To make sure that unauthenticated HTTP requests to the Airlock 2FA self-service result in an HTTP redirect to the Loginapp (JSP), and not to the Loginapp REST UI, the Airlock Gateway (WAF) mapping(s) for IAM need to be adapted as follows.
Procedure-related prerequisites
- Access to the IAM mapping configuration on the affected Airlock Gateway (WAF) is required.
- One or more functioning IAM mappings exist.
Restrict access to protected self-services
- Open the Airlock Gateway (WAF) configuration center and log in.
- Open the affected IAM mapping and select the Access tab.
- Add the following entry to the list of Access restrictions:
Property | Value |
---|---|
HTTP Method | |
Path | |
Restricted to Roles | |
Exchange the role authenticated with whatever role(s) are relevant to your setup. Remember that access to Airlock 2FA self-services is granted with the specified role(s). The required role(s) should imply strong user authentication.
- The Authentication flow must be set to Redirect.
- Set the Denied access URL to /%ENTRYDIR%/check-login. This may require selecting the Custom radio button.
- Activate the configuration.
- The Airlock Gateway (WAF) now ensures that unauthenticated requests to the protected self-service part of the IAM are redirected to the Loginapp (JSP).
The resulting configuration should look like:

Verify the configuration
To verify the access restriction configuration, do the following:
- Make sure your browser does not have an authenticated session. Terminate any existing session using the logout URL https://iam.ext.virtinc.com/auth/logout.
- Open the URL https://iam.ext.virtinc.com/auth/ui/app/protected/tokens/airlock-2fa/devices in the browser.
- The browser should now be redirected to the Loginapp (JSP)'s login page.
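
The manual check above can also be scripted, for example to re-run it after every Gateway configuration change. The following is an added example, not part of the original Airlock documentation: it assumes that %ENTRYDIR% resolves to auth (as in the sample URLs above) and that the REST UI is served under /auth/ui/, and its sample responses are constructed.

```python
"""Scripted form of the manual redirect check (added example)."""
import http.client
import sys
from urllib.parse import urlsplit

HOST = "iam.ext.virtinc.com"   # sample host from the page's URLs
ENTRY_DIR = "auth"             # assumption: value %ENTRYDIR% resolves to for this mapping
PROTECTED = "/auth/ui/app/protected/tokens/airlock-2fa/devices"

def classify(status, location, host=HOST, entry_dir=ENTRY_DIR):
    """Judge one unauthenticated response; 'ok' only for a redirect to check-login."""
    if status not in (301, 302, 303, 307, 308):
        return "not-redirected"        # e.g. 200: content served without a session
    if not location:
        return "no-location"
    target = urlsplit(location)
    if target.netloc and target.netloc.lower() != host:
        return "foreign-host"
    if target.path == f"/{entry_dir}/check-login":
        return "ok"                    # the Denied access URL configured above
    if target.path.startswith(f"/{entry_dir}/ui/"):
        return "rest-ui"               # assumption: REST UI lives under /<entry>/ui/
    return "unexpected-target"

def probe(host=HOST, path=PROTECTED, timeout=10):
    """One cookie-less GET that does not follow redirects: (status, Location)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

# Constructed sample responses, not captured from a real Gateway.
SAMPLES = [
    (302, "https://iam.ext.virtinc.com/auth/check-login"),
    (302, "/auth/check-login?constructed=1"),
    (302, "/auth/ui/app/login"),
    (200, None),
    (302, "https://login.example.net/auth/check-login"),
]

if __name__ == "__main__":
    if sys.argv[1:] == ["--live"]:
        verdict = classify(*probe())
        print(verdict)
        sys.exit(0 if verdict == "ok" else 1)
    for status, location in SAMPLES:
        print(status, location, "->", classify(status, location))
```

Run without arguments it classifies the constructed samples offline; with `--live` it sends a single request to the protected URL and exits non-zero unless the verdict is `ok`.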