Configuration - protected self-services

The configuration of protected self-services consists of two parts:

  • Protected Self-Service Flows
    • Arbitrary flows for logged-in users.
    • Configured in Loginapp >> Protected Self-Services >> Protected Self-Service Flows.
    • Access is protected by an access condition and an authorization condition.
    • Available steps (excerpt): Airlock 2FA token management, FIDO token registration, Cronto token management including push activation, mTAN token management, email change, context data change, account lock, password change, various approval steps.
  • Other protected services (not flows)
    • Specific non-flow self-services for logged-in users, typically used to provide the information that is then edited in a protected self-service flow.
    • Configured in Loginapp >> Protected Self-Services.
    • Access is protected by an access condition and an authorization condition.
    • Available services: list of the user's Airlock 2FA, Cronto, or mTAN tokens; list of available flows.
    • Usually, such a service is called before starting a protected self-service flow.

Typical self-service flow structure

The steps that are required for a particular self-service entirely depend on the purpose of the service. However, they often follow this sequence:

1. First step

The first step allows the user to provide some information or to execute some action. If data is provided during this step, the step typically validates the data provided to ensure it is properly formatted.
Example: user-supplied e-mail address or phone number.

If an action is to be executed, the step validates that the action is acceptable.
Example: a token deletion step could refuse to delete the user's last token, thereby preventing a lock-out from the account.

2. Verification step (optional)

One or more optional verification steps may follow. Such steps verify that the information supplied is correct.
Example: an e-mail message is sent to the new address to ensure the e-mail address is correct.

3. Persistence Step

The persistence step writes the user-provided information or the results of the action into the user account.

How to configure a protected self-service flow

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. Create a new flow.
  3. Configure a Flow ID.
    • The Flow ID is a mandatory attribute of the flow. API clients use this name as part of the URL to start the flow.
    • Changing the Flow ID may break existing REST clients.

  4. Configure a list of steps.
    • A flow consists of one or more steps, executed in the configured order.

    Airlock IAM provides a large number of steps for different purposes:

    • context data management (email address, postal address, login alias, etc.)
    • token management (Airlock 2FA, Cronto, mTAN, password)
    • verification steps (Airlock 2FA, Cronto, mTAN)
    • persistence of changes
  5. Configure Access Condition and Authorization Condition for the flow.
    • A protected self-service flow can only be started successfully if both the access condition and the authorization condition for the flow are met. Use Always Selectable to skip the check of these conditions.
    • Every protected self-service flow requires the user to be authenticated. This is an implicit requirement and always applies, regardless of the configured conditions.
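To make the typical flow structure (first step, verification step, persistence step) and the access/authorization gate of step 5 concrete, here is an added Python model; it is illustrative code, not Airlock IAM code, and the Account and Flow classes, the step functions and the "self-service" role are assumptions. The first step refuses to delete a user's last token, and a failing validation or verification step aborts the flow before the persistence step changes the account.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Account:
    authenticated: bool
    roles: set = field(default_factory=set)
    tokens: list = field(default_factory=list)  # registered tokens, e.g. "mtan:1" (constructed)

ALWAYS_SELECTABLE = lambda acct: True  # skips the access/authorization condition check entirely

@dataclass
class Flow:
    flow_id: str
    access: Callable[[Account], bool]
    authorization: Callable[[Account], bool]
    steps: list  # callables (account, state) -> error message or None

    def start(self, acct: Account, state: dict) -> dict:
        # Implicit requirement: every protected self-service flow needs an authenticated user.
        if not acct.authenticated:
            return {"ok": False, "error": "not authenticated"}
        if not (self.access(acct) and self.authorization(acct)):
            return {"ok": False, "error": "access or authorization condition not met"}
        for step in self.steps:  # a failing step aborts before the persistence step runs
            error = step(acct, state)
            if error:
                return {"ok": False, "error": error}
        return {"ok": True, "error": None}

# 1. First step: validate the requested action; refuse to delete the last token (lock-out guard).
def delete_token_step(acct: Account, state: dict):
    token = state.get("token")
    if token not in acct.tokens:
        return "unknown token"
    if len(acct.tokens) == 1:
        return "cannot delete the last token: the user would be locked out"
    state["pending_delete"] = token

# 2. Verification step: the user confirms with a code sent out of band (constructed value).
def verify_code_step(acct: Account, state: dict):
    if state.get("code") != state.get("expected_code"):
        return "verification failed"

# 3. Persistence step: only now is the account changed.
def persist_step(acct: Account, state: dict):
    acct.tokens.remove(state["pending_delete"])

TOKEN_DELETION = Flow("delete-token", ALWAYS_SELECTABLE, lambda a: "self-service" in a.roles,
                      [delete_token_step, verify_code_step, persist_step])
```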

Note that there are default flow plugins pre-configuring useful self-service flows.

The Default mTAN Token Registration Flow plugin, for example, automatically configures all necessary flow steps as well as access and authorization.

Default flow plugins reduce configuration complexity at the cost of flexibility. They document the flow steps they use internally, so if more flexibility is needed, the same flow can be modeled explicitly by configuring the corresponding flow steps manually.