1. Table of contents
1. Airlock Secure Access Hub
1.1. Semantic versioning scheme for Airlock Secure Access Hub components
2. How information is structured in this manual
2.1. Leveled prerequisites
2.2. Warning tiers in this document
2.3. Additional panel types
2.4. Advanced Lucene searches within this online help
3. About Airlock IAM
3.1. Reference architecture
3.2. Overview of IAM interfaces
3.3. IAM modules and databases/directories
4. IAM 7.6 release notes
4.1. Airlock IAM 7.6 - Actions required when upgrading
4.2. Airlock IAM 7.6 - Features removed in this version
4.3. Airlock IAM 7.6 - Deprecation announcement for future releases
4.4. Airlock IAM 7.6 - Changelog
4.5. Upcoming changes in the tagging scheme on Docker Hub
4.6. JSP-Loginapp Deprecation Announcement
5. Security best practices
5.1. Sensitive information
5.2. Separation of IAM modules
5.3. Requirements for a secure configuration
5.3.1. Authentication concepts
5.3.2. Identity propagation
5.3.3. Self-services
5.4. Privilege escalation prevention
5.5. Operating system, Java runtime, network
5.6. Security considerations Docker container usage
5.7. Auditability
5.8. Selection and parametrization of hash functions
5.9. Custom extension development
6. Installation and upgrade
6.1. Quick start guide
6.2. Data sources (databases, directories)
6.2.1. Relational databases for IAM
6.2.2. Generic LDAP directories for IAM
6.2.3. Microsoft Active Directory (MSAD) for Airlock IAM
6.3. Installation on a Linux host system
6.3.1. Hardware and system requirements
6.3.2. Installation with installer script
6.3.3. Manual installation without installer script
6.3.4. Getting started after installation
6.4. IAM as Docker image
6.4.1. Getting the Docker image
6.4.2. Airlock Gateway (WAF) as Docker host
6.4.3. Using the Docker image locally
6.4.4. External secrets
6.4.5. Storage and volumes
6.4.6. Examples
6.4.7. Troubleshooting
6.5. Upgrade Airlock IAM
6.5.1. Upgrade a single installation (standard case)
6.5.2. Upgrade and manage parallel installations (migration case)
6.5.3. Alternative installation arrangements
6.5.4. Airlock Gateway mapping upgrade
7. IAM Operation
7.1. Starting and stopping Airlock IAM (system service integration)
7.1.1. Using systemd
7.2. Sandboxing with profiles
7.2.1. Using profiles
7.3. Airlock IAM log outputs
7.3.1. Log parameters, appenders, and files
7.3.2. Log rotation
7.4. Logging and reporting pipeline (Elasticsearch, Kibana)
7.4.1. Airlock IAM logging API
7.4.2. Reporting with Elasticsearch and Kibana
7.4.3. Integration with container environments (Docker, Kubernetes, Cloud)
7.4.4. Custom log agent/data collector
7.4.5. Log messages
7.5. Monitoring/health checks
7.5.1. Using systemd
7.5.2. Health checks with liveness and readiness probes
7.5.3. Java management extensions (JMX)
7.6. Performance tuning and scaling best practices
7.7. Data backup and restore
7.8. Connection drop with slash and/or backslash in the username
8. Initial configuration
8.1. Application parameters
8.2. Basic configuration tutorials (introductory)
8.2.1. Introduction
8.2.2. Configuration step-by-step walkthrough
8.3. Airlock Gateway and Microgateway configuration for IAM
8.3.1. Airlock Gateway for Airlock IAM configuration
8.3.2. Airlock Microgateway for Airlock IAM configuration
8.3.3. Securing Airlock IAM with HTTPS
8.3.4. Airlock Gateway reports Status 503 or Status 400 when trying to access Airlock IAM (HTTP Header Size)
8.4. User data source configuration (databases and directories)
8.4.1. Configuration of user directories
8.4.2. Configuration of token data storage
8.5. Logging configuration
8.5.1. Logging parameters
8.5.2. Log4j 2 configuration files
8.6. Using custom plugins in Airlock IAM
9. Configuration management
9.1. Configuration environments
9.1.1. Config example scenarios and usage
9.1.2. Activation of configuration environments
