Table of contents

1. Airlock Secure Access Hub
  1.1. Semantic versioning scheme for Airlock Secure Access Hub components
2. About this document
  2.1. How information is structured in this manual
  2.2. Warning tiers in this document
  2.3. Additional panel types
  2.4. Advanced Lucene searches within this online help
3. About Airlock IAM
  3.1. Reference architecture
  3.2. Overview of IAM interfaces
  3.3. IAM modules and databases/directories
4. IAM 7.7 release notes
  4.1. Airlock IAM 7.7 - Actions required when upgrading
  4.2. Airlock IAM 7.7 - Features removed in this version
  4.3. Airlock IAM 7.7 - Deprecation announcement for future releases
  4.4. Airlock IAM 7.7 - Changelog
  4.5. Upcoming changes in the tagging scheme on Docker Hub
  4.6. JSP-Loginapp Deprecation Announcement
5. Security best practices
  5.1. Sensitive information
  5.2. Separation of IAM modules
  5.3. Requirements for a secure configuration
    5.3.1. Authentication concepts
    5.3.2. Identity propagation
    5.3.3. Self-services
  5.4. Privilege escalation prevention
  5.5. Operating system, Java runtime, network
  5.6. Security considerations Docker container usage
  5.7. Auditability
  5.8. Selection and parametrization of hash functions
  5.9. Custom extension development
6. Installation and upgrade
  6.1. Quick start guide
  6.2. Data sources (databases, directories)
    6.2.1. Relational databases for IAM
    6.2.2. Generic LDAP directories for IAM
    6.2.3. Microsoft Active Directory (MSAD) for Airlock IAM
  6.3. Installation on a Linux host system
    6.3.1. Hardware and system requirements
    6.3.2. Installation with installer script
    6.3.3. Manual installation without installer script
    6.3.4. Getting started after installation
  6.4. IAM as Docker image
    6.4.1. Getting the Docker image
    6.4.2. Airlock Gateway (WAF) as Docker host
    6.4.3. Using the Docker image locally
    6.4.4. External secrets
    6.4.5. Storage and volumes
    6.4.6. Examples
    6.4.7. Troubleshooting
  6.5. Upgrade Airlock IAM
    6.5.1. Upgrade a single installation (standard case)
    6.5.2. Upgrade and manage parallel installations (migration case)
    6.5.3. Alternative installation arrangements
    6.5.4. Airlock Gateway mapping upgrade
    6.5.5. Preparing IAM 7.7 for upgrading to 8.0
7. IAM Operation
  7.1. Starting and stopping Airlock IAM (system service integration)
    7.1.1. Creating systemd services
    7.1.2. Customizing systemd services
    7.1.3. Using systemd services with profiles
  7.2. Sandboxing with profiles
    7.2.1. Using profiles
  7.3. Generating Airlock IAM log output
    7.3.1. Log parameters, appenders, and files
    7.3.2. Log rotation
  7.4. Processing Airlock IAM log output
    7.4.1. Airlock IAM logging API
    7.4.2. Reporting with Elasticsearch and Kibana
    7.4.3. Integration with container environments (Docker, Kubernetes, Cloud)
    7.4.4. Custom log agent/data collector
  7.5. Log message formats
    7.5.1. "Main" log format
    7.5.2. Structured log format
  7.6. Monitoring/health checks
    7.6.1. Using systemd
    7.6.2. Health checks with liveness and readiness probes
    7.6.3. Java management extensions (JMX)
  7.7. Performance tuning and scaling best practices
  7.8. Data backup and restore
  7.9. Connection drop with slash and/or backslash in the username
8. Initial configuration
  8.1. Airlock IAM instances directory
    8.1.1. Application parameters
    8.1.2. Airlock IAM instance configuration
  8.2. Config Editor quick start guide
    8.2.1. Step 1 – Access the Config Editor
    8.2.2. Step 2 – Save current configuration (for later restoration)
    8.2.3. Step 3 – Load the Demo configuration template
    8.2.4. Step 4 – Find the plugin to reconfigure
    8.2.5. Step 5 – Simple configuration change
    8.2.6. Step 6 – Create a new plugin configuration
    8.2.7. Step 7 – Activate changes
    8.2.8. Step 8 – Restore a previous configuration
  8.3. Airlock Gateway and Microgateway configuration for IAM
    8.3.1. Airlock Gateway for Airlock IAM configuration
    8.3.2. Airlock Microgateway for Airlock IAM configuration
    8.3.3. Securing Airlock IAM with HTTPS
    8.3.4. Airlock Gateway reports Status 503 or Status 400 when trying to access Airlock IAM (HTTP Header Size)
  8.4. User data source configuration (databases and directories)
    8.4.1. Configuration of user directories
    8.4.2. Configuration of token data storage
