Recommended use cases – config contexts
9.2.3.1. Recommended use cases for configuration contexts

The following use-case are good examples of what configuration contexts were designed for.

Common Properties of Recommended Use Cases

  • Configuration context can be extracted from every HTTP request
  • Configuration context extraction works regardless of an HTTP request's IAM URI (e.g. login page, check-login URL, OAuth end-point, or step-up authentication). Exception: Use-Case marked with *.
  • Very similar configuration for each configuration context
Use-Case
Description / Example
Recommendations / Remarks
RU1:
Internal/External Access
Employees access the same protected applications/services internally ("internal access") and from the internet ("external access").
Internal access requires single factor authentication but external access requires strong authentication.
  • Determine configuration context based on Client IP range, Airlock Gateway (WAF) Virtual Host or Gateway (WAF) mapping.
  • Recommended if configuration for internal and external access is very close, i.e. most of the configuration is shared for both situations.
  • Not recommended if the set users with internal access and the set of users with external access are distinct.
Context Extractors for this use-case: "URL Context Extractor", "IP Address Context Extractor".
RU2:
Multiple Similar Tenants
IAM is used for multiple tenants that are very similar. Tenants e.g. only differ in the name of the user table (or directory tree).
  • Multi-tenant setups are typically implemented using multiple IAM instances. Using configuration contexts is a simpler alternative with limited tenant separation (common log files, same version, same operation hours, etc.). It may be the right choice if tenants are very similar in configuration.
  • Not recommended if using different UIs (Loginapp page layouts).
Context Extractors for this use-case: "URL Context Extractor"
RU3:
Client-Certificate (X.509) dependent Configuration
Users are authenticated using client certificates (X.509) and configuration is slightly different depending on the certificate.
Examples:
  • Based on the certificate issuer or the organization attribute of the subject, the user's profile is loaded from a different database table (or directory tree).
  • Users not accessing using a client certificate must use a 2nd factor and have other token self-services available as users accessing with a client certificate.
  • Easiest to understand, if client certificate authentication is the only way users are authenticated (this is for example guaranteed, if the Airlock Gateway (WAF) virtual host or mapping strictly requires a client certificate).
  • Works in combination with alternative authentication methods, but leads to more complex configuration.
  • Be careful when using publicly available IAM features (e.g. self-registration, logout page) accessible without a client certificate.
Context Extractors for this use-case: "Client Certificate Context Extractor"
RU4:
Special Settings for a single IAM URL*
A single IAM page requires slightly different settings than all others.
  • Only works, if the special settings only affect the one page or URL.
  • May be extended to a few pages.
Context Extractors for this use-case: "URL Context Extractor", "Http Parameter Context Extractor".
RU5:
Testing/Demoing
Try out or demonstrate different variants of a feature while keeping most of the configuration constant. Different features may be selected by URL, for example, and can be shown/tested without configuration change or just by changing the context.
  • Works best with configuration differences that have only a very limited scope.
Context Extractors for this use-case: "URL Context Extractor", "Static Context Extractor".
Combined Use-Cases
Use-cases may be combined using extractors that process multiple other context extractors.
Example: Evaluate both the domain (multiple tenants) and the client IP address (internal/external access) to determine the context.
Example: Evaluate first the domain to set and use a configuration context. If the domain does not determine the configuration context, evaluate the client IP address to determine a configuration context.
  • If concatenating configuration contexts: only feasible with very few different extractors as you may have to define a configuration value for all combinations.
  • See recommendations and remarks of the nested context extractor plugins.
Context Extractors for this use-case: "Combining Context Extractor", "Concatenating Context Extractor".