Airlock 2FA configuration hints

This article provides background information and tips for Airlock 2FA configuration.

Connection to Futurae cloud (Futurae server)

Airlock 2FA is based on Futurae's authentication solution and connects to the Futurae cloud unless you have an on-premises installation of it. In both cases, the plugin Futurae Server defines how to connect to it and what service account to use.

  • The Service ID, Auth API Key, and Admin API Key are part of the service subscription.
  • The URLs and timeouts in the Advanced Settings sections do not have to be changed unless you are using a special setup.
  • The Trust and Keystore Settings may be used for enhanced security of the connection to the Futurae cloud. If no trust store is configured, the global web server trust store is used (application parameters).
  • It is essential that the authenticity of the Futurae cloud can be verified. It is therefore mandatory to use HTTPS instead of HTTP and that the configured trust store is limited to trustworthy issuers.

    The communication between Airlock IAM and the Futurae cloud includes digital signatures and timestamps. It is therefore essential that the clocks of the Airlock IAM deployments are in sync with global time.

    If the Airlock IAM clock deviates from global time more than 60 seconds, requests are rejected by the Futurae cloud (401 Unauthorized response).

Failed logins counter threshold

The Futurae cloud counts failed authentication attempts. After a certain threshold of failed attempts, accounts will be locked. Because Airlock IAM also locks user accounts after a certain amount of failed login attempts, the lockout thresholds must be chosen with care.

  Recommendation for lockout thresholds when using Airlock 2FA:
  • Make sure the lockout threshold in IAM is smaller than the one in the Futurae cloud.
  • The maximum lockout threshold in the Futurae cloud is 40. Do not choose a higher value in IAM.

The default value for the maximum lockout threshold can be configured in the service settings of the Futurae cloud. The default value is automatically used for new users.

When creating a new Futurae service, a default of 15 is used. Make sure to increase this value if a larger lockout threshold is used in Airlock IAM.

To do so, open the Futurae admin console, select the service account's settings, open the Configuration tab, and set the value for USER DEFAULT MAX ATTEMPTS.
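As an added illustration (not part of the Airlock or Futurae documentation), the following Python script turns the clock synchronization note above and the lockout-threshold rules of this section into a pre-deployment sanity check. The settings class, the function names and the sample values are assumptions made for the example; the 60-second tolerance, the ceiling of 40 and the default of 15 are the values stated in this article. It also reproduces the acceptance rule a timestamp-checking server applies, so a reader can see why a skewed IAM clock leads to rejected requests.

```python
"""Sanity checks for an Airlock 2FA / Futurae setup (added example, hypothetical helper)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Values stated in the article
FUTURAE_MAX_ATTEMPTS_CEILING = 40       # highest lockout threshold the Futurae cloud accepts
FUTURAE_NEW_SERVICE_DEFAULT = 15        # USER DEFAULT MAX ATTEMPTS of a newly created service
CLOCK_TOLERANCE = timedelta(seconds=60)  # larger deviation -> 401 Unauthorized from the cloud


@dataclass
class Airlock2faSettings:
    """Assumed shape of the relevant settings; not an Airlock IAM data structure."""
    iam_lockout_threshold: int               # failed-login lockout in Airlock IAM
    futurae_user_default_max_attempts: int   # USER DEFAULT MAX ATTEMPTS in the Futurae console
    futurae_base_url: str                    # URL the Futurae Server plugin connects to


def check_lockout_thresholds(s: Airlock2faSettings) -> list:
    """Return a list of findings; an empty list means the thresholds are consistent."""
    findings = []
    if s.futurae_user_default_max_attempts > FUTURAE_MAX_ATTEMPTS_CEILING:
        findings.append(
            f"Futurae USER DEFAULT MAX ATTEMPTS {s.futurae_user_default_max_attempts} "
            f"exceeds the maximum of {FUTURAE_MAX_ATTEMPTS_CEILING}")
    if s.iam_lockout_threshold > FUTURAE_MAX_ATTEMPTS_CEILING:
        findings.append(
            f"IAM lockout threshold {s.iam_lockout_threshold} exceeds "
            f"{FUTURAE_MAX_ATTEMPTS_CEILING}, the maximum supported by the Futurae cloud")
    # IAM must lock the account before the Futurae cloud does
    if s.iam_lockout_threshold >= s.futurae_user_default_max_attempts:
        findings.append(
            f"IAM lockout threshold {s.iam_lockout_threshold} is not smaller than the "
            f"Futurae threshold {s.futurae_user_default_max_attempts}")
    return findings


def check_transport(s: Airlock2faSettings) -> list:
    """HTTPS is mandatory so that the authenticity of the Futurae cloud can be verified."""
    if not s.futurae_base_url.lower().startswith("https://"):
        return [f"Futurae URL {s.futurae_base_url!r} does not use HTTPS"]
    return []


def request_within_clock_tolerance(request_ts: datetime, reference_now: datetime,
                                   tolerance: timedelta = CLOCK_TOLERANCE) -> bool:
    """Acceptance rule of a timestamp-checking peer: a signed request whose timestamp
    deviates from the peer's clock by more than `tolerance` is rejected."""
    return abs(reference_now - request_ts) <= tolerance


def run_all_checks(s: Airlock2faSettings, local_clock_offset: timedelta) -> list:
    """Combine the configuration checks with the measured local clock offset
    (e.g. taken from the host's NTP client); returns all findings."""
    findings = check_lockout_thresholds(s) + check_transport(s)
    if abs(local_clock_offset) > CLOCK_TOLERANCE:
        findings.append(
            f"local clock deviates by {local_clock_offset.total_seconds():.0f}s; "
            f"requests will be rejected with 401 Unauthorized")
    return findings


if __name__ == "__main__":
    # Constructed sample: IAM threshold left at the Futurae new-service default of 15,
    # while the Futurae side was never raised -> violates "IAM threshold must be smaller".
    sample = Airlock2faSettings(iam_lockout_threshold=15,
                                futurae_user_default_max_attempts=FUTURAE_NEW_SERVICE_DEFAULT,
                                futurae_base_url="https://example.invalid/")  # placeholder URL
    for finding in run_all_checks(sample, local_clock_offset=timedelta(seconds=75)):
        print("FINDING:", finding)

    now = datetime.now(timezone.utc)
    print("skew 59s accepted:", request_within_clock_tolerance(now - timedelta(seconds=59), now))
    print("skew 61s accepted:", request_within_clock_tolerance(now - timedelta(seconds=61), now))
```

Feed `run_all_checks` the offset reported by the host's NTP client and the thresholds from the IAM configuration and the Futurae console; any non-empty result points at a setting this article asks you to adjust before rollout.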

Data synchronization with Futurae cloud

For each IAM user account using Airlock 2FA features, a user account is automatically created in the Futurae cloud. In order to keep the user accounts between Airlock IAM and the Futurae cloud in sync, a listener plugin has to be configured in the IAM's user database configuration.

This is especially important to make sure that user accounts deleted in Airlock IAM are also removed in the Futurae cloud.

  1. Go to: MAIN SETTINGS >> Data Sources >> User Data Source >> Database User Persister
     (alternatively go to: Loginapp >> User Store >> Database User Persister).
  2. Open the property group Event Listener Settings.
  3. In property User Change Event Listeners, add plugin Airlock 2FA Consistency User Change Listener to the list if it is not yet present.
  4. Configure the plugin by selecting the Airlock 2FA Settings plugin used for authentication.