9.1.3. Configuration environments in the Config Editor
9.2. Context dependent configuration
9.2.1. Basic preparation steps
9.2.2. How to configure configuration contexts
9.2.3. Best practices - Configuration contexts and context retention policy
9.3. Storing sensitive configuration values externally
9.3.1. Storing sensitive configuration values using the Config Editor
9.3.2. Storing sensitive configuration values using the IAM CLI (command-line interface)
9.3.3. Using standard keystore tools
9.3.4. Technical information
9.4. IAM Config Editor (UI)
9.4.1. Plugin trees
9.4.2. Plugin overview
9.4.3. Plugin properties
9.4.4. Sensitive configuration values (config secrets)
9.4.5. View toggles
9.4.6. Configuration validation
9.4.7. Loading and saving a configuration
9.4.8. Configuration activation timeout
9.4.9. Configuration activation internals
9.4.10. Standalone version of the Config Editor
9.5. IAM Command-Line Interface (CLI)
10. Authentication of end-users
10.1. Interaction models for authentication
10.1.1. Redirect interaction model
10.1.2. REST interaction model
10.1.3. One-shot interaction model
10.2. Authentication methods in IAM
10.2.1. Username and password authentication
10.2.2. Airlock 2FA as the second factor with IAM
10.2.3. FIDO authentication (WebAuthn, U2F, CTAP)
10.2.4. mTAN/SMS authentication
10.2.5. OATH OTP authentication
10.2.6. Cronto authentication (OneSpan)
10.2.7. Digipass OTP authentication (OneSpan)
10.2.8. Matrix card authentication
10.2.9. Kobil AST authentication
10.2.10. ti&m Secure Mobile authentication
10.2.11. Token authentication via RADIUS
10.2.12. Client certificate for browser authentication (X.509)
10.2.13. Front-side Kerberos authentication
10.2.14. Front-side NTLM authentication
10.2.15. Single sign-on (SSO) ticket authentication
10.3. Remember-Me in authentication flows
10.3.1. Keep me logged-in – persistent authentication between sessions
10.3.2. Trust this browser/device – persistent 2nd-factor authentication
10.4. Step-Up authentication
10.4.1. Gateway (WAF)- vs. application-triggered step-up
10.5. Failed login counters and temporary locking
10.5.1. Temporary locking
10.6. Username transformation: Login with multiple IDs
10.6.1. User transformation configuration hints
10.7. Maintenance messages
10.7.1. Managing maintenance messages
10.7.2. Maintenance messages examples in the Loginapp
10.7.3. Maintenance messages usage and limitations
10.7.4. Maintenance Message Locations
10.8. User representation
10.8.1. Terms and definitions in user representation
10.8.2. User representation use cases
10.8.3. User representation system design
10.8.4. User representation flow diagrams
10.9. Event-based subscriber notification
10.9.1. Event producers
10.9.2. Event attributes
10.9.3. Event subscribers
10.9.4. Configuration of event subscriber e-mails
10.10. Actions when the user logs out
11. Self-services for end-users
11.1. Public self-services for end-users
11.1.1. User registration self-service
11.1.2. Unlock self-service
11.2. Protected self-services for end-users
11.2.1. Application portal
11.2.2. User profile self-services
11.2.3. User lockout self-service
12. Target applications and services
12.1. Target application selection
12.2. Access control for end-users (authorization)
12.2.1. Basic access control concepts
12.2.2. Authorization of internal services
12.3. Securing REST APIs/service APIs
12.3.1. Using the flow authentication API with Airlock Gateway (WAF) sessions
12.3.2. Using the flow authentication API with JWTs and one-shot authentication
12.3.3. Using Device Tokens to authenticate mobile apps
12.3.4. Using OAuth 2 for native apps (RFC 8252)
12.4. Identity propagation
12.5. Terms of service (ToC)
12.6. PSD2 support
12.6.1. PSD2 support in Airlock IAM
12.6.2. NextGenPSD2 (Berlin Group) with Airlock Secure Access Hub
