow-rules that are needed.
  • Example:

    128671609.png
  • 3.
    Connect the Airlock IAM mapping to a virtual host and a back-end group.
  • 4.
    Activate the configuration.

Using the API Enforcement feature to protect IAM's Loginapp REST API

  • The Airlock Gateway's API Enforcement feature validates each REST request against the OpenAPI specification (OAS) of an API.
  • IAM provides an OpenAPI Specification (OAS) file with each version: see 8.3.1.3. OpenAPI specification for details.

After preparing and uploading the OpenAPI specification to the Airlock Gateway (according to 8.3.1.3. OpenAPI specification), make sure to update the IAM OpenAPI specification when upgrading.

CSRF protection

  • CSRF token protection of Airlock Gateway:
  • The gateway CSRF token protection feature is activated on all Loginapp REST mappings when using the mapping template 7.6 and newer.
  • This may require small changes to custom single-page applications to handle possible CSRF blocks. If this is not possible, the CSRF protection on these mappings can be disabled to return to the previous behavior.