  8.5. Logging configuration
    8.5.1. Logging parameters
    8.5.2. Log4j 2 configuration files
  8.6. Using custom plugins in Airlock IAM
9. Configuration management
  9.1. Configuration environments
    9.1.1. Configuration environments in the Config Editor
    9.1.2. Config example scenarios and usage
  9.2. Configuration contexts
    9.2.1. Planning configuration contexts
    9.2.2. How to configure and use configuration contexts
    9.2.3. Best practices - Configuration contexts and context retention policy
  9.3. Storing sensitive configuration values externally
    9.3.1. Storing sensitive configuration values using the Config Editor
    9.3.2. Storing sensitive configuration values using the IAM CLI (command-line interface)
    9.3.3. Using standard keystore tools
    9.3.4. Technical information
  9.4. IAM Config Editor (UI)
    9.4.1. Plugin trees
    9.4.2. Plugin overview
    9.4.3. Plugin properties
    9.4.4. Flow step plugins in IAM flows
    9.4.5. Sensitive configuration values (config secrets)
    9.4.6. View toggles
    9.4.7. Configuration validation
    9.4.8. Loading and saving a configuration
    9.4.9. Configuration activation timeout
    9.4.10. Configuration activation internals
    9.4.11. Standalone version of the Config Editor
  9.5. IAM Command-Line Interface (CLI)
10. Authentication of end-users
  10.1. Interaction models for authentication
    10.1.1. Redirect interaction model
    10.1.2. REST interaction model
    10.1.3. One-shot interaction model
  10.2. Authentication methods in IAM
    10.2.1. Username and password authentication
    10.2.2. Airlock 2FA as the second factor with IAM
    10.2.3. FIDO authentication (WebAuthn, U2F, CTAP)
    10.2.4. mTAN/SMS authentication
    10.2.5. OATH OTP authentication
    10.2.6. Cronto authentication (OneSpan)
    10.2.7. Digipass OTP authentication (OneSpan)
    10.2.8. Email OTP authentication
    10.2.9. Matrix card authentication
    10.2.10. Kobil AST authentication
    10.2.11. ti&m Secure Mobile authentication
    10.2.12. Token authentication via RADIUS
    10.2.13. Client certificate for browser authentication (X.509)
    10.2.14. Front-side Kerberos authentication
    10.2.15. Front-side NTLM authentication
    10.2.16. Single sign-on (SSO) ticket authentication
  10.3. Remember-Me in authentication flows
    10.3.1. Keep me logged-in – persistent authentication between sessions
    10.3.2. Trust this browser/device – persistent 2nd-factor authentication
  10.4. Step-Up authentication
    10.4.1. Gateway (WAF)- vs. application-triggered step-up
  10.5. Risk-based authentication
  10.6. Failed login counters and temporary locking
    10.6.1. Temporary locking
  10.7. Username transformation: Login with multiple IDs
    10.7.1. User transformation configuration hints
  10.8. Maintenance messages
    10.8.1. Managing maintenance messages
    10.8.2. Maintenance messages examples in the Loginapp
    10.8.3. Maintenance messages usage and limitations
    10.8.4. Maintenance Message Locations
  10.9. User representation
    10.9.1. Terms and definitions in user representation
    10.9.2. User representation use cases
    10.9.3. User representation system design
    10.9.4. User representation flow diagrams
  10.10. Event-based subscriber notification
    10.10.1. Event producers
    10.10.2. Event attributes
    10.10.3. Event subscribers
    10.10.4. Configuration of e-mails event subscriber
    10.10.5. Configuration of SMS event subscribers
  10.11. Actions when the user logs out
11. Self-services for end-users
  11.1. Public self-services for end-users
    11.1.1. User registration self-service
    11.1.2. Unlock self-service
  11.2. Protected self-services for end-users
    11.2.1. Application portal
    11.2.2. User profile self-services
    11.2.3. User lockout self-service
12. Target applications and services
  12.1. Target application selection
  12.2. Access control for end-users (authorization)
    12.2.1. Basic access control concepts
    12.2.2. Authorization of internal services
  12.3. Securing REST APIs/service APIs
    12.3.1. Using the flow authentication API with Airlock Gateway (WAF) sessions
    12.3.2. Using the flow authentication API with JWTs and one-shot authentication
    12.3.3. Using Device Tokens to authenticate mobile apps
    12.3.4. Using OAuth 2 for native apps (RFC 8252)
  12.4. Identity propagation
  12.5. Terms of service (ToC)