12.6.3. STET PSD2 with Airlock components
12.6.4. Technical client in IAM and tech-clients REST API
12.6.5. Getting issuer certificates for PSD2
12.6.6. Technical client interceptors (custom plugin)
13. OAuth 2.0 and OpenID Connect overview
13.1. Conceptual overview of OAuth 2.0/OIDC
13.1.1. OAuth 2.0 grant types
13.1.2. Recommendations for designing solutions in the OAuth 2.0 framework
13.1.3. OAuth and OIDC security best practices
13.1.4. Terms and definitions
13.2. Supported features (OAuth 2.0/OIDC)
13.3. AS-centric OAuth 2.0 and OIDC
13.3.1. Conceptual overview of the AS-centric OAuth 2.0 and OIDC
13.3.2. Usage of the AS-centric authorization server
13.4. Client-centric OAuth 2.0/OIDC
13.4.1. OAuth 2.0 / OpenID Connect authorization Code Grant (Client-centric)
13.4.2. OAuth 2.0 Implicit Grant (Client-centric)
13.4.3. OAuth 2.0 Token Introspection Endpoint (client-centric)
13.4.4. OAuth 2.0 Token Revocation endpoint (client-centric)
13.5. Airlock IAM as OAuth 2.0/OIDC client
13.5.1. Airlock IAM as client (OAuth 2.0/OIDC)
13.5.2. Account linking overview
13.5.3. OAuth 2.0 SSO with single-page applications - a configuration example
14. SAML 2.0 (conceptual information)
14.1. SAML terms and definitions
14.2. SAML web browser SSO with POST binding
14.3. SAML web browser SSO with HTTP artifact binding
14.4. SAML Single logout (SLO)
14.5. How to set up a proxy for SAML artifact binding
14.6. Troubleshooting SAML
14.6.1. AuthnContext doesn't match RequestedAuthnContext
14.6.2. Missing default AssertionConsumerService in SP metadata
14.6.3. SLO exception in debug mode
14.6.4. AuthnRequest for an unknown target application
14.6.5. Entity IDs do not match
14.6.6. SLO not working in SP
14.6.7. Host flag not set or using without FQDN
14.6.8. MetaAlias missing or entity IDs do not match
14.6.9. NullPointerException processing SAML assertion in SP
14.6.10. Mismatch in CoT list definition
14.6.11. IDP entity ID not found in SP
15. API access control with Airlock Secure Access Hub
15.1. Solution overview
15.1.1. Terms and definitions
15.1.2. Request processing (sequence diagram)
15.1.3. API access control - how it works in detail
15.2. Tech-Client management
15.2.1. Profile management
15.2.2. Plan management
15.2.3. API key management
15.3. API access control configuration for Airlock IAM and Airlock Gateway
15.3.1. Configure the Airlock IAM API policy service
15.3.2. Configure Tech-Client management in Airlock IAM
16. Flows as Airlock IAM concept
16.1. General information about Airlock IAM flows
16.1.1. Flow processing internals
16.1.2. Flow Engine interaction with REST API
16.1.3. Mapping Flow steps to REST API next step codes
16.1.4. Session tracking
16.2. Flow step properties
16.3. Flow tags and red flags
16.4. Flow selection and conditions
16.5. Goto (flow concept)
16.6. Dynamic step activation (DSA) - flow concept
16.7. Failed factor attempts
16.8. Flow error handling
16.9. Protected Flows
17. Loginapp (module)
17.1. JSP-Loginapp vs. Loginapp REST UI
17.2. Loginapp REST API
17.2.1. REST API service overview
17.2.2. Authentication REST API
17.2.3. User self-registration REST API
17.2.4. Public self-service flows REST APIs
17.2.5. Protected REST APIs (self-services)
17.2.6. SAML IDP setup with the Loginapp REST API
17.3. Loginapp REST UI
17.3.1. Loginapp REST UI configuration
17.3.2. Loginapp REST UI SDK for REST UI customization
17.3.3. Content Security Policy for the Loginapp REST UI
17.4. JSP-Loginapp
17.4.1. Authentication (JSP-Loginapp)
17.4.2. Self-services (JSP-Loginapp)
17.4.3. Securing applications with the JSP-Loginapp
17.4.4. Application portal (JSP-Loginapp)
17.4.5. Using OAuth and OIDC with the Loginapp
17.4.6. SAML configuration in the JSP-Loginapp
17.4.7. Consent management (GDPR)
17.4.8. Maintenance messages in the JSP-Loginapp
