Planning configuration contexts

The use of configuration contexts requires thorough planning and careful configuration. The following content guides you through those two stages.

Step 1 - Determine the configuration context

For every HTTP request sent to Airlock IAM (e.g. to answer an authentication request), the active configuration context is determined in order to select the corresponding configuration.

The configuration context is determined as follows:

  1. Look at the current HTTP request using the configured context extractor plugin.
  2. The context retention policy decides whether to use the context:
    1. for every request
    2. for the whole session

There are several context extractor plugins. Custom context extractor plugins can be written if required.

Example plugins:

  • URL Context Extractor: Determines the configuration context by matching the URL (as seen by the browser; including the domain) against a list of configured rules.
    Note that for the Loginapp REST UI, the considered request URLs are the ones on the REST requests sent to the server and not the URLs displayed in the browser's address bar.

  • Forward Location Context Extractor (only for JSP-Loginapp): Determines the configuration context by matching the URL of the accessed target application against a list of configured rules.
    For this extractor to work, the forward location must be part of a URL sent to the IAM server. It therefore does not work with the Loginapp REST UI when sending a Location parameter to the browser running the web application.
    This context extractor plugin will no longer be available as of IAM 8.0.

  • IP Address Context Extractor: Determines the configuration context by matching the client (browser) IP address against a list of configured rules.

  • Client Certificate Context Extractor: Determines the configuration context by matching information from a client certificate (mutual SSL) against a list of configured rules.

  • HTTP Parameter Context Extractor: Determines the configuration context by matching an HTTP parameter against a list of configured rules.
    For this extractor to work, the IAM server must be able to extract the HTTP parameter from the HTTP request.
    The parameter can be part of the URL (GET request with query parameters) or be available as POST request data, but not as part of a JSON body.
    The usage of this extractor for the Loginapp REST API is therefore limited to GET requests with query parameters.

  • Static Context Extractor: Uses a statically configured context.

There are plugins combining several of the above methods: Combining Context Extractor and Concatenating Context Extractor.

To get a full list of existing context extractor plugins, please open the Config Editor and add a new context extractor plugin.

Step 2 - Context-dependent configuration

  • Every configuration property may be defined differently for each configuration context.
  • If no context-specific value is configured for a given context, the default context value is used.

Thus, only the values that are really context-dependent – these are typically very few – must be configured for each context. All the rest of the configuration is defined only once.
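The two steps above can be modelled in a few lines. The following is an added illustration, not Airlock IAM code or its configuration format: the rule patterns, context names, property names, the "first matching rule wins" order, the fallback to a default context when no rule matches, and the reading of session retention as "keep the first determined context" are all assumptions made for the sketch.

```python
import re

DEFAULT = "default"  # hypothetical name for the default context

# Constructed URL rules (pattern -> context). Assumption: checked in order,
# first match wins.
URL_RULES = [
    (re.compile(r"^https://partner\.example\.com/"), "partner"),
    (re.compile(r"^https://[^/]+/intranet/"), "intranet"),
]

# Constructed configuration: only context-dependent values are overridden,
# everything else is defined once for the default context.
CONFIG = {
    "session.timeout.minutes": {DEFAULT: 30, "intranet": 480},
    "auth.second.factor": {DEFAULT: "required"},
}

def extract_context(url):
    """Step 1: match the request URL against the rules (URL-based extraction)."""
    for pattern, context in URL_RULES:
        if pattern.search(url):
            return context
    return DEFAULT  # assumption: no matching rule means the default context

class ContextResolver:
    """Retention policy: 'request' re-evaluates every request,
    'session' keeps the context determined on the session's first request."""
    def __init__(self, retention):
        if retention not in ("request", "session"):
            raise ValueError(f"unknown retention policy: {retention}")
        self.retention = retention
        self.sessions = {}  # session id -> retained context

    def active_context(self, session_id, url):
        extracted = extract_context(url)
        if self.retention == "session":
            return self.sessions.setdefault(session_id, extracted)
        return extracted

def config_value(prop, context):
    """Step 2: context-specific value if configured, else the default context value."""
    values = CONFIG[prop]
    return values.get(context, values[DEFAULT])
```

With per-request retention, the values in force can change within one session as soon as a later request matches a different rule, so it is worth checking which properties are overridden per context before choosing that policy.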