  12.6. PSD2 support
    12.6.1. PSD2 support in Airlock IAM
    12.6.2. NextGenPSD2 (Berlin Group) with Airlock Secure Access Hub
    12.6.3. STET PSD2 with Airlock components
    12.6.4. Technical client in IAM and tech-clients REST API
    12.6.5. Getting issuer certificates for PSD2
    12.6.6. Technical client interceptors (custom plugin)
13. OAuth 2.0 and OpenID Connect overview
  13.1. Conceptual overview of OAuth 2.0/OIDC
    13.1.1. OAuth 2.0 grant types
    13.1.2. Recommendations for designing solutions in the OAuth 2.0 framework
    13.1.3. OAuth and OIDC security best practices
    13.1.4. Terms and definitions
  13.2. Supported features (OAuth 2.0/OIDC)
  13.3. AS-centric OAuth 2.0 and OIDC
    13.3.1. Conceptual overview of the AS-centric OAuth 2.0 and OIDC
    13.3.2. Usage of the AS-centric authorization server
  13.4. Client-centric OAuth 2.0/OIDC
    13.4.1. OAuth 2.0 / OpenID Connect authorization Code Grant (Client-centric)
    13.4.2. OAuth 2.0 Implicit Grant (Client-centric)
    13.4.3. OAuth 2.0 Token Introspection Endpoint (client-centric)
    13.4.4. OAuth 2.0 Token Revocation endpoint (client-centric)
  13.5. Airlock IAM as OAuth 2.0/OIDC client
    13.5.1. Airlock IAM as client (OAuth 2.0/OIDC)
    13.5.2. Account linking overview
    13.5.3. OAuth 2.0 SSO with single-page applications - a configuration example
14. SAML 2.0 (conceptual information)
  14.1. SAML terms and definitions
  14.2. SAML web browser SSO with POST binding
  14.3. SAML web browser SSO with HTTP artifact binding
  14.4. SAML Single logout (SLO)
  14.5. How to set up a proxy for SAML artifact binding
  14.6. Troubleshooting SAML
    14.6.1. AuthnContext doesn't match RequestedAuthnContext
    14.6.2. Missing default AssertionConsumerService in SP metadata
    14.6.3. SLO exception in debug mode
    14.6.4. AuthnRequest for an unknown target application
    14.6.5. Entity IDs do not match
    14.6.6. SLO not working in SP
    14.6.7. Host flag not set or using without FQDN
    14.6.8. MetaAlias missing or entity IDs do not match
    14.6.9. NullPointerException processing SAML assertion in SP
    14.6.10. Mismatch in CoT list definition
    14.6.11. IDP entity ID not found in SP
    14.6.12. Unsupported SAML signature algorithms in IAM 7.6 and later
15. API access control with Airlock Secure Access Hub
  15.1. Solution overview
    15.1.1. Terms and definitions
    15.1.2. Request processing (sequence diagram)
    15.1.3. API access control - how it works in detail
  15.2. Tech-Client management
    15.2.1. Profile management
    15.2.2. Plan management
    15.2.3. API key management
  15.3. API access control configuration for Airlock IAM and Airlock Gateway
    15.3.1. Configure the Airlock IAM API policy service
    15.3.2. Configure Tech-Client management in Airlock IAM
16. Flows as Airlock IAM concept
  16.1. General information about Airlock IAM flows
    16.1.1. Flow processing internals
    16.1.2. Flow Engine interaction with REST API
    16.1.3. Session tracking
    16.1.4. Mapping Flow steps to REST API next step codes
  16.2. Flow step properties
  16.3. Flow tags and red flags
  16.4. Flow selection and conditions
  16.5. Goto (flow concept)
  16.6. Dynamic step activation (DSA) - flow concept
  16.7. Failed factor attempts
  16.8. Flow error handling
  16.9. Protected Flows
17. Airlock IAM Loginapp (module)
  17.1. JSP-Loginapp vs. Loginapp REST UI
  17.2. Loginapp REST API
    17.2.1. REST API service overview
    17.2.2. Authentication REST API
    17.2.3. User self-registration REST API
    17.2.4. Public self-service flows REST APIs
    17.2.5. Protected self-service REST APIs
    17.2.6. SAML IDP setup with the Loginapp REST API
    17.2.7. SAML SP setup with the Loginapp REST API
    17.2.8. Customizing non-UI-related text elements in the Loginapp REST API
    17.2.9. Additional attributes in REST responses
  17.3. Loginapp REST UI
    17.3.1. Loginapp REST UI configuration
    17.3.2. Loginapp REST UI SDK for REST UI customization
    17.3.3. Content Security Policy for the Loginapp REST UI
  17.4. JSP-Loginapp
    17.4.1. Authentication (JSP-Loginapp)
    17.4.2. Self-services (JSP-Loginapp)
    17.4.3. Securing applications with the JSP-Loginapp
    17.4.4. Application portal (JSP-Loginapp)
    17.4.5. Using OAuth and OIDC with the Loginapp
    17.4.6. SAML configuration in the JSP-Loginapp
    17.4.7. Consent management (GDPR)
