To make sure that unauthenticated HTTP requests to the Airlock 2FA self-service result in an HTTP redirect to the Loginapp (JSP), and not the Loginapp REST UI, the Airlock Gateway (WAF) mapping(s) for IAM need to be adapted as follows.
Procedure-related prerequisites
- Access to the IAM mapping configuration on the affected Airlock Gateway (WAF) is required.
- One or more functioning IAM mappings exist.
Restrict access to protected self-services
- 1. Open the Airlock Gateway (WAF) configuration center and log in.
- 2. Open the affected IAM mapping and select the Access tab.
- 3. Add the following entry to the list of Access restrictions:

Property | Value |
HTTP Method | .* |
Path | ^%ENTRYDIR%/ui/app/protected/.* |
Restricted to Roles | authenticated |

Exchange the role authenticated with whatever role(s) are relevant to your setup. Remember that access to Airlock 2FA self-services is granted with the specified role(s). The required role(s) should imply strong user authentication.

- 4. The Authentication flow must be set to Redirect.
- 5. Set the Denied access URL to /%ENTRYDIR%/check-login. This may require selecting the Custom radio button.
- 6. Activate the configuration.
- The Airlock Gateway (WAF) now ensures that unauthenticated requests to the protected self-service part of the IAM are redirected to the Loginapp (JSP).
Verify the configuration
To verify the access restriction configuration, do the following:
- 1. Make sure your browser does not have an authenticated session. Terminate any existing session using the logout URL https://iam.ext.virtinc.com/auth/logout.
- 2. Open the URL https://iam.ext.virtinc.com/auth/ui/app/protected/tokens/airlock-2fa/devices in the browser.
- 3. The browser should now be redirected to the Loginapp (JSP)'s login page.
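
The same check can be scripted so it can be repeated after every configuration activation. The following is an added example, not part of the Airlock documentation: it sends one cookie-less request to the protected URL without following redirects and classifies the response. It assumes the entry directory is /auth (as in the URLs above) and that the redirect target is the Denied access URL set in step 5; the function names `classify` and `probe` are hypothetical.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Values taken from the verification steps on this page.
BASE = "https://iam.ext.virtinc.com"
ENTRY_DIR = "/auth"
PROTECTED = ENTRY_DIR + "/ui/app/protected/tokens/airlock-2fa/devices"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx to the caller instead of following it


def classify(status, location, request_url=BASE + PROTECTED, entry_dir=ENTRY_DIR):
    """Judge one unauthenticated response to the protected self-service path."""
    if 300 <= status < 400:
        target = urlsplit(urljoin(request_url, location or ""))
        same_host = target.netloc == urlsplit(request_url).netloc
        # Assumption: the gateway redirects to the Denied access URL from step 5.
        if same_host and target.path == entry_dir + "/check-login":
            return "ok"
        return "unexpected-redirect"
    if 200 <= status < 300:
        return "not-restricted"  # content was served without authentication
    return "no-redirect"  # e.g. 401/403: check that Authentication flow is Redirect


def probe(url=BASE + PROTECTED):
    """Send one cookie-less GET and return (status, Location header)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, err.headers.get("Location")


if __name__ == "__main__":
    status, location = probe(*sys.argv[1:2])
    verdict = classify(status, location, *sys.argv[1:2])
    print(status, location, verdict)
    sys.exit(0 if verdict == "ok" else 1)
```

A verdict of `not-restricted` means the access restriction from step 3 is not matching the request; `no-redirect` points to step 4.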