17.4.9. User representation configuration in the JSP-Loginapp
17.4.10. Customizing text elements in the Loginapp (JSP)
17.4.11. Customizing UI (look and feel) of the JSP-Loginapp
17.4.12. Content Security Policy for the JSP-Loginapp
17.5. Migrating from the JSP-Loginapp to the Loginapp REST UI
17.5.1. Loginapp migration - why migrate?
17.5.2. Loginapp migration - when to migrate?
17.5.3. Loginapp migration - how to migrate?
17.5.4. Loginapp migration - where to get help?
17.5.5. JSP-Loginapp migration - feature reference
17.5.6. Features discontinued with the JSP-Loginapp
17.6. HTTP request authentication (Airlock One-Shot flow)
17.6.1. One-Shot Configuration
17.6.2. ti&m secure mobile one-shot configuration
17.6.3. Front-Side Kerberos configuration (one-shot flow)
17.6.4. NTLM configuration (one-shot flow)
17.6.5. MS-OFBA configuration as one-shot target application
17.7. OAuth 2.0 / OIDC configuration
17.7.1. OAuth AS configuration - AS-centric
17.7.2. OAuth AS configuration - client-centric
17.7.3. Airlock IAM as OAuth 2.0/OIDC client configuration
17.8. HTTP Basic Auth interface
17.9. Event notification settings in the Loginapp
18. Adminapp (module)
18.1. Adminapp REST API
18.2. Airlock 2FA token management configuration
18.3. FIDO token management configuration
18.4. Cronto Token Controller configuration
18.5. Digipass OTP tokens in user management (Adminapp)
18.6. Digipass OTP tokens in token management (Adminapp)
18.7. Matrix card management in the Adminapp
18.8. ti&m token management in the Adminapp
18.9. Remember-Me configuration in Adminapp
18.10. Generic token controller for token management in the Adminapp
18.10.1. Generic token controller
18.10.2. Generic token UI
18.10.3. Generic token REST endpoint
18.11. Maintenance messages in the Adminapp
18.12. User-group dependent settings
18.13. Admin roles and user groups in Adminapp
18.13.1. Role-based access control
18.13.2. Segregation of duties
18.13.3. Segregation of users
18.13.4. Privilege escalation protected administrator roles (PEPAR) in the Adminapp
18.14. Realm administration
18.14.1. Conceptual overview of Realm Administration
18.14.2. Configuration of Realm Administration
18.14.3. Usage of Realm Administration
18.15. Event notification settings in the Adminapp
18.16. Customizing text elements in the Adminapp
19. Service Container (module)
19.1. RADIUS server
19.1.1. Configure the RADIUS server for Airlock 2FA
19.2. Cronto activation letter generation
19.3. Airlock 2FA letter generation task
19.4. Matrix card generation in the Service Container
19.5. Customizing text elements in the Service Container
19.6. Remember-Me token cleanup task configuration
20. Transaction approval (module)
20.1. Transaction approval REST API
20.1.1. User identifying step
20.1.2. Parameter step and message providers
20.1.3. Selection of authentication token and AuthTokenId usage
20.1.4. Approval steps
20.1.5. Message provider configuration
20.1.6. Authentication of the delegating entity (REST client authentication)
20.1.7. Transaction approval with Airlock 2FA
20.1.8. Transaction approval with mTAN (SMS)
20.1.9. Transaction approval with Cronto Push
20.2. Customizing text elements in the Transaction Approval module
20.3. Customizing Cronto message formatting for the Transaction Approval module
21. REST APIs provided by IAM
21.1. Enforce SSL/TLS mutual authentication on REST endpoints
21.1.1. Client certificate authentication
21.1.2. Client authentication configuration options
21.1.3. Certificate token authenticator configuration
22. Customizing UIs and texts
22.1. Changing text elements
22.2. Customizing the Loginapp UI (look and feel)
22.3. Report templates based on Word documents
22.3.1. Plugins
22.3.2. Parameter replacement
22.3.3. Further examples using MessageFormat
22.3.4. Extra information in password (and similar) letters
23. Third-party licenses