Using gateway-generated cookies for session tracking

In this configuration example, we use HTTP cookies between the REST client and Airlock Gateway which works primarily for browser-based clients.

For non-browser-based REST clients, see Gateway configuration in article Using header tokens for session tracking.

A mixed setup with REST and browser-based clients usually requires a split setup with two VirtualHost configurations on the Airlock Gateway. One with cookie-based tracking and one with header tracking configuration.

1. Go to:
   Loginapp >> Applications and Authentication
2. Add a target application for the protected service and configure the properties.
• Refer to the plugin documentation when configuring the following properties:
• Application ID
• Authentication Flow
• Airlock Gateway Roles
• Identity Propagation

See also Authentication REST API for more information.

1. Go to:
   Loginapp >> section OpenID Connect, OAuth, SAML, One-Shot
2. In property One-Shot Authentication, create and edit a One-Shot Authentication Settings plugin.
3. In property Default Target Application/Service, add and configure a Target Application/Service plugin.
4. In property Credential Extractor you may choose either
1. Bearer Token HTTP Header Extractor (as Token Credential) with an arbitrary header name,

OR

2. Static Username Password Extractor with arbitrary configuration.
   It does not matter which one to configure because we will always send back an HTTP 401 response by configuring a denying authenticator.
5. In property Authenticator, set Denying Authenticator (one-shot must always fail in this scenario).
6. In property Failure Responses, configure an HTTP Status Code 401 and a Workflow FINAL_RESPONSE setting.
7. In property Identity Propagator, configure a No Identity Propagator plugin.
8. In property URL Pattern, set the pattern according to the protected services. Note that the one-shot settings can be used for multiple protected services by choosing a URL pattern that matches all services for which the same settings apply.

• An Airlock IAM mapping must be configured in Airlock Gateway in all cases:
• For general Airlock Gateway mapping-related information, see chapter Airlock Gateway and Microgateway configuration for IAM.
• For a One-Shot configuration of Airlock Gateway, see chapter HTTP request authentication (Airlock One-Shot flow).

The IAM One-Shot end-point configured above returns an HTTP 401 without looking at the request's credentials.
This can also be achieved by the Airlock Gateway alone (no IAM involved) using the following Security Gate Expert Settings on the protected service's Gateway mapping:

Authentication.Implicit.Enable                 "TRUE"
Authentication.Implicit.ErrorPath              "/error_path/one-shot.asis"

• Follow-up task:
• Create a corresponding asis-error page with the desired HTTP 401 response and update the Gateway error pages. See Airlock Gateway documentation Authorization and authentication.

Additional configuration information can be found in specific Airlock Gateway release documentation. For the latest Gateway release, follow the external links below.

• Internal links:
• Using header tokens for session tracking

• External links:
• Cookie-based session tracking (latest Airlock Gateway release documentation)
• Session cookie path and domain configuration on Tab – Advanced (Virtual Host detail page setting) (latest Airlock Gateway release documentation)