Configuration of application and service mappings

Depending on the used IAM features, use the corresponding Denied Access URL and Authentication Flow in the Airlock Gateway mapping of the application or service protected by Airlock IAM:

IAM Feature	Denied Access URL	Authentication Flow
Loginapp (JSP) (HTML/JSP based, form-based login application)	`<loginapp-uri>/check-login` Using `/login` instead does not work with certain features such as step-up authentication. Using `/check-login` will not propagate the Forward Location to the Loginapp REST UI.	Redirect
Loginapp REST UI	`<loginapp-uri>/ui/app/auth/application/access` `<loginapp-uri>/ui/app/auth/logout` The `/check-login` entry point of the JSP-Loginapp also works with the Loginapp REST UI if (and only if) the JSP-Loginapp is not configured (no Loginapp >> Authentication Settings present in the configuration). Make sure to enable Loginapp >> Miscellaneous Settings >> Keep Location Parameter: the setting ensures that a target application URL passed to `/check-login` as `Location` parameter is preserved for the Loginapp REST UI. Note that this option does not work correctly due to a bug in IAM versions up to (including) IAM 7.4.2.	Redirect
HTTP request authentication (Airlock One-Shot flow) Securing REST APIs/service APIs Front-side Kerberos authentication (with one-shot flow)	`<loginapp-uri>/login-oneshot`	One-shot
Airlock Gateway (WAF) and IAM configuration for NextGenPSD2 Airlock Gateway (WAF) configuration for STET PSD2	`<loginapp-uri>/login-oneshot`	One-shot with body
Web service authentication using client certificates	`<loginapp-uri>/ws-auth`	One-shot
Front-side Kerberos authentication (with redirect flow)	`<loginapp-uri>/check-spnego`	Redirect
Front-side NTLM authentication	`<loginapp-uri>/check-ntlm`	Front-side NTLM