    17.4.8. Maintenance messages in the JSP-Loginapp
    17.4.9. User representation configuration in the JSP-Loginapp
    17.4.10. Customizing text elements in the Loginapp (JSP)
    17.4.11. Customizing UI (look and feel) of the JSP-Loginapp
    17.4.12. Content Security Policy for the JSP-Loginapp
  17.5. Migrating from the JSP-Loginapp to the Loginapp REST UI
    17.5.1. Loginapp migration - why migrate?
    17.5.2. Loginapp migration - when to migrate?
    17.5.3. Loginapp migration - how to migrate?
    17.5.4. Loginapp migration - where to get help?
    17.5.5. JSP-Loginapp migration - feature reference
    17.5.6. Features discontinued with the JSP-Loginapp
  17.6. HTTP request authentication (Airlock One-Shot flow)
    17.6.1. One-Shot Configuration
    17.6.2. Example: Authenticate HTTP request with JWT
    17.6.3. ti&m secure mobile one-shot configuration
    17.6.4. Front-Side Kerberos configuration (one-shot flow)
    17.6.5. NTLM configuration (one-shot flow)
    17.6.6. One-shot target application configuration for MS-OFBA
  17.7. OAuth 2.0 / OIDC configuration
    17.7.1. OAuth AS configuration - AS-centric
    17.7.2. OAuth AS configuration - client-centric
    17.7.3. Airlock IAM as OAuth 2.0/OIDC client configuration
  17.8. HTTP Basic Auth interface
  17.9. Event notification settings in the Loginapp
18. Airlock IAM Adminapp (module)
  18.1. Adminapp REST API
  18.2. Password management in the IAM Adminapp
  18.3. Airlock 2FA token management configuration
  18.4. FIDO token management configuration
  18.5. Cronto Token Controller configuration
  18.6. Digipass OTP configuration
    18.6.1. Digipass OTP tokens in Users management menu (Adminapp)
    18.6.2. Digipass OTP tokens in Tokens management menu (Adminapp)
    18.6.3. Digipass OTP administrative use-cases
  18.7. Matrix card management in the Adminapp
  18.8. ti&m token management in the Adminapp
  18.9. Remember-Me configuration in Adminapp
  18.10. Generic token controller for token management in the Adminapp
    18.10.1. Generic token UI
    18.10.2. Generic token REST endpoint
  18.11. Maintenance messages in the Adminapp
  18.12. User-group dependent settings
  18.13. Admin roles and user groups in Adminapp
    18.13.1. Role-based access control
    18.13.2. Segregation of duties
    18.13.3. Segregation of users
    18.13.4. Privilege escalation protected administrator roles (PEPAR) in the Adminapp
  18.14. Realm administration
    18.14.1. Conceptual overview of Realm Administration
    18.14.2. Configuration of Realm Administration
    18.14.3. Usage of Realm Administration
  18.15. Event notification settings in the Adminapp
  18.16. Customizing text elements in the Adminapp
19. Airlock IAM Service Container (module)
  19.1. RADIUS server
    19.1.1. Configure the RADIUS server for Airlock 2FA
  19.2. Cronto activation letter generation
  19.3. Airlock 2FA letter generation task
  19.4. Matrix card generation in the Service Container
  19.5. Customizing text elements in the Service Container
  19.6. Remember-Me token cleanup task configuration
20. Airlock IAM Transaction approval (module)
  20.1. Transaction approval REST API
    20.1.1. Transaction approval flow selection
    20.1.2. User identifying step
    20.1.3. Parameter step and message providers
    20.1.4. Selection of authentication token and authTokenId usage
    20.1.5. Approval steps
    20.1.6. Message provider configuration
    20.1.7. Authentication of the delegating entity (REST client authentication)
    20.1.8. Transaction approval with Airlock 2FA
    20.1.9. Transaction approval with mTAN (SMS)
    20.1.10. Transaction approval with Cronto Push
  20.2. Customizing text elements in the Transaction Approval module
  20.3. Cronto message custom formatting for the Transaction Approval module
21. REST APIs provided by IAM
  21.1. Authentication of REST requests
  21.2. Enforce SSL/TLS mutual authentication on REST endpoints
    21.2.1. Client certificate authentication
    21.2.2. Client authentication configuration options
    21.2.3. Certificate token authenticator configuration
22. Customizing UIs and texts
  22.1. Changing text elements
  22.2. Customizing the Loginapp UI (look and feel)
  22.3. Report templates based on Word documents
    22.3.1. Plugins
    22.3.2. Parameter replacement
    22.3.3. Further examples using MessageFormat
    22.3.4. Extra information in password (and similar) letters
23. Third-party licenses