Target application configuration

If an Airlock Gateway (WAF) user session does not have the roles required to access the target application, the Gateway (WAF) redirects the user's browser to IAM (/check-login end-point) to either:

  • authenticate the user
  • do a step-up
  • just do ID propagation (no user interaction)

With the redirect to IAM (/check-login end-point), the URL of the page originally requested by the user is passed to IAM in the "Location" URL-parameter. Thus IAM knows what URL the user is trying to access.

"Forward Location" in IAM

The URL the user tries to access is called forward location in IAM.

IAM uses it to:

  • identify the right target application configuration
  • determine how to authorize the user (required roles, access policy)
  • determine what other restrictions apply (e.g. terms of services)
  • determine where to redirect the user's browser after all these checks are passed
  • know how to do identity propagation

Thus, the Target Application Configuration is the place to put application specific information for Airlock IAM.

It roughly holds the following information:

  • URLs: URLs defining the application; allowed entry points, etc.
  • Identity Propagation: how to tell the target application who the user is (and potentially other information such as roles)
  • Authorization: information used for advanced authorization concepts (e.g. step-up)
  • Portal: settings used in Airlock IAM application portal
  • Federation: settings around federation (maps user to user IDs in target applications)
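
The following simplified model shows how a forward location can be resolved to a target application and turned into one of the three outcomes listed at the top of this page. It is an added illustration, not Airlock IAM code or its configuration schema. `TargetApp`, the path-prefix matching, the `strong` role and the rejection of unmatched locations are assumptions of this sketch.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass(frozen=True)
class TargetApp:  # hypothetical model, not the Airlock IAM configuration schema
    name: str
    url_prefix: str            # assumption: an application is defined by a path prefix
    required_roles: frozenset

# Constructed sample configuration: the payments area needs an extra role.
APPS = (
    TargetApp("portal", "/portal/", frozenset({"customer"})),
    TargetApp("payments", "/portal/payments/", frozenset({"customer", "strong"})),
)

def forward_location(check_login_url):
    """Return the single "Location" parameter of a /check-login URL, else None."""
    values = parse_qs(urlsplit(check_login_url).query).get("Location", [])
    return values[0] if len(values) == 1 else None

def match_app(location, apps=APPS):
    """Map a forward location to the most specific application, else None."""
    if not location or "\\" in location:
        return None
    parts = urlsplit(location)
    # Assumption: only paths on the gateway's own host are valid forward locations.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return None
    if ".." in parts.path.split("/"):
        return None
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    hits = [a for a in apps if path.startswith(a.url_prefix)]
    return max(hits, key=lambda a: len(a.url_prefix), default=None)

def decide(check_login_url, iam_roles, apps=APPS):
    """Return (action, redirect_target); iam_roles is None without an IAM session."""
    location = forward_location(check_login_url)
    app = match_app(location, apps)
    if app is None:
        return ("reject", None)       # never redirect to an unmatched location
    if iam_roles is None:
        return ("authenticate", location)
    if not app.required_roles <= set(iam_roles):
        return ("step-up", location)
    return ("propagate", location)    # roles suffice: no user interaction
```

Because the forward location arrives as a request parameter and later becomes a redirect target, the sketch only accepts values that match a configured application.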

The basic settings required to integrate a target application are described below. For more details on specific properties, please consult the documentation in the application settings page within the Config Editor or separate tutorials, where available.