- Configure the Airlock IAM OAuth 2 Client, i.e. an Oauth2 Target Application: see OAuth 2 / OpenID Connect Configuration: Airlock IAM as Authorization Server
- One-Shot End-Point in IAM: (Loginapp >> Airlock One-Shot Authentication)
- Add a target application for the protected service and configure it as follows:
- Credential Extractor: use plugin Bearer Token HTTP Header Extractor (as Token Credential).
- Authenticator: use plugin OAuth 2 Access Token Authenticator with the Authorization Server Settings used in the above Oauth2 target application.
- Failure Responses: configure responses as desired - always use responses of type FINAL_RESPONSE.
- Identity Propagator: as required by back-end application.
- URL pattern: according to the back-end application.
- Airlock Credentials: Choose sensitive Airlock Gateway (WAF) credential timeouts.
- Airlock Gateway (WAF) Configuration
- Make sure the Gateway (WAF)'s IAM mapping has the allow rules for Oauth2 enabled
- Create a mapping for the protected service(s)
- As Denied access URL, use
/<iam-mapping-entry-path>/login-oneshot - From the Authentication flow drop-down, select One-Shot
- Enable bearer token session tracking in the Security Gate Expert Settings (on both the IAM mapping and the protected services mapping(s)):
Shared One-Shot Configuration
The one-shot settings can be used for multiple protected services. Choose the URL pattern property to match all services for which the same settings apply.
Session.Tracking.ExternalToken.Enable "TRUE"