Step 2 - Configure the target application

To transport the identity and the roles of the authenticated user from the Loginapp (JSP) to the Loginapp REST UI, a target application with a suitable identity propagator must be configured.

Procedure-related prerequisites

  • You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.

Add the target application

  • 1.
    Go to:
    MAIN SETTINGS >> Application Settings
    (or alternatively to Loginapp >> Application Settings)
  • 2.
    Add a new target application of type Target Application using Identity Propagator with the following properties:
  • Property | Value
    Identifier | Choose a unique identifier such as Self-services in SPA Loginapp.
    Default URL | (see step 3)
    Application Entry URLs | (see step 3)
    URL Pattern | (see step 3)
    Required Roles | authenticated (see step 3)
    Identity Propagator | Add a plugin of type Cookie Ticket Identity Propagator.

    How to configure the plugin is described in detail below.

  • 3.
    Review the other target application settings and set them according to your environment and needs.
  • In this example, we require the role authenticated to access the self-service UI. It is therefore added in property Required Roles.

  • The target application is now ready except for the identity propagator configuration. Follow the instructions below.

Configure the identity propagation

Identity propagation from the Loginapp (JSP) to the Loginapp REST UI can be done in different ways. This example uses a signed JWT transported in an HTTP cookie. This choice has the following security-relevant properties:

  • The HTTP cookie is stored in the cookie store of the Airlock Gateway (WAF) session and is therefore never sent to the browser.
  • The recipient, i.e., the Loginapp REST UI, can verify that the ticket was issued by the Loginapp (JSP): it checks the signature (which requires the shared HMAC key) and the Issuer attribute of the JWT.
  • 1.
    Go to:
    the Cookie Ticket Identity Propagator that you just added (see above).
  • 2.
    Use the following properties in the plugin:
  • Property | Value
    Identifier | JSP to SPA Session Ticket
    Cookie Name | JSP_TO_SPA_TICKET (this is the cookie name checked in the verification section below)
    Ticket Service | Use a Mapping Ticket Service plugin with the following mappings in property Content from Authentee:
    • Map Value Reference @username to Ticket Key username and make it mandatory.
    • Map Value Reference @roles to Ticket Key roles.
    Ticket Encoder | Use a JWT Ticket Encoder plugin and configure it as described in the next step.
  • 3.
    In the JWT Ticket Encoder plugin use the following settings:
  • Property | Value
    Identifier | HTML to SPA Ticket Encoder
    Username Ticket Key | username (the Ticket Key chosen in the mapping above)
    Issuer | Airlock IAM (the value the Loginapp REST UI checks when verifying the ticket)
    Signature Settings | Use a plugin of type JWT Ticket HMAC Settings and choose a corresponding HMAC key.

    You will need the same key again when configuring the signature verification plugin in Step 3 - Configure REST authentication flow for ticket extraction; a verifier configured with a different key rejects every ticket.

  • 4.
    Activate the configuration.
  • The configuration part concerning the Loginapp (JSP) is now complete.
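The following stand-alone Python sketch is an added example and not Airlock IAM code; it shows what the configuration above amounts to at the protocol level. The Loginapp (JSP) side maps @username (mandatory) and @roles into the ticket keys username and roles, sets the Issuer to Airlock IAM and signs the JWT with the shared HMAC key; the Loginapp REST UI side accepts the ticket from the JSP_TO_SPA_TICKET cookie only after the signature and the Issuer check pass, and the target application's Required Roles check is applied afterwards. HS256 as the HMAC variant, the key value, the exact claim layout and all function names are assumptions of this example, not details taken from the product.

```python
import base64
import hashlib
import hmac
import json

COOKIE_NAME = "JSP_TO_SPA_TICKET"   # Cookie Name of the Cookie Ticket Identity Propagator
ISSUER = "Airlock IAM"              # Issuer of the JWT Ticket Encoder
REQUIRED_ROLES = {"authenticated"}  # Required Roles of the target application
# Assumed shared secret standing in for the key chosen in JWT Ticket HMAC Settings.
SHARED_KEY = b"example-only-hmac-key-do-not-use"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def encode_ticket(authentee: dict, key: bytes = SHARED_KEY, issuer: str = ISSUER) -> str:
    """Loginapp (JSP) side: Mapping Ticket Service followed by the JWT Ticket Encoder (assumed HS256)."""
    # @username -> username is mandatory, @roles -> roles is optional (empty list if absent)
    if not authentee.get("username"):
        raise ValueError("mandatory ticket key 'username' is missing")
    payload = {"iss": issuer, "username": authentee["username"], "roles": list(authentee.get("roles", []))}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{compact_json(header)}.{compact_json(payload)}"
    signature = hs256(signing_input.encode("ascii"), key)
    return f"{signing_input}.{b64url_encode(signature)}"


def verify_ticket(token: str, key: bytes = SHARED_KEY, expected_issuer: str = ISSUER) -> dict:
    """Loginapp REST UI side: signature first, then Issuer, then mandatory content. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed ticket")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")      # rejects alg=none and algorithm confusion
    expected = hs256(f"{header_b64}.{payload_b64}".encode("ascii"), key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")       # wrong key, or header/payload tampered with
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("unexpected issuer")   # valid signature but not from the Loginapp (JSP)
    if not claims.get("username"):
        raise ValueError("username missing")
    return claims


def has_required_roles(claims: dict, required: set = REQUIRED_ROLES) -> bool:
    """The target application's Required Roles check on the propagated roles."""
    return required.issubset(set(claims.get("roles", [])))


def consume_cookie_store(cookie_store: dict) -> dict:
    """What the REST UI does with the Gateway cookie store: take JSP_TO_SPA_TICKET and verify it."""
    if COOKIE_NAME not in cookie_store:
        raise ValueError(f"cookie {COOKIE_NAME} not present in cookie store")
    claims = verify_ticket(cookie_store[COOKIE_NAME])
    if not has_required_roles(claims):
        raise ValueError("required role missing")
    return claims


if __name__ == "__main__":
    # Constructed sample: the cookie store content after a successful JSP login.
    store = {COOKIE_NAME: encode_ticket({"username": "alice", "roles": ["authenticated"]})}
    print(consume_cookie_store(store))
```

Note the order of checks in verify_ticket: nothing in the payload, not even the Issuer, is trusted before the signature has been verified with the key from the HMAC settings, and the alg header is pinned so that a ticket claiming alg none or another algorithm is rejected outright.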

Verify the configuration

To verify the configuration, you may do the following:

  • Make sure your browser does not have an authenticated session. Terminate an existing session using the logout URL.
  • Open the URL
  • This results in an error or in the login page of the Loginapp REST UI being displayed, because the Loginapp REST UI has not yet been configured to extract the ticket (this is done in Step 3).

  • Open the Airlock Gateway (WAF) configuration center and go to Log & Report >> Session Viewer
  • Choose your session and click on it to view the details.
  • Verify that the Cookie Store contains a cookie with the name JSP_TO_SPA_TICKET.

Additionally, the Loginapp log files may be used for verification and troubleshooting. The following log statements are relevant:

  • The choice of the target application:
  • Choosing target application with URL pattern "^https://iam.ext.virtinc.comauth/ui/app/protected/.*$" because it matches the forward location "https://airlock/auth/ui/app/protected/tokens/airlock-2fa/devices"

  • Identity propagation:
  • Setting authentication ticket as cookie: JSP_TO_SPA_TICKET path="/" domain="" secure-flag: false
    The missing secure flag is acceptable in this setup only because the cookie is kept in the cookie store of the Airlock Gateway (WAF) session and never reaches the browser (see "Configure the identity propagation" above); if the ticket cookie were ever exposed to the browser, the flag would have to be set.

  • Redirection to Airlock 2FA self-service URL in the Loginapp REST UI:
  • Redirecting user to